[c-nsp] Securing OSPFv3 on 6500/7600 Routers?
Mikael Abrahamsson
swmike at swm.pp.se
Thu Jan 6 00:45:48 EST 2011
On Thu, 6 Jan 2011, Dobbins, Roland wrote:
> I'll buy that - but since I've yet to see/posit a practical attack on
> MD5-based IGP authentication, and since if an attacker has enough access
> to one's network infrastructure to play games with one's IGP, IGP
> authentication ought to be the least of one's worries, I somehow doubt
> it's worth the added complexity.
It's usually not about intentional attacks, it's also about unintentional
consequences of mistakes.
I've for instance seen mispatching of OC192 links from a DWDM provider
so our OC192 interface all of a sudden was connected to another ISP's OC192
interface.
I think it's a mistake of people implementing IPv6 protocols to design
them so that they have to rely on IPSEC for their
authentication/encryption, at least initially when IPSEC support seems to
be quite incomplete for platforms.
In short, not adding MD5 support in OSPFv3 was a design mistake. I'm sure it
looked good on paper, but it's not good in real life.
--
Mikael Abrahamsson email: swmike at swm.pp.se