[c-nsp] ISIS authentication

Saku Ytti saku at ytti.fi
Fri Sep 21 10:46:48 EDT 2012


On (2012-09-21 16:36 +0200), Adam Vitkovsky wrote:

> I'd like to hear others' opinions on IGP authentication in the core in
> general

I would do MD5 for hello and LSP in ISIS. It's not hard to configure, as it
does not require downtime.

Maybe some old link is repurposed as a core link and you leave the ISIS config
active there, or maybe someone pastes ISIS config into the wrong interface. If
provisioning is done by hand, it's not a very far-fetched scenario.

And there is one really annoying attack vector in ISIS, reflood all LSPs
with bogus information and maximum LSP seq# and your whole network is down.
You can't even fix the situation by reloading your boxes.

What you need to do is
1)  identify the culprit and stop it
2a) reload whole core simultaneously
2b) change each NET address one by one
-- 
  ++ytti
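
Added example, not part of the original message: a sketch of the receive-side check that HMAC-MD5 LSP authentication (RFC 5304) performs, showing that an LSP without a valid digest is rejected whatever sequence number it carries. The key, system ID and minimal LSP are constructed samples, and the Fletcher checksum is left unset.

```python
import hmac
import struct

AUTH_TLV, HMAC_MD5 = 10, 54  # RFC 5304 Authentication TLV type / auth type
HDR_LEN = 27                 # fixed LSP header length before the TLVs

def _digest(pdu: bytes, key: bytes, off: int) -> bytes:
    """HMAC-MD5 over the LSP with digest, lifetime and checksum zeroed."""
    tmp = bytearray(pdu)
    tmp[off:off + 16] = bytes(16)   # digest field
    tmp[10:12] = b"\x00\x00"        # Remaining Lifetime (changes in transit)
    tmp[24:26] = b"\x00\x00"        # Checksum
    return hmac.new(key, bytes(tmp), "md5").digest()

def build_lsp(sysid: bytes, seq: int, key: bytes = b"") -> bytes:
    """Constructed minimal L2 LSP; carries an auth TLV only if key is set."""
    tlvs = bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16) if key else b""
    pdu = bytearray(struct.pack("!8B", 0x83, HDR_LEN, 1, 0, 20, 1, 0, 0))
    pdu += struct.pack("!HH6sBBIHB", HDR_LEN + len(tlvs), 1200,
                       sysid, 0, 0, seq, 0, 0x03)  # Fletcher checksum omitted
    pdu += tlvs
    if key:
        pdu[HDR_LEN + 3:] = _digest(pdu, key, HDR_LEN + 3)
    return bytes(pdu)

def verify_lsp(pdu: bytes, key: bytes) -> bool:
    """Accept the LSP only if it carries a valid HMAC-MD5 auth TLV."""
    off = HDR_LEN
    while off + 2 <= len(pdu):
        typ, length = pdu[off], pdu[off + 1]
        val = off + 2
        if val + length > len(pdu):
            return False            # truncated TLV
        if typ == AUTH_TLV and length == 17 and pdu[val] == HMAC_MD5:
            want = _digest(pdu, key, val + 1)
            return hmac.compare_digest(want, pdu[val + 1:val + 17])
        off = val + length
    return False                    # no auth TLV: reject when auth is required

KEY = b"constructed-sample-key"
SYSID = bytes.fromhex("000000000001")                  # constructed system ID
good = build_lsp(SYSID, 41, KEY)                       # signed by a real neighbor
aged = good[:10] + struct.pack("!H", 900) + good[12:]  # lifetime counted down
bogus = build_lsp(SYSID, 0xFFFFFFFF)                   # no auth TLV, max seq#
tampered = good[:20] + struct.pack("!I", 0xFFFFFFFF) + good[24:]
```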

