On Sun, 18 Nov 2018 at 11:15, Mark Tinka <mark.tinka@seacom.mu> wrote:
> Yes, IS-IS is designed to speak to connected hosts, but will only do so if you enable IS-IS on the interface facing that host. The scope of the exposure, while present, is limited to the radius between your device and the connected host, vs. OSPF which can be attacked from much farther away.
Should. OSPF you can protect at the edge with an ACL. In ISIS you hope it's protected. The 7600 punts it on every interface if one interface speaks ISIS, because it doesn't have per-interface punt masks.

MX: 2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
* ISIS gets to control-plane, even when only family inet is configured

This was fixed in later releases. Those are the only two devices I've specifically tested for this. I don't think people know what happens to ISIS on their platform if the vendor doesn't know. I wonder what these nice BRCM kits do? I know that one of the more popular entrants can't be protected against ANY protocol until 2019Q1, and two of the networks I know running it in the edge were entirely unaware of it.

My point is, perhaps in theory ISIS is more secure, but in practice OSPF is, because OSPF can be protected perfectly in an iACL, a feature which is available in HW in the cheapest L3 switches. The only reason people think differently is that they don't test it.
> Running MD5 on your IGP (and iBGP) should be sold at birth.
Yes, or MACsec.

-- 
++ytti
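As an added illustration (not from the thread) of the two points above, here is a Cisco IOS style configuration that drops OSPF in an infrastructure ACL on an external-facing interface and enables MD5 authentication on the internal IGP adjacencies. The ACL name, interface names, the 192.0.2.0/24 infrastructure block and the key strings are assumed placeholders, not values from the thread.

```text
! Infrastructure ACL, applied inbound on every external-facing interface.
! OSPF is IP protocol 89, so the cheapest L3 switch can drop it in hardware
! here. IS-IS is not carried inside IP, so an IP ACL never sees it; what
! happens to IS-IS PDUs on a non-IS-IS interface is platform punt behaviour.
ip access-list extended EDGE-IACL
 deny   ospf any any
 ! assumed placeholder: 192.0.2.0/24 is the router/loopback address block.
 ! A real iACL also needs permits for eBGP, ICMP etc. to the peer-facing
 ! addresses before this line.
 deny   ip any 192.0.2.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1
 description customer/peer facing (assumed name)
 ip access-group EDGE-IACL in
!
! MD5 on the internal OSPF adjacency; key string is a placeholder.
interface GigabitEthernet0/2
 description core facing, OSPF (assumed name)
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 CHANGE-ME
!
! The IS-IS equivalent: HMAC-MD5 via a key chain, on hellos (interface)
! and on LSP/CSNP/PSNP (router process).
key chain ISIS-KEYS
 key 1
  key-string CHANGE-ME
!
interface GigabitEthernet0/3
 description core facing, IS-IS (assumed name)
 isis authentication mode md5 level-2
 isis authentication key-chain ISIS-KEYS level-2
!
router isis
 authentication mode md5 level-2
 authentication key-chain ISIS-KEYS level-2
```

The iACL is what actually removes OSPF from the external attack surface; the MD5 keys only reject unauthenticated packets that already reached the control plane, and do nothing against a platform that punts IS-IS from every interface.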