IGP protocol
- Subject: IGP protocol
- From: mark.tinka at seacom.mu (Mark Tinka)
- Date: Sun, 18 Nov 2018 17:35:29 +0200
- In-reply-to: <CAAeewD_sdx_jB=8mGyop=kWyKSbZ+VUrw=mWkSnZ6N_aDhvOLg@mail.gmail.com>
- References: <CAH_tYHKhrwW3hXAig5KpzsDp+TvPwPc6dWdNeukxP=3XDv0qHA@mail.gmail.com> <[email protected]> <[email protected]> <CAAeewD_HFoupchpi_HR3ax6g6LJUif8AVp=O9S8SRP5EYmhhNQ@mail.gmail.com> <[email protected]> <CAAeewD_sdx_jB=8mGyop=kWyKSbZ+VUrw=mWkSnZ6N_aDhvOLg@mail.gmail.com>
On 18/Nov/18 11:58, Saku Ytti wrote:
> Should. OSPF you can protect in edge with ACL. In ISIS you hope it's protected.
>
> 7600 punts it in every interface, if one interface speaks ISIS,
> because it doesn't have per-interface punt masks.
>
> MX:
> 2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
> * ISIS gets to control-plane, even when only family inet is configured
>
> This was fixed on later releases.
While this isn't cool, I don't see this as a major issue when put up
against any other nasties you find in vendor implementations. Find a
problem, report it to the vendor, work with them to fix it, close the hole.
I've found my fair share of IS-IS bugs since I began using it back in
2007 (when SRC ruled the roost on 7200/7600). What matters is that stuff
gets fixed.
>
> My point is, perhaps in theory ISIS is more secure, but in practice
> OSPF is, because OSPF can be protected perfectly in iACL, feature
> which is available in HW in cheapest L3 switches. Only reason people
> think different, is because they don't test it.
I would not be opposed to spending some time with you to hit IS-IS on
vendor platforms with known bugs fixed to prove this point.
Mark.