[c-nsp] ISIS routing

Saku Ytti saku at ytti.fi
Mon Nov 26 04:47:11 EST 2012


On (2012-11-26 14:55 +0530), Iftekhar Ahmad khan wrote:

> Please help to understand this
> 
> IS-IS can never be *routed beyond the immediate next hop* and hence
> shielded from IP spoofing and similar Denial of Service attacks.

What they mean is, ISIS is not riding on top of IP, so you cannot use any
IP based attacks on it.

It is however using CLNS which is perfectly routable, even globally, but
usually you're using private scope addresses and not having any network
interconnects with it.

Today ISIS actually is typically less secure than OSPF as in most platforms
OSPF can be protected by control-plane protection while ISIS cannot. I've
personally only taken a close look at 7600/PFC3 and MX/Trio where this is
true, but I expect this to be true on most platforms, except maybe
ASR9k/CRS.


-- 
  ++ytti
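
The point that ISIS is not riding on top of IP, as an added example that is not part of the original message: a small classifier showing that an IS-IS frame carries LLC and an OSI NLPID directly after the Ethernet header, so a filter keyed on IP header fields has nothing to match, while OSPF sits inside IPv4 as protocol 89. The sample frames are constructed, minimal and unpadded, and the function names are hypothetical.

```python
import struct

# Constructed sample frames (not captured traffic), untagged Ethernet.
ISIS_HELLO = bytes.fromhex(
    "0180c2000014" "001122334455" "0007"  # dst AllL1ISs, src, 802.3 length
    "fefe03"                              # LLC: DSAP/SSAP 0xFE (OSI), UI
    "831b0100"                            # NLPID 0x83 (IS-IS) + header stub
)
OSPF_HELLO = bytes.fromhex(
    "01005e000005" "001122334455" "0800"  # dst 224.0.0.5 MAC, src, IPv4
    "45c00014000000000159"                # IPv4: IHL 5, TTL 1, proto 89
    "0000" "c0000201" "e0000005"          # checksum (unset), src, dst
)

OSI_LLC = b"\xfe\xfe\x03"   # LLC header used for OSI network-layer PDUs
NLPID_ISIS = 0x83           # Intradomain Routing Protocol Discriminator
IPPROTO_OSPF = 89


def classify(frame: bytes) -> str:
    """Name the routing protocol carried by an untagged Ethernet frame."""
    if len(frame) < 14:
        return "truncated"
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if type_or_len == 0x0800:            # Ethernet II carrying IPv4
        if len(payload) < 20:
            return "truncated"
        return "ospf" if payload[9] == IPPROTO_OSPF else "ipv4-other"
    if type_or_len <= 1500:              # 802.3 length field: LLC follows
        if len(payload) < 4:
            return "truncated"
        if payload[:3] == OSI_LLC and payload[3] == NLPID_ISIS:
            return "isis"
        return "llc-other"
    return "other"


def has_ip_header(frame: bytes) -> bool:
    """True only when there is an IP header for an IP-based filter to inspect."""
    return classify(frame) in ("ospf", "ipv4-other")


if __name__ == "__main__":
    for name, frame in (("IS-IS", ISIS_HELLO), ("OSPF", OSPF_HELLO)):
        print(name, classify(frame), "ip_header=%s" % has_ip_header(frame))
```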

