IGP protocol

Saku Ytti saku at ytti.fi
Sun Nov 18 09:58:22 UTC 2018

On Sun, 18 Nov 2018 at 11:15, Mark Tinka <mark.tinka at seacom.mu> wrote:

> Yes, IS-IS is designed to speak to connected hosts, but will only do so if you enable IS-IS on the interface facing that host.
> The scope of the exposure, while present, is limited to the radius between your device and the connected host, vs. OSPF which can be attacked from much farther away.

Should. OSPF you can protect in edge with ACL. In ISIS you hope it's protected.

7600 punts it in every interface, if one interface speaks ISIS,
because it doesn't have per-interface punt masks.

2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
  * ISIS gets to control-plane, even when only family inet is configured

This was fixed on later releases.

Those are only two devices I've specifically tested for this. I don't
think people know what happens to ISIS in their platform, if vendor
doesn't know. I wonder what these nice BRCM kit do? I know that one of
the more popular entrant can't be protected against ANY protocol until
2019Q1, and two of the networks I know running it in the edge, were
entirely unaware of it.

My point is, perhaps in theory ISIS is more secure, but in practice
OSPF is, because  OSPF can be protected perfectly in iACL,  feature
which is available in HW in cheapest L3 switches. Only reason people
think different, is because they don't test it.

> Running MD5 on your IGP (and iBGP) should be sold at birth.

Yes, or MacSec.


More information about the NANOG mailing list