[c-nsp] Best practise/security design for BGP and OSPF

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Tue May 23 06:06:17 EDT 2017


> Saku Ytti [mailto:saku at ytti.fi]
> Sent: Tuesday, May 23, 2017 10:11 AM
> 
> On 23 May 2017 at 12:00,  <adamv0025 at netconsultings.com> wrote:
> 
> Hey,
> 
> > Regarding OSPF,
> > Best security is to use it solely for routing PE loopbacks (i.e. no
> > connectivity outside the core).
> 
> But because it's IP, you might receive a spoofed packet further down the line
> and believe you received it from the far-end. So OP's question about TTL-security
> is a valid one, and I'd support that. I'd also run
> MD5 auth.
> But of course if you have good iACL, stopping internet from sending other
> than ICMP, UDP highports to links and loops, you should be pretty safe.
>
Yes while on it, tightening iACLs on all edge ports is also key.

> ISIS and OSPF have quite interesting properties, ISIS is more secure out-of-
> the-box, but in many cases you cannot stop box from punting CLNS packets,
> so any edge-interface may reach control-plane by crafted CLNS packets
> (without ISIS being configured on the interface).
> Whereas OSPF out-of-the-box is less secure due to IP, but pretty much
> every box supports ACLs, allowing you to consistently protect the box.
> 
A router listening for all IS multicast MAC addresses on all interfaces, rather than solely on interfaces actually configured with ISIS, seems like a bug.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
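The controls the thread converges on (OSPF carrying only PE loopbacks, TTL-security, MD5 authentication on the adjacency, and a tight iACL on every edge port), written out as an added Cisco IOS-style configuration example; this is not from the thread or from either poster. Addresses, interface names and the key string are assumptions, and the UDP range is the conventional traceroute port range.

```cisco
! Added example (not from the thread). Addresses, names and key are assumptions.
!
! 1) OSPF carries only loopbacks and core links; MD5 auth plus TTL-security
!    (GTSM) on the process, so a spoofed hello arriving with TTL < 255 is dropped
!    before the adjacency logic ever sees it.
router ospf 1
 router-id 192.0.2.1
 ttl-security all-interfaces
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 192.0.2.1 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.3 area 0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Core-facing link: MD5 key for the adjacency (rotate via a second key-id)
interface GigabitEthernet0/0
 description CORE-LINK to P router
 ip address 198.51.100.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY-CHANGE-ME
!
! 2) iACL on every edge port: the internet may send only ICMP and UDP high
!    ports (traceroute) to link and loopback space. Anything else destined to
!    infrastructure addresses is dropped; transit traffic is left untouched.
ip access-list extended EDGE-IACL
 remark -- infra blocks (assumed): 192.0.2.0/24 loopbacks, 198.51.100.0/24 links
 permit icmp any 192.0.2.0 0.0.0.255
 permit icmp any 198.51.100.0 0.0.0.255
 permit udp any 192.0.2.0 0.0.0.255 range 33434 33534
 permit udp any 198.51.100.0 0.0.0.255 range 33434 33534
 deny ip any 192.0.2.0 0.0.0.255
 deny ip any 198.51.100.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1
 description EDGE-PORT to customer or peer
 ip address 203.0.113.1 255.255.255.252
 ip access-group EDGE-IACL in
```

The deny lines are deliberately left without `log`; on a busy edge port a logging deny is itself a control-plane punt.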