IGP protocol
- Subject: IGP protocol
- From: mark.tinka at seacom.mu (Mark Tinka)
- Date: Sun, 18 Nov 2018 11:11:47 +0200
- In-reply-to: <CAAeewD_HFoupchpi_HR3ax6g6LJUif8AVp=O9S8SRP5EYmhhNQ@mail.gmail.com>
- References: <CAH_tYHKhrwW3hXAig5KpzsDp+TvPwPc6dWdNeukxP=3XDv0qHA@mail.gmail.com> <[email protected]> <[email protected]> <CAAeewD_HFoupchpi_HR3ax6g6LJUif8AVp=O9S8SRP5EYmhhNQ@mail.gmail.com>
On 13/Nov/18 17:30, Saku Ytti wrote:
> Do you know connected host can't talk ISIS to you?
>
> ISIS is false security. In modern platforms OSPF almost always can be
> protected (iACL), ISIS in many times cannot. I'd run MD5 in either
> case.
Yes, IS-IS is designed to speak to connected hosts, but will only do so
if you enable IS-IS on the interface facing that host.

The scope of the exposure, while present, is limited to the radius
between your device and the connected host, vs. OSPF which can be
attacked from much farther away.

Running MD5 on your IGP (and iBGP) should be sold at birth.

Mark.