<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 18/Nov/18 11:58, Saku Ytti wrote:<br>
<br>
</div>
<blockquote type="cite"
cite="mid:CAAeewD_sdx_jB=8mGyop=kWyKSbZ+VUrw=mWkSnZ6N_aDhvOLg@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">
Should. OSPF you can protect in edge with ACL. In ISIS you hope it's protected.
7600 punts it in every interface, if one interface speaks ISIS,
because it doesn't have per-interface punt masks.
MX:
2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
* ISIS gets to control-plane, even when only family inet is configured
This was fixed on later releases.</pre>
</blockquote>
<br>
<font face="Tahoma">While this isn't cool, I don't see this as a
major issue when put up against any other nasty's you find in
vendor implementations. Find a problem, report it to the vendor,
work with them to fix it, close the hole.<br>
<br>
I've found my fair share of IS-IS bugs since I began using it back
in 2007 (when SRC ruled the roost on 7200/7600). What matters is
that stuff gets fixed.<br>
<br>
</font>
<blockquote type="cite"
cite="mid:CAAeewD_sdx_jB=8mGyop=kWyKSbZ+VUrw=mWkSnZ6N_aDhvOLg@mail.gmail.com">
<pre class="moz-quote-pre" wrap="">
My point is, perhaps in theory ISIS is more secure, but in practice
OSPF is, because OSPF can be protected perfectly in iACL, feature
which is available in HW in cheapest L3 switches. Only reason people
think different, is because they don't test it.</pre>
</blockquote>
<br>
<font face="Tahoma">I would not be opposed to spending some time
with you to hit IS-IS on vendor platforms with known bugs fixed to
prove this point.<br>
<br>
Mark.</font><br>
</body>
</html>