On 23/Oct/15 10:48, Saku Ytti wrote:
I believe this is because you need 802.3 (as opposed to EthernetII) and a rudimentary CLNS implementation, both of which are very annoying from a programmer's point of view.
I'm not really sure what the hold-up is, but I know Mikael, together with the good folks at netDEF (Martin and Alistair) are working hard on fixing these issues. While I have not had much time to provide them with feedback on their progress, it is high on my agenda - not to mention funding support for them will only help the cause.
I hope ISIS would migrate to EthernetII and IP. From a security point of view, people often state how it's better that it's not IP, but in reality, how many have verified the flip side of this proposal, how easy it is to protect yourself from an ISIS attack from a connected host? For some platforms the answer is, there is absolutely no way, and any connected host can bring you down with a trivial amount of data.
Well, on the basis that an attack is made easier if you are running IS-IS on a vulnerable interface, in theory, an attack would be highly difficult if a vulnerable interface were not running IS-IS to begin with. But I do not have any empirical data on any attempts to attack IS-IS, successfully or otherwise. So your guess is as good as mine.

Mark.