North American Network Operators Group


Re: Security inside AS

  • From: Glen Kent
  • Date: Sun Jan 22 23:24:33 2006

Yes - we do for IBGP, IS-IS, OSPF (where relevant), also LDP,
HSRP, and anything else that offers the feature (even cleartext).
It proves a useful guard against misconfiguration, as well as
preventing certain security issues.
--
> Just one more question. What kind of misconfiguration issues does using
> passwords/authentication solve/prevent?
>
> In IS-IS there is no anti-replay attack support. Have you heard of
> anyone facing replay attacks in IS-IS, or any other protocol for that
> matter?

It stops you bringing up adjacencies where the link/circuit has been
mis-patched/mis-provisioned - at turn up time and once in service.
We once had a supplier screw up an in-service core OC-3 such that it came
up connected inside another ISP's core (!) - ppp auth would have helped
here too, though it was HDLC at the time.

I'm not too worried about IS-IS replay - it's much harder to get the
nasty traffic into the core, than with IP.

--
We do IGP routing protocol authentication on every LAN/MAN/WAN in the
105 offices I am responsible for.  But we are a customer, not an
external public ISP.

--
> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?

Yes, esp for ospf as it can be attacked from off-link.
--
Glen,

You mean: are there ISPs who don't?

I would like to protect my infra against easy mistakes like forgetting to
make an interface passive and accidentally connecting my IGP to a
customer's.

So: md5 it is. :)
--

> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?

Yes, we do.  Approx 500 IGP-speaking devices and OSPF.
--

> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?

Yes, I know of several providers who do this.

--

> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
>

Yes, I've always used MD5 with OSPF and I've even been paranoid
enough to filter routing protocols at my network edges.

Cheers,
Glen

--

> Glen,
>
> Good question! I'm also trying to figure out how much this is used internally. Could you send a summary to the list (or privately)?
>
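An added example, not code from this thread or from any router vendor: a toy Python receiver that applies the RFC 2328 Appendix D cryptographic-authentication check to constructed OSPFv2 Hello packets. It shows the two points the replies above rely on: a neighbour whose AuType or key does not match never forms an adjacency, which is what turns a mis-patched circuit or a forgotten passive interface into a dropped Hello rather than a merged IGP; and the cryptographic sequence number gives only limited replay protection (a packet older than the last accepted one is dropped, but the RFC allows an equal sequence number, so the most recent packet can still be replayed). The `Interface` class, the packet bodies and the key are constructed assumptions, and the OSPF checksum is left at zero in this toy.

```python
"""Toy OSPFv2 receive-side authentication check, after RFC 2328 Appendix D.

Added illustration for the NANOG thread; not vendor or project code.
"""
import hashlib
import hmac
import struct

OSPF_HDR = struct.Struct("!BBHIIHH")   # version, type, length, router id, area id, checksum, AuType
CRYPTO_AUTH = struct.Struct("!HBBI")   # zero, key id, auth data length, cryptographic sequence number
AUTH_NULL, AUTH_CRYPTO = 0, 2
HELLO = 1
HDR_LEN = OSPF_HDR.size + CRYPTO_AUTH.size   # 24-byte OSPF header including the Authentication field


def build_hello(router_id, area_id, body, key_id=None, seq=0, key=None):
    """Constructed Hello packet; with a key, the Appendix D keyed-MD5 digest is appended."""
    length = HDR_LEN + len(body)
    if key is None:
        # Unauthenticated: AuType 0 and an empty Authentication field (checksum left zero here).
        return OSPF_HDR.pack(2, HELLO, length, router_id, area_id, 0, AUTH_NULL) + bytes(8) + body
    header = OSPF_HDR.pack(2, HELLO, length, router_id, area_id, 0, AUTH_CRYPTO)
    packet = header + CRYPTO_AUTH.pack(0, key_id, 16, seq) + body
    # RFC 2328 D.4.3: MD5 over the packet with the key (zero-padded to 16 bytes) appended;
    # the 16-byte digest trails the packet and is not counted in the length field.
    return packet + hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


class Interface:
    """Hypothetical stand-in for a router's per-interface OSPF state (assumption)."""

    def __init__(self, autype, keys):
        self.autype = autype      # AuType the operator configured on this interface
        self.keys = keys          # key id -> shared key bytes
        self.last_seq = {}        # neighbour router id -> last accepted sequence number

    def accept(self, packet):
        """Return (accepted, reason) for a received OSPF packet."""
        _ver, _type, length, rid, _area, _csum, autype = OSPF_HDR.unpack_from(packet)
        if autype != self.autype:
            # A neighbour with a different AuType never forms an adjacency: this is what
            # catches the mis-patched circuit or the interface that should have been passive.
            return False, "AuType mismatch"
        if self.autype == AUTH_NULL:
            return True, "no authentication configured"
        _zero, key_id, auth_len, seq = CRYPTO_AUTH.unpack_from(packet, OSPF_HDR.size)
        if auth_len != 16 or key_id not in self.keys:
            return False, "unknown key id"
        body, digest = packet[:length], packet[length:length + 16]
        expected = hashlib.md5(body + self.keys[key_id].ljust(16, b"\x00")).digest()
        if not hmac.compare_digest(digest, expected):
            return False, "bad digest"
        # Appendix D sequence check: drop if older than the last accepted value. Equal is
        # allowed by the RFC, so a replay of the most recent packet still gets through.
        if seq < self.last_seq.get(rid, 0):
            return False, "stale sequence number"
        self.last_seq[rid] = seq
        return True, "authenticated"


if __name__ == "__main__":
    key = b"s3cret"                      # constructed shared key
    core = Interface(AUTH_CRYPTO, {1: key})
    body = bytes(20)                     # constructed, zeroed Hello body
    print(core.accept(build_hello(0x0A000001, 0, body, key_id=1, seq=100, key=key)))
    print(core.accept(build_hello(0x0A000001, 0, body, key_id=1, seq=99, key=key)))   # replayed, older
    print(core.accept(build_hello(0x0A000002, 0, body)))                             # unauthenticated neighbour
```

The same unauthenticated Hello that the MD5-protected interface rejects is accepted without question by an `Interface(AUTH_NULL, {})`, which is the "forgot to make it passive" case the thread describes.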