nanog mailing list archives

Re: IGP protocol


From: Mark Tinka <mark.tinka () seacom mu>
Date: Sun, 18 Nov 2018 17:35:29 +0200



On 18/Nov/18 11:58, Saku Ytti wrote:

Should. OSPF you can protect in edge with ACL. In ISIS you hope it's protected.

7600 punts it in every interface, if one interface speaks ISIS,
because it doesn't have per-interface punt masks.

MX:
2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
  * ISIS gets to control-plane, even when only family inet is configured

This was fixed on later releases.

While this isn't cool, I don't see this as a major issue when put up
against any other nasties you find in vendor implementations. Find a
problem, report it to the vendor, work with them to fix it, close the hole.

I've found my fair share of IS-IS bugs since I began using it back in
2007 (when SRC ruled the roost on 7200/7600). What matters is that stuff
gets fixed.


My point is, perhaps in theory ISIS is more secure, but in practice
OSPF is, because OSPF can be protected perfectly in iACL, feature
which is available in HW in cheapest L3 switches. Only reason people
think different, is because they don't test it.

I would not be opposed to spending some time with you to hit IS-IS on
vendor platforms with known bugs fixed to prove this point.

Mark.
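
Added example, not part of the original message or any vendor's code: the thread's argument rests on OSPF riding inside IPv4 (protocol 89), where an infrastructure ACL can match it, while IS-IS rides directly on 802.3/LLC with no IP header. The function names, verdict strings and sample frames below are constructed for illustration.

```python
import struct

OSPF_PROTO = 89               # IP protocol number assigned to OSPF
ISIS_LLC = b"\xfe\xfe\x03"    # LLC DSAP, SSAP, control for OSI network layer
ISIS_NLPID = 0x83             # first octet of every IS-IS PDU

def classify(frame: bytes) -> str:
    """Return 'ospf', 'isis', 'ipv4-other' or 'other' for one Ethernet frame."""
    if len(frame) < 14:
        return "other"
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if type_or_len == 0x8100 and len(payload) >= 4:      # one 802.1Q tag
        (type_or_len,) = struct.unpack("!H", payload[2:4])
        payload = payload[4:]
    if type_or_len == 0x0800 and len(payload) >= 20:     # IPv4: an ACL can match
        return "ospf" if payload[9] == OSPF_PROTO else "ipv4-other"
    # <= 1500 means an 802.3 length field followed by LLC, not an EtherType.
    if type_or_len <= 1500 and payload[:4] == ISIS_LLC + bytes([ISIS_NLPID]):
        return "isis"
    return "other"

def edge_verdict(frame: bytes, isis_enabled_on_port: bool = False) -> str:
    """Hypothetical edge-port policy: which control gets to see the frame."""
    kind = classify(frame)
    if kind == "ospf":
        return "drop: iACL term 'deny protocol 89'"
    if kind == "isis":
        # No IP header, so no IP ACL term is ever evaluated for this frame.
        if isis_enabled_on_port:
            return "accept"
        return "alert: IS-IS frame on a port where IS-IS is not enabled"
    return "not OSPF or IS-IS: handled by other policy"

def eth(dst: str, src: str, type_or_len: int, payload: bytes) -> bytes:
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", type_or_len) + payload

# Constructed sample frames (not captured traffic).
IP_HDR = (bytes([0x45, 0xC0]) + struct.pack("!HHHBBH", 64, 0, 0, 1, OSPF_PROTO, 0)
          + bytes([192, 0, 2, 1]) + bytes([224, 0, 0, 5]))
OSPF_FRAME = eth("01005e000005", "020000000001", 0x0800, IP_HDR + bytes(44))
ISIS_FRAME = eth("0180c2000015", "020000000002", 30,
                 ISIS_LLC + bytes([ISIS_NLPID]) + bytes(26))

if __name__ == "__main__":
    for name, frame in (("OSPF hello", OSPF_FRAME), ("IS-IS PDU", ISIS_FRAME)):
        print(f"{name}: {classify(frame)} -> {edge_verdict(frame)}")
```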
