> The deployed form of IS-IS uses CLNP, not IP, for transmission, making it less vulnerable to inter-domain attacks -- provided that there is no inter-domain CLNP connectivity (generally true, but not always true). IS-IS is not particularly any less vulnerable to intra-domain attacks.
Actually, IS-IS runs directly over the link layer; it doesn't employ CLNP or IP (unless you're using some tunneling hack such as IS-IS over GRE, but...). As for intra-domain CLNP packet forwarding, though a few networks had supported this for a while, fewer (do any?) ISPs do it today and most new IS-IS supporting routers don't provide capability for anything other than IP packet forwarding. As for inter-domain CLNP -- ha :-)
> Hence, the IETF IS-IS WG has a draft proposal for adding OSPF-like MD5 authentication into IS-IS. The addition of MD5 authentication into IS-IS specifications was driven by some large Tier-1 ISPs who happen to use IS-IS internally and felt there was significant risk without it.
Oh, I certainly agree that it's useful, though IS-IS is clearly not as vulnerable as IP-based protocols.

-danny
participants (1)
-
Danny McPherson