[c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Dobbins, Roland rdobbins at arbor.net
Wed Jan 5 19:40:55 EST 2011


On Jan 6, 2011, at 7:24 AM, Pete Lumbis wrote:

> Off the top of my head I think the best bet would be IPv6 ACLs that allow multicast ospf packets and only unicast ospf packets from known
> neighbors.

The biggest win in this regard is all the standard hardening/access BCPs for network infrastructure (iACLs, CoPP, DCN, et al.), along with passiving OSPF on interfaces serving access networks.

If an attacker has reached the point that he's able to perturb/abuse the IGP sessions between routers in one's network, one has much more basic security problems than worrying about IPv6/OSPFv3 multicast filtering esoterica, heh.

------------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

Most software today is very much like an Egyptian pyramid, with millions
of bricks piled on top of each other, with no structural integrity, but
just done by brute force and thousands of slaves.

			  -- Alan Kay
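
One way to check the "passive OSPF on access-facing interfaces" recommendation against a router configuration; this is an added example, not code from the original post or its author. The sample configuration is constructed, and the convention of tagging access interfaces with "ACCESS" in the description is an assumption, as is the function name.

```python
import re

# Constructed sample config (not from the post). Interface names and the
# "ACCESS" description tag marking access-facing ports are assumptions.
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/1
 description CORE uplink
 ipv6 ospf 1 area 0
!
interface GigabitEthernet2/1
 description ACCESS vlan 100
 ipv6 ospf 1 area 0
!
interface GigabitEthernet2/2
 description ACCESS vlan 200
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 passive-interface GigabitEthernet2/1
!
"""

def unpassive_access_interfaces(config, tag="ACCESS"):
    """Access-tagged interfaces that run OSPFv3 but are not passive."""
    intfs, procs, kind, cur = {}, {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", line):
            kind, cur = "if", intfs.setdefault(m[1], {"desc": "", "pids": set()})
        elif m := re.match(r"ipv6 router ospf (\d+)", line):
            kind, cur = "ospf", procs.setdefault(
                m[1], {"default": False, "passive": set(), "active": set()})
        elif not line.startswith(" "):
            kind = None  # "!" or another top-level command ends the section
        elif kind == "if" and s.startswith("description "):
            cur["desc"] = s[len("description "):]
        elif kind == "if" and (m := re.match(r"ipv6 ospf (\d+) area \S+", s)):
            cur["pids"].add(m[1])
        elif kind == "ospf" and s == "passive-interface default":
            cur["default"] = True
        elif kind == "ospf" and (m := re.match(r"(no )?passive-interface (\S+)", s)):
            cur["active" if m[1] else "passive"].add(m[2])
    findings = set()
    for name, intf in intfs.items():
        for pid in intf["pids"] if tag in intf["desc"] else ():
            p = procs.get(pid, {"default": False, "passive": set(), "active": set()})
            if not (name in p["passive"] or (p["default"] and name not in p["active"])):
                findings.add(name)
    return sorted(findings)
```

On the sample, `unpassive_access_interfaces(SAMPLE_CONFIG)` reports `GigabitEthernet2/2`, the access port that would still form OSPFv3 adjacencies.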



