mark.tinka at seacom.mu
Sun Nov 18 15:35:29 UTC 2018
On 18/Nov/18 11:58, Saku Ytti wrote:
> Should. OSPF you can protect in edge with ACL. In ISIS you hope it's protected.
> 7600 punts it in every interface, if one interface speaks ISIS,
> because it doesn't have per-interface punt masks.
> 2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
> * ISIS gets to control-plane, even when only family inet is configured
> This was fixed on later releases.
While this isn't cool, I don't see this as a major issue when put up
against any other nasties you find in vendor implementations. Find a
problem, report it to the vendor, work with them to fix it, close the hole.
I've found my fair share of IS-IS bugs since I began using it back in
2007 (when SRC ruled the roost on 7200/7600). What matters is that stuff
> My point is, perhaps in theory ISIS is more secure, but in practice
> OSPF is, because OSPF can be protected perfectly in iACL, feature
> which is available in HW in cheapest L3 switches. Only reason people
> think different, is because they don't test it.
I would not be opposed to spending some time with you to hit IS-IS on
vendor platforms with known bugs fixed to prove this point.