Using crypto auth for detecting corrupted IGP packets?
Sent from my iThing
On Oct 1, 2010, at 12:16 AM, Danny McPherson <danny at tcb.net> wrote:
>
> On Sep 30, 2010, at 11:34 PM, Manav Bhatia wrote:
>>
>> I would be interested in knowing if operators use the cryptographic
>> authentication for detecting the errors that I just described above.
>
> Additionally, one might venture to understand the effects of such mechanisms and
> why knobs such as IS-IS's "ignore-lsp-errors" were added ~15 years ago. LSP
> corruption storms driven by receivers that purge corrupted LSPs and originators that
> re-originate and flood on receipt of said purged LSPs are very problematic and
> otherwise difficult to identify in practice.
>
> Coincidentally, it's also why logging LSPs that trigger such errors is important, whether
> you ignore them or propagate them.
I really wish there was a good way to (generically) keep a 4-6 hour buffer of all control-plane traffic on devices. While you can do that with some, the forensic value is immense when you have a problem.
- Jared