[c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Pete Lumbis alumbis at gmail.com
Wed Jan 5 19:24:38 EST 2011


Unfortunately OSPF unicast neighbors are only available for
non-broadcast network types.
http://www.cisco.com/en/US/docs/ios/iproute_ospf/configuration/guide/iro_cfg_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1054321

Off the top of my head I think the best bet would be IPv6 ACLs that
allow multicast OSPF packets and only unicast OSPF packets from known
neighbors. This isn't 100% perfect since they will still try to
initiate and can move out of INIT, but the neighbor relationship will
never complete without the unicast exchange.

-Pete

On Wed, Jan 5, 2011 at 4:53 PM, Devon True <devon at noved.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pete,
>
>> You could use inbound ACLs or CoPP policies that restrict inbound
>> OSPF traffic from only the neighbors you know about.
>
> We have CoPP deployed, but it is not that restrictive today (since our
> v4 OSPF uses authentication).
>
>> You could also move to unicast OSPF neighbor relationships to prevent
>> any rogue OSPF speakers from peering.
>
> Most of our setups use Ethernet with the "network point-to-point"
> command since the routers are directly connected. Can you provide a link
> about the unicast OSPF neighbor relationship/configuration? My searching
> skills are failing me.
>
> - --
> Devon
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk0k6GQACgkQWP2WrBTHBS91YQCg6F+OaZJDW620C4i1PNP2M170
> MXwAoJ0hABV9ZTqoEc1BRzEN833zos3+
> =c4EK
> -----END PGP SIGNATURE-----
>
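
A worked example of the ACL approach Pete sketches above, added here as an illustration rather than anything posted in the thread. It is a Cisco IOS IPv6 access list (OSPFv3 is IP protocol 89; IOS IPv6 ACLs have no "ospf" keyword, so the number is used) that permits OSPFv3 to the AllSPFRouters (FF02::5) and AllDRouters (FF02::6) multicast groups from any link-local source, permits unicast OSPFv3 only from the link-local addresses of known neighbors, and drops all other OSPFv3. The ACL name, interface, and neighbor link-local addresses are made up for the example.

```cisco
! Example only: names and addresses below are placeholders, not the
! original poster's configuration.
ipv6 access-list OSPFV3-NEIGHBORS
 remark Hellos (and anything else the platform multicasts) to AllSPFRouters/AllDRouters
 permit 89 FE80::/10 host FF02::5
 permit 89 FE80::/10 host FF02::6
 remark Unicast OSPFv3 (DBD/LSR/LSU/LSAck) only from known neighbor link-locals
 remark FE80::1 and FE80::2 stand in for the real neighbors' link-local addresses
 permit 89 host FE80::1 any
 permit 89 host FE80::2 any
 remark Everything else that claims to be OSPFv3 is dropped
 deny 89 any any
 remark Do not break the rest of the link's traffic
 permit ipv6 any any
!
! Hypothetical interface; use the real neighbor-facing interface.
interface TenGigabitEthernet1/1
 ipv6 traffic-filter OSPFV3-NEIGHBORS in
```

Two checks before relying on this: confirm which OSPFv3 packet types your neighbors actually send as unicast on the network type in use (RFC 2328/5340 allow everything on a point-to-point link to go to AllSPFRouters, so take a packet capture or `debug ipv6 ospf packet` on a lab pair first; if the database exchange is also multicast, this ACL will not stop a rogue adjacency from completing), and verify the ACL is programmed in hardware on the 6500/7600 line card rather than punting OSPF to the RP, since a software-switched ACL on control-plane traffic defeats the purpose of also having CoPP. Adding `log` to the deny line is useful while tuning but generates CPU punts on these platforms, so remove it once the neighbor list is known good.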

