[184856] in North American Network Operators' Group
Re: IGP choice
daemon@ATHENA.MIT.EDU (Mark Tinka)
Fri Oct 23 04:54:51 2015
To: Saku Ytti <saku@ytti.fi>
From: Mark Tinka <mark.tinka@seacom.mu>
Date: Fri, 23 Oct 2015 10:54:43 +0200
Cc: "nanog@nanog.org" <nanog@nanog.org>
On 23/Oct/15 10:48, Saku Ytti wrote:
> I believe this is because you need 802.3 (as opposed to EthernetII)
> and a rudimentary CLNS implementation, both of which are very annoying
> from a programmer's point of view.
I'm not really sure what the hold-up is, but I know Mikael, together
with the good folks at netDEF (Martin and Alistair) are working hard on
fixing these issues. While I have not had much time to provide them with
feedback on their progress, it is high on my agenda - not to mention
funding support for them will only help the cause.
> I hope ISIS would migrate to EthernetII and IP. From a security point of
> view, people often state how it's better that it's not IP, but in
> reality, how many have verified the flip side of this proposal, how
> easy it is to protect yourself from an ISIS attack from a connected host?
> For some platforms the answer is, there is absolutely no way, and any
> connected host can bring you down with a trivial amount of data.
Well, on the basis that an attack is made easier if you are running
IS-IS on a vulnerable interface, in theory, an attack would be highly
difficult if a vulnerable interface were not running IS-IS to begin with.
But I do not have any empirical data on any attempts to attack IS-IS,
successfully or otherwise. So your guess is as good as mine.
Mark.