[afnog] Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency

Randy Bush randy at psg.com
Sat Jul 29 09:07:48 UTC 2017


>> what's OSPF?  is it something like IS-IS?  :)
> 
> I suppose one could protect themselves with ACLs in the appropriate
> places to keep unwanted OSPF traffic from entering the routing domain
> via external sources. But it does sound like quite a bit of work if it
> wasn't planned from the beginning. Either way, you'd want to have that
> if you want to remain secure and prefer not to use IS-IS.

we're both being too subtle.  as we teach in the workshops, is-is is not
subject to local or remote ip attacks for the simple reason it uses a
non-ip link local protocol, clnp.  it is also simpler and scales far
better than ospf.

but if you are paid by the hour and like complexity, ospf for the win.

randy


