[130301] in North American Network Operators' Group

Re: Using crypto auth for detecting corrupted IGP packets?

daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Oct 1 00:24:08 2010

In-Reply-To: <E3FE0ACF-F996-42E0-8F3B-5D3EDBE21902@tcb.net>
From: Jared Mauch <jared@puck.nether.net>
Date: Fri, 1 Oct 2010 00:25:34 -0400
To: Danny McPherson <danny@tcb.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Sent from my iThing

On Oct 1, 2010, at 12:16 AM, Danny McPherson <danny@tcb.net> wrote:

>
> On Sep 30, 2010, at 11:34 PM, Manav Bhatia wrote:
>>
>> I would be interested in knowing if operators use the cryptographic
>> authentication for detecting the errors that I just described above.
>
> Additionally, one might venture to understand the effects of such mechanisms and
> why knobs such as IS-IS's "ignore-lsp-errors" were added ~15 years ago.  LSP
> corruption storms driven by receivers that purge corrupted LSPs and originators that
> re-originate and flood on receipt of said purged LSPs are very problematic and
> otherwise difficult to identify in practice.
>
> Coincidentally, it's also why logging LSPs that trigger such errors is important, whether
> you ignore them or propagate them.

I really wish there was a good way to (generically) keep a 4-6 hour buffer of all control-plane traffic on devices. While you can do that with some, the forensic value is immense when you have a problem.

- Jared
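
An added example, not part of either poster's message: one way to spot the corrupt-LSP / re-originate cycle described above from logged LSP errors. The event format, LSP IDs, window and threshold are constructed assumptions, not any vendor's log format.

```python
from collections import defaultdict, deque

A = "1921.6800.1001.00-00"   # constructed LSP IDs
B = "1921.6800.2002.00-00"

# Constructed sample events: (seconds, event, lsp_id, sequence_number).
# CKSUM_ERR   = a receiver logged a corrupted copy of the LSP
# REORIGINATE = the originator issued the LSP again
EVENTS = [
    (0, "CKSUM_ERR", A, 0x100), (2, "REORIGINATE", A, 0x101),
    (5, "CKSUM_ERR", B, 0x20), (7, "REORIGINATE", B, 0x21),
    (12, "CKSUM_ERR", A, 0x101), (14, "REORIGINATE", A, 0x102),
    (25, "CKSUM_ERR", A, 0x102), (27, "REORIGINATE", A, 0x103),
    (40, "CKSUM_ERR", A, 0x103), (42, "REORIGINATE", A, 0x104),
    (900, "REORIGINATE", B, 0x22),   # routine refresh, no error before it
]


def find_storms(events, window=60, threshold=3):
    """Return {lsp_id: peak_cycles} for LSPs that completed at least
    `threshold` error -> re-originate cycles within `window` seconds."""
    pending = {}                  # lsp_id -> time of an unanswered error
    last_seq = {}                 # lsp_id -> highest sequence number seen
    cycles = defaultdict(deque)   # lsp_id -> times of completed cycles
    storms = {}
    for ts, kind, lsp_id, seq in sorted(events):
        if kind == "CKSUM_ERR":
            pending[lsp_id] = ts
        elif kind == "REORIGINATE":
            bumped = seq > last_seq.get(lsp_id, -1)
            last_seq[lsp_id] = max(seq, last_seq.get(lsp_id, -1))
            # Only a re-origination that answers a logged error counts.
            if bumped and lsp_id in pending:
                del pending[lsp_id]
                recent = cycles[lsp_id]
                recent.append(ts)
                while ts - recent[0] > window:   # slide the window
                    recent.popleft()
                if len(recent) >= threshold:
                    storms[lsp_id] = max(storms.get(lsp_id, 0), len(recent))
    return storms


if __name__ == "__main__":
    for lsp_id, count in find_storms(EVENTS).items():
        print(f"possible LSP corruption storm: {lsp_id} ({count} cycles)")
```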