[192688] in North American Network Operators' Group


Re: OSPF vs ISIS - Which do you prefer & why?

daemon@ATHENA.MIT.EDU (Baldur Norddahl)
Sat Nov 12 09:07:55 2016

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Baldur Norddahl <baldur.norddahl@gmail.com>
Date: Sat, 12 Nov 2016 15:07:46 +0100
In-Reply-To: <e8278d0e-a129-417a-8b2b-07225ee5d657@seacom.mu>
Errors-To: nanog-bounces@nanog.org



On 11/11/2016 at 11:20, Mark Tinka wrote:
>
>
> On 11/Nov/16 12:07, Baldur Norddahl wrote:
>
>> No filters. There are just no routes that will take a network packet that
>> arrives on an interface in VRF internet and move it to an interface in VRF
>> default without adding a MPLS header to mark the VRF. With the MPLS header
>> the packet type is no longer IPv4 but MPLS.
>>
>> Therefore there is no way you from the internet or from a customer link can
>> even attempt to inject packets that would be received by the OSPF process.
>> Since we use 10.0.0.0/8 and our vrf internet has no such route, you would
>> just get no route to host if you tried.
>
> Good for you.
>
> We don't run the whole "Internet in a VRF" architecture (too many 
> moving parts), so not having our IGP being exposed to IP helps :-).

Internet in a VRF just works and it is not at all complicated. I will 
recommend it for anyone who has the equipment that can do it. I do 
realise that not everyone can do this however.

I have not studied OSPFv3 in detail but it appears that only IPv6 link 
local addresses are used. Since those cannot be routed, I do not think 
OSPFv3 exposes anything to the Internet. I would probably go with OSPFv3 
if I had to configure a network without VRF support.

If I was coding an OSPFv3 daemon I would make it bind only to link local 
addresses on interfaces, which will guarantee that no traffic is 
received from outsiders.

Regards,

Baldur
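
The receive-side rule suggested in the message above (only talk OSPFv3 over link-local addresses), written out as an added example; it is not part of the original post and not taken from any real OSPFv3 daemon. The function name, the reason strings and the sample packets are constructed for illustration, and the check assumes ordinary interfaces only: OSPFv3 virtual links do not use link-local source addresses and are not handled here.

```python
import ipaddress

# Well-known OSPFv3 link-scope multicast groups (RFC 5340).
ALL_SPF_ROUTERS = ipaddress.IPv6Address("ff02::5")
ALL_D_ROUTERS = ipaddress.IPv6Address("ff02::6")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def accept_ospfv3(src, dst, local_ll):
    """Decide whether a received OSPFv3 packet should reach the protocol code.

    src, dst -- addresses from the IPv6 header, as strings
    local_ll -- the receiving interface's own link-local address
    Returns (accepted, reason).
    """
    try:
        s = ipaddress.IPv6Address(src)
        d = ipaddress.IPv6Address(dst)
    except ipaddress.AddressValueError:
        return False, "not an IPv6 address"
    local = ipaddress.IPv6Address(local_ll)

    # A routed (off-link) sender cannot have a link-local source address.
    if s not in LINK_LOCAL:
        return False, "source is not link-local"
    if s == local:
        return False, "source is our own address"
    # Accept only link-scope destinations: the two OSPFv3 groups, or unicast
    # to the link-local address this interface is bound to.
    if d in (ALL_SPF_ROUTERS, ALL_D_ROUTERS):
        return True, "link-scope multicast"
    if d == local:
        return True, "unicast to our link-local address"
    return False, "destination is not a link-scope OSPFv3 address"


# Constructed sample packets: (source, destination) as seen on one interface.
SAMPLES = [
    ("fe80::2", "ff02::5"),        # neighbour hello
    ("fe80::2", "fe80::1"),        # unicast from neighbour
    ("2001:db8::66", "ff02::5"),   # global source
    ("fe80::2", "2001:db8::1"),    # sent to our global address
    ("10.0.0.1", "ff02::5"),       # not IPv6 at all
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(src, "->", dst, accept_ospfv3(src, dst, "fe80::1"))
```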
