[c-nsp] ISIS authentication

Adam Vitkovsky adam.vitkovsky at swan.sk
Fri Sep 21 11:12:04 EDT 2012


OMG 
I shouldn't know this, now I'll have nightmares for the rest of my life.
Ok, lesson learned.

adam

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Saku Ytti
Sent: Friday, September 21, 2012 4:47 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ISIS authentication

On (2012-09-21 16:36 +0200), Adam Vitkovsky wrote:

> I'd like to hear the other's opinion on IGP authentication in the core 
> in general

I would do MD5 for hello and lsp in ISIS. It's not hard to config, as it
does not require downtime.

Maybe some old link is repurposed as core link and you leave isis config
active there, or maybe someone pastes isis config in the wrong interface. If
provisioning is done by hand it's not a very far-fetched scenario.

And there is one really annoying attack vector in ISIS, reflood all LSPs
with bogus information and maximum LSP seq# and your whole network is down.
You can't even fix the situation by reloading your boxes.

What you need to do is
1)  identify the culprit and stop it
2a) reload whole core simultaneously
2b) change each NET address one by one
--
  ++ytti
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
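The no-downtime MD5 rollout Saku describes (hello and LSP authentication), written out as an added Cisco IOS example that is not part of the original thread. The key chain name, key string, NET, process name and interface are constructed placeholders.

```cisco
! Shared secret used by every router in the area (constructed placeholder)
key chain ISIS-AUTH
 key 1
  key-string REPLACE-WITH-REAL-SECRET
!
router isis CORE
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 ! Authenticate LSPs, CSNPs and PSNPs with HMAC-MD5 at level 2
 authentication mode md5 level-2
 authentication key-chain ISIS-AUTH level-2
 ! Rollout step 1: send authenticated PDUs but still accept unauthenticated
 ! ones, so adjacencies stay up while other routers are being configured
 authentication send-only level-2
!
interface GigabitEthernet0/0
 ip router isis CORE
 ! Authenticate IIH hellos on this link, same phased approach
 isis authentication mode md5 level-2
 isis authentication key-chain ISIS-AUTH level-2
 isis authentication send-only level-2
!
! Rollout step 2, only after every router in the area sends MD5:
! drop send-only so unauthenticated hellos and LSPs are now rejected
router isis CORE
 no authentication send-only level-2
!
interface GigabitEthernet0/0
 no isis authentication send-only level-2
```

Check adjacencies with `show isis neighbors` between the two steps; an interface whose peer has not been configured yet stays up during step 1 because send-only only signs, it does not enforce.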