Yes - we do for IBGP, IS-IS, OSPF (where relevant), also LDP, HSRP, and anything else that offers the feature (even cleartext). It proves a useful guard against misconfiguration, as well as preventing certain security issues. --
Just one more question. What kind of misconfiguration issues does using passwords/authentication solve/prevent?
In IS-IS there is no anti-replay attack support. Have you heard of anyone facing replay attacks in IS-IS, or any other protocol for that matter?
It stops you bringing up adjacencies where the link/circuit has been mis-patched/mis-provisioned - at turn up time and once in service. We once had a supplier screw up an in-service core OC-3 such that it came up connected inside another ISP's core (!) - PPP auth would have helped here too, though it was HDLC at the time. I'm not too worried about IS-IS replay - it's much harder to get the nasty traffic into the core, than with IP. --
We do IGP routing protocol authentication on every LAN/MAN/WAN in the 105 offices I am responsible for. But we are a customer, not an external public ISP. --
But do we really have service providers who enable authentication (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
Yes, esp. for OSPF as it can be attacked from off-link. --
Glen,
You mean: are there ISPs who don't? I would like to protect my infra against easy mistakes like forgetting to make an interface passive and accidentally connecting my IGP to a customer's. So: MD5 it is. :) --
But do we really have service providers who enable authentication (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
Yes, we do. Approx 500 IGP-speaking devices and OSPF. --
But do we really have service providers who enable authentication (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
Yes, I know of several providers who do this. --
But do we really have service providers who enable authentication (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
Yes, I've always used MD5 with OSPF and I've even been paranoid enough to filter routing protocols at my network edges. Cheers, Glen --
Glen,
Good question! I'm also trying to figure out how much this is used internally. Could you send a summary to the list (or privately)?