IGP protocol

Mark Tinka mark.tinka at seacom.mu
Sun Nov 18 15:35:29 UTC 2018


On 18/Nov/18 11:58, Saku Ytti wrote:

> Should. OSPF you can protect in edge with ACL. In ISIS you hope it's protected.
>
> 7600 punts it in every interface, if one interface speaks ISIS,
> because it doesn't have per-interface punt masks.
>
> MX:
> 2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
>   * ISIS gets to control-plane, even when only family inet is configured
>
> This was fixed on later releases.

While this isn't cool, I don't see this as a major issue when put up
against any other nasties you find in vendor implementations. Find a
problem, report it to the vendor, work with them to fix it, close the hole.

I've found my fair share of IS-IS bugs since I began using it back in
2007 (when SRC ruled the roost on 7200/7600). What matters is that stuff
gets fixed.

>
> My point is, perhaps in theory ISIS is more secure, but in practice
> OSPF is, because OSPF can be protected perfectly in iACL, feature
> which is available in HW in cheapest L3 switches. Only reason people
> think different, is because they don't test it.

I would not be opposed to spending some time with you to hit IS-IS on
vendor platforms with known bugs fixed to prove this point.

Mark.
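
The iACL point debated above, as an added example that is not part of the original thread or of either poster's testing: OSPF rides in IPv4 (protocol 89), so an ingress IPv4 ACL can match and drop it, while IS-IS rides directly on 802.3/LLC and is never evaluated by that ACL. The frames, the source MAC and the two-line ACL model are constructed for illustration.

```python
import struct

OSPF_PROTO = 89               # IPv4 protocol number assigned to OSPF
ISIS_LLC = b"\xfe\xfe\x03"    # LLC DSAP/SSAP 0xFE + UI control: OSI network layer
ISIS_NLPID = 0x83             # first PDU byte of every IS-IS packet

def classify(frame: bytes) -> str:
    """Label an untagged Ethernet frame as 'ospf', 'isis' or 'other'."""
    if len(frame) < 18:
        return "other"
    (type_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_len == 0x0800:    # Ethernet II carrying IPv4
        is_ospf = len(payload) >= 20 and payload[9] == OSPF_PROTO
        return "ospf" if is_ospf else "other"
    if type_len <= 1500:      # 802.3 length field, LLC follows
        if payload[:3] == ISIS_LLC and payload[3] == ISIS_NLPID:
            return "isis"
    return "other"

def edge_iacl(frame: bytes) -> str:
    """Model an ingress IPv4 ACL: 'deny ospf any any', then 'permit ip any any'.

    Returns 'drop', 'forward', or 'not-evaluated' when the frame carries no
    IPv4 packet, so the ACL never sees it.
    """
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "not-evaluated"
    return "drop" if frame[14 + 9] == OSPF_PROTO else "forward"

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

# Constructed sample frames (documentation addresses, made-up source MAC).
_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 44, 0, 0, 1, OSPF_PROTO, 0,
                  bytes([192, 0, 2, 1]), bytes([224, 0, 0, 5]))
OSPF_FRAME = mac("01:00:5e:00:00:05") + mac("02:00:00:00:00:01") + b"\x08\x00" + _ip + bytes(24)
_pdu = ISIS_LLC + bytes([ISIS_NLPID]) + bytes(23)
ISIS_FRAME = (mac("01:80:c2:00:00:15") + mac("02:00:00:00:00:01")
              + struct.pack("!H", len(_pdu)) + _pdu)

if __name__ == "__main__":
    for name, frame in (("OSPF hello", OSPF_FRAME), ("IS-IS hello", ISIS_FRAME)):
        print(f"{name}: {classify(frame)}, iACL verdict: {edge_iacl(frame)}")
```

A `not-evaluated` verdict is the case the thread argues over: with no IP header to match, protection rests on the platform not punting IS-IS on interfaces where it is not configured.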