On 11 Nov 2016 06:41, "Mark Tinka" <mark.tinka@seacom.mu> wrote:
On 10/Nov/16 21:43, Baldur Norddahl wrote:
And at the day job I also prefer OSPFv2 simply because I do not need more protocols in the stack. We are running an MPLS network with the internet service in an L3VPN. IPv6 is also in the L3VPN. This means the underlying network is pure IPv4 and totally isolated from the internet. Why make it more complicated by introducing something that is not IP based?
I'd counter that: "Why not make it less complicated by removing an easily-reachable attack vector?"
Sure, you can easily protect your OSPF domain from external attack, but that's something your router CPU and/or data plane would have to deal with if it had to, and we've all seen situations where filters break in certain code for various reasons. Or vendors change the way filtering works in newer code without properly notifying customers about such changes.
Mark.
No filters. There are just no routes that will take a network packet that arrives on an interface in VRF internet and move it to an interface in VRF default without adding an MPLS header to mark the VRF. With the MPLS header the packet type is no longer IPv4 but MPLS. Therefore there is no way you, from the internet or from a customer link, can even attempt to inject packets that would be received by the OSPF process. Since we use 10.0.0.0/8 and our VRF internet has no such route, you would just get "no route to host" if you tried.

Regards,
Baldur