North American Network Operators Group

Re: IS-IS authentication

> The deployed form of IS-IS uses CLNP not IP for transmission,
> making it less vulnerable to inter-domain attacks -- provided
> that there is no inter-domain CLNP connectivity (generally
> true, but not always true). IS-IS is not particularly any
> less vulnerable from intra-domain attacks.

Actually, IS-IS runs directly over the link layer, it doesn't employ CLNP or IP (unless you're using some tunneling hack such as IS-IS over GRE, but...).

As for intra-domain CLNP packet forwarding, though a few networks had supported this for a while, fewer (do any?) ISPs do it today and most new IS-IS supporting routers don't provide capability for anything other than IP packet forwarding.

As for inter-domain CLNP -- ha :-)

> Hence, the IETF IS-IS WG has a draft proposal for adding OSPF-like
> MD5 authentication into IS-IS. The addition of MD5 authentication
> into IS-IS specifications was driven by some large Tier-1 ISPs
> who happen to use IS-IS internally and felt there was significant
> risk without it.

Oh, I certainly agree that it's useful, though IS-IS is clearly not as vulnerable as IP-based protocols.

-danny