[c-nsp] Best practise/security design for BGP and OSPF
adamv0025 at netconsultings.com
Tue May 23 06:06:17 EDT 2017
> Saku Ytti [mailto:saku at ytti.fi]
> Sent: Tuesday, May 23, 2017 10:11 AM
>
> On 23 May 2017 at 12:00, <adamv0025 at netconsultings.com> wrote:
>
> Hey,
>
> > Regarding OSPF,
> > Best security is to use it solely for routing PE loopbacks (i.e. no
> > connectivity outside the core).
>
> But because it's IP, you might receive a spoofed packet further down the line
> and believe you received it from the far-end. So OP's question about TTL-security
> is a valid one, and I'd support that. I'd also run
> MD5 auth.
> But of course if you have a good iACL, stopping the internet from sending anything other
> than ICMP, UDP highports to links and loops, you should be pretty safe.
>
Yes, while on it, tightening iACLs on all edge ports is also key.
> ISIS and OSPF have quite interesting properties, ISIS is more secure out-of-
> the-box, but in many cases you cannot stop box from punting CLNS packets,
> so any edge-interface may reach control-plane by crafted CLNS packets
> (without ISIS being configured on the interface).
> Whereas OSPF out-of-the-box is less secure due to IP, but pretty much
> every box supports ACLs, allowing you to consistently protect the box.
>
A router listening for all IS multicast MAC addresses on all interfaces, rather than solely on interfaces actually configured with ISIS, seems like a bug.
adam
netconsultings.com
::carrier-class solutions for the telecommunications industry::
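The controls discussed in this thread (edge iACL limiting traffic to links and loopbacks, OSPF MD5 plus TTL-security on core links, GTSM and TCP MD5 on BGP) put together as an added Cisco IOS configuration example; it is not from the thread or any poster, and all addresses, interface names, AS numbers and keys are constructed placeholders.

```cisco
! Added example, not from the thread. Constructed addressing:
!   PE loopbacks 10.255.0.0/24, core links 10.254.0.0/16,
!   eBGP peer 203.0.113.2 on edge interface 203.0.113.1
! REPLACE_WITH_KEY is a placeholder.
!
! iACL on internet/customer-facing edge ports: transit stays open, but
! traffic *to* infrastructure is limited to ICMP, UDP high ports (traceroute)
! and the one expected BGP peer; everything else aimed at links/loops drops.
ip access-list extended INFRA-IN
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 permit icmp any 10.255.0.0 0.0.0.255
 permit icmp any 10.254.0.0 0.0.255.255
 permit udp any 10.255.0.0 0.0.0.255 range 33434 33534
 permit udp any 10.254.0.0 0.0.255.255 range 33434 33534
 deny   ip any 10.255.0.0 0.0.0.255 log
 deny   ip any 10.254.0.0 0.0.255.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description edge port (internet / customer)
 ip address 203.0.113.1 255.255.255.252
 ip access-group INFRA-IN in
!
! OSPF speaks only on the core link: MD5 auth, and GTSM so a spoofed packet
! that travelled further than one hop (TTL < 254) is dropped before auth.
interface GigabitEthernet0/0
 description core link
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE_WITH_KEY
!
router ospf 1
 ttl-security all-interfaces
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 10.255.0.0 0.0.0.255 area 0
 network 10.254.0.0 0.0.255.255 area 0
!
! Directly connected eBGP peer: TCP MD5 plus ttl-security hops 1, so only
! packets arriving with TTL 255 (one hop away) are accepted for the session.
router bgp 65000
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 password REPLACE_WITH_KEY
 neighbor 203.0.113.2 ttl-security hops 1
```

The `log` keyword on the two deny lines gives the drop counters you would watch for spoofed traffic aimed at the core; remove it if the platform punts logged denies to the CPU at a rate you cannot afford.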