[c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Andriy Bilous andriy.bilous at gmail.com
Thu Jan 6 04:30:35 EST 2011


There is also instance-id

R5(config-if)#ipv6 ospf 1 area 0 instance ?
  <0-255>  Instance ID

which you could call "poor man's plain-text authentication" in a
desperate attempt to prevent disasters caused by situations like the
one Mikael described. Neighbors with different instance-ids won't form
adjacencies. Can also be used on broadcast segments. Clearly not a
security feature by any means, could be helpful though.
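To make the mechanism concrete: the instance ID is one octet in the OSPFv3 packet header (RFC 5340), and a receiving interface silently discards any OSPFv3 packet whose instance ID differs from its own, so a Hello with the wrong value never starts an adjacency. The script below is an added example written for this archive page, not code from the thread or from Cisco; it builds and parses OSPFv3 headers, applies the instance-ID and area checks plus the inbound neighbor ACL approach mentioned earlier in the thread, and then shows why the instance ID is not authentication: a rogue speaker that sees one multicast Hello can copy the value. Router IDs, link-local addresses, the instance ID 42 and the `Interface` class are all assumptions constructed for the demo; the checksum is left at zero because real stacks compute it over the IPv6 pseudo-header.

```python
"""OSPFv3 header (RFC 5340 A.3.1) and the receive-side instance-ID check.

Added example for the cisco-nsp thread; all packets, addresses and IDs are
constructed inline and are assumptions, not captures from any network.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# 16-byte OSPFv3 header, network byte order:
#   version | type | packet length | router ID | area ID | checksum | instance ID | reserved
HDR = struct.Struct("!BBH4s4sHBB")
OSPFV3_VERSION = 3
HELLO = 1  # packet type 1


@dataclass(frozen=True)
class Ospfv3Header:
    ptype: int
    length: int
    router_id: str
    area_id: str
    instance_id: int


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _undotted(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_header(ptype: int, router_id: str, area_id: str,
                 instance_id: int, body: bytes = b"") -> bytes:
    """Build an OSPFv3 packet; checksum is 0 here (assumption, see lead-in)."""
    if not 0 <= instance_id <= 255:
        raise ValueError("instance ID is a single octet (0-255)")
    hdr = HDR.pack(OSPFV3_VERSION, ptype, HDR.size + len(body),
                   _undotted(router_id), _undotted(area_id), 0, instance_id, 0)
    return hdr + body


def parse_header(pkt: bytes) -> Ospfv3Header:
    """Decode the fixed header, rejecting truncated or non-v3 packets."""
    if len(pkt) < HDR.size:
        raise ValueError("truncated OSPFv3 header")
    version, ptype, length, rid, aid, _csum, inst, _res = HDR.unpack_from(pkt)
    if version != OSPFV3_VERSION:
        raise ValueError(f"not OSPFv3 (version {version})")
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return Ospfv3Header(ptype, length, _dotted(rid), _dotted(aid), inst)


class Interface:
    """Checks an OSPFv3 interface applies before a Hello can start an adjacency (hypothetical model)."""

    def __init__(self, instance_id: int, area_id: str,
                 neighbor_acl: Optional[Set[str]] = None):
        self.instance_id = instance_id
        self.area_id = area_id
        self.neighbor_acl = neighbor_acl  # None = no inbound ACL / CoPP source filter

    def accept(self, src_link_local: str, pkt: bytes) -> Tuple[bool, str]:
        # Ingress ACL / CoPP runs before the protocol ever sees the packet.
        if self.neighbor_acl is not None and src_link_local not in self.neighbor_acl:
            return False, "dropped by inbound ACL: source not a known neighbor"
        hdr = parse_header(pkt)
        # RFC 5340: mismatched instance ID is silently discarded.
        if hdr.instance_id != self.instance_id:
            return False, f"instance ID {hdr.instance_id} != {self.instance_id}, discarded"
        if hdr.area_id != self.area_id:
            return False, "area mismatch"
        return True, "accepted"


def demo() -> dict:
    """Legit neighbor, rogue with default instance 0, rogue that copied the ID, then with an ACL."""
    iface = Interface(instance_id=42, area_id="0.0.0.0")
    legit = build_header(HELLO, "10.0.0.5", "0.0.0.0", instance_id=42)
    rogue = build_header(HELLO, "10.0.0.99", "0.0.0.0", instance_id=0)
    # Hellos go to ff02::5, so any host on the segment can read the instance ID and reuse it.
    learned = parse_header(legit).instance_id
    rogue_copied = build_header(HELLO, "10.0.0.99", "0.0.0.0", instance_id=learned)
    strict = Interface(instance_id=42, area_id="0.0.0.0", neighbor_acl={"fe80::5"})
    return {
        "legit": iface.accept("fe80::5", legit)[0],
        "rogue_default_instance": iface.accept("fe80::99", rogue)[0],
        "rogue_copied_instance": iface.accept("fe80::99", rogue_copied)[0],
        "acl_legit": strict.accept("fe80::5", legit)[0],
        "acl_rogue": strict.accept("fe80::99", rogue_copied)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'adjacency possible' if ok else 'dropped'}")
```

The IOS knob that sets the value checked here is the `ipv6 ospf 1 area 0 instance <0-255>` shown above; the demo's last two entries are the ACL/CoPP approach from the thread, which raises the bar only as far as the source address can be trusted on that segment.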

On Wed, Jan 5, 2011 at 10:53 PM, Devon True <devon at noved.org> wrote:
> Pete,
>
>> You could use inbound ACLs or CoPP policies that restrict inbound
>> OSPF traffic from only the neighbors you know about.
>
> We have CoPP deployed, but it is not that restrictive today (since our
> v4 OSPF uses authentication).
>
>> You could also move to unicast OSPF neighbor relationships to prevent
>> any rogue OSPF speakers from peering.
>
> Most of our setups use Ethernet with the "network point-to-point"
> command since the routers are directly connected. Can you provide a link
> about the unicast OSPF neighbor relationship/configuration? My searching
> skills are failing me.
>
> --
> Devon
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
