mark.tinka at seacom.mu
Fri Oct 23 08:54:43 UTC 2015
On 23/Oct/15 10:48, Saku Ytti wrote:
> I believe this is because you need 802.3 (as opposed to Ethernet II)
> and a rudimentary CLNS implementation, both of which are very annoying from
> a programmer's point of view.
I'm not really sure what the hold-up is, but I know Mikael, together
with the good folks at netDEF (Martin and Alistair), is working hard on
fixing these issues. While I have not had much time to provide them with
feedback on their progress, it is high on my agenda - not to mention
that funding support for them will only help the cause.
> I hope ISIS would migrate to Ethernet II and IP. From a security point of
> view, people often state how it's better that it's not IP, but in
> reality, how many have verified the flip side of this proposal: how
> easy is it to protect yourself from an ISIS attack from a connected host?
> For some platforms the answer is that there is absolutely no way, and any
> connected host can bring you down with a trivial amount of data.
Well, on the basis that an attack is made easier if you are running
IS-IS on a vulnerable interface, in theory, an attack would be highly
difficult if a vulnerable interface were not running IS-IS to begin with.
But I do not have any empirical data on any attempts to attack IS-IS,
successfully or otherwise. So your guess is as good as mine.
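The framing point Saku raises (IS-IS rides in 802.3/LLC with a CLNS NLPID rather than in an EtherType and IP) is also why an IP ACL on a host-facing port never sees it. The following is an added example, not code from either poster: a small Python classifier that tells Ethernet II frames from 802.3/LLC frames, recognises the IS-IS LLC SAP 0xFE and NLPID 0x83, decodes the PDU type, and reports any IS-IS PDU arriving on an interface where IS-IS is not configured. The interface names, the set of IS-IS-enabled interfaces and the sample frames are all constructed for the example; the header layout follows ISO 10589 / RFC 1195.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# IS-IS is carried in 802.3/LLC with DSAP=SSAP=0xFE, UI control 0x03,
# followed by the ISO 9577 NLPID 0x83 (ISO 10589 / RFC 1195).
ISIS_LLC_SAP = 0xFE
ISIS_NLPID = 0x83
# Low 5 bits of the PDU-type byte in the IS-IS common header.
ISIS_PDU_TYPES = {
    15: "L1 LAN IIH", 16: "L2 LAN IIH", 17: "P2P IIH",
    18: "L1 LSP", 20: "L2 LSP",
    24: "L1 CSNP", 25: "L2 CSNP", 26: "L1 PSNP", 27: "L2 PSNP",
}
ALL_L1_ISS = bytes.fromhex("0180c2000014")  # AllL1ISs multicast MAC
ALL_L2_ISS = bytes.fromhex("0180c2000015")  # AllL2ISs multicast MAC


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class FrameInfo:
    framing: str                      # "ethernet-ii" or "802.3"
    dst: str
    src: str
    ethertype: Optional[int] = None   # only set for Ethernet II
    isis_pdu: Optional[str] = None    # PDU name when the frame is IS-IS


def classify_frame(frame: bytes) -> FrameInfo:
    """Tell Ethernet II from 802.3/LLC and detect an IS-IS PDU in the latter."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    # IEEE 802.3: values >= 0x0600 are an EtherType, smaller ones a length.
    if type_or_len >= 0x0600:
        return FrameInfo("ethernet-ii", dst, src, ethertype=type_or_len)
    info = FrameInfo("802.3", dst, src)
    # LLC header (DSAP, SSAP, control) is followed by the NLPID byte.
    if len(frame) < 18:
        return info
    dsap, ssap, nlpid = frame[14], frame[15], frame[17]
    if dsap != ISIS_LLC_SAP or ssap != ISIS_LLC_SAP or nlpid != ISIS_NLPID:
        return info
    # IS-IS common header: NLPID, length indicator, version/proto-id ext,
    # ID length, then the PDU-type byte (offset +4 from the NLPID).
    if len(frame) >= 22:
        pdu_type = frame[21] & 0x1F
        info.isis_pdu = ISIS_PDU_TYPES.get(pdu_type, f"unknown({pdu_type})")
    else:
        info.isis_pdu = "truncated"
    return info


def audit_capture(capture: Iterable[Tuple[str, bytes]],
                  isis_interfaces: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (interface, source MAC, PDU) for each IS-IS PDU seen on an
    interface that is not in the set where IS-IS is expected to run."""
    alerts = []
    for iface, frame in capture:
        info = classify_frame(frame)
        if info.isis_pdu is not None and iface not in isis_interfaces:
            alerts.append((iface, info.src, info.isis_pdu))
    return alerts


# --- constructed sample input (not a real capture) -------------------------

def _frame_8023(dst: bytes, src: bytes, llc_payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", len(llc_payload)) + llc_payload

# Minimal IS-IS L2 LAN IIH header after the LLC bytes; body zero-filled.
_IIH_L2 = bytes([0xFE, 0xFE, 0x03, ISIS_NLPID, 27, 1, 0, 16, 1, 0, 3]) + bytes(40)
_CORE_ROUTER = bytes.fromhex("00112233aa01")   # constructed MAC
_ACCESS_HOST = bytes.fromhex("0011223399ff")   # constructed MAC

SAMPLE_CAPTURE = [
    # Ordinary IPv4 traffic from a host (Ethernet II, EtherType 0x0800).
    ("ge-0/0/5", _ACCESS_HOST + _CORE_ROUTER + b"\x08\x00" + bytes(46)),
    # IS-IS hello from the expected neighbour on the core link.
    ("et-0/0/0", _frame_8023(ALL_L2_ISS, _CORE_ROUTER, _IIH_L2)),
    # The same kind of hello arriving from a host on an access port.
    ("ge-0/0/5", _frame_8023(ALL_L2_ISS, _ACCESS_HOST, _IIH_L2)),
]
ISIS_INTERFACES = {"et-0/0/0"}   # assumption: where IS-IS is configured

if __name__ == "__main__":
    for iface, frame in SAMPLE_CAPTURE:
        print(iface, classify_frame(frame))
    for iface, src, pdu in audit_capture(SAMPLE_CAPTURE, ISIS_INTERFACES):
        print(f"ALERT: unexpected IS-IS {pdu} from {src} on {iface}")
```

The audit only reports; the corresponding control on a real platform is to keep IS-IS disabled on host-facing interfaces (or run them passive) and, where the hardware supports it, filter LLC SAP 0xFE frames in a MAC-layer filter, since an IP ACL will not match them.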