Ran Atkinson wrote:
IMHO, any serious network operator using OSPF or BGP should have already deployed the techniques below (as applicable): OSPF with Keyed MD5 Authentication BGP-4 with the Keyed MD5 Authentication extension as a TCP option.
Well, it does not protect against the threat #1 -- namely source of perfectly good-looking but bogus routes. In fact, cryptography is not the best (or most useful) solution for protecting routing infrastructure from barge-in attacks. The real solutuion is very simple -- the packets carrying routing data should _not_ be routable. ARP is a good example. Unfortunately the present braindeadedness of IGPs which makes kludges like iBGP hack necessary makes multihop routing of network control information inevitable. I would say we should concentrate on fixing the original problem, not trying to patch holes in the broken-as-designed architecture.
WRT ISIS, lack of a CLNP infrastructure limits the ability of outsiders to attack a network. Nonetheless, ISIS should probably also get some kind of cryptographic authentication extension.
Heh. CLNP is quite widely routed. At some point it was very useful as a way to defeat access-filter based protection in ciscos (that was fixed, though). --vadim