[29988] in North American Network Operators' Group
Re: IS-IS authentication
daemon@ATHENA.MIT.EDU (Danny McPherson)
Wed Jul 12 12:36:23 2000
Message-Id: <200007121635.KAA09667@tcb.net>
To: nanog@merit.edu
From: Danny McPherson <danny@tcb.net>
Reply-To: danny@tcb.net
Date: Wed, 12 Jul 2000 10:35:10 -0600
Errors-To: owner-nanog-outgoing@merit.edu
> The deployed form of IS-IS uses CLNP not IP for transmission,
> making it less vulnerable to inter-domain attacks -- provided
> that there is no inter-domain CLNP connectivity (generally
> true, but not always true). IS-IS is not particularly any
> less vulnerable from intra-domain attacks.

Actually, IS-IS runs directly over the link layer; it
doesn't employ CLNP or IP (unless you're using some
tunneling hack such as IS-IS over GRE, but...).
As for intra-domain CLNP packet forwarding, though a
few networks had supported this for a while, fewer (do
any?) ISPs do it today, and most new IS-IS-supporting
routers don't provide capability for anything other
than IP packet forwarding. As for inter-domain CLNP
-- ha :-)

> Hence, the IETF IS-IS WG has a draft proposal for adding OSPF-like
> MD5 authentication into IS-IS. The addition of MD5 authentication
> into IS-IS specifications was driven by some large Tier-1 ISPs
> who happen to use IS-IS internally and felt there was significant
> risk without it.

Oh, I certainly agree that it's useful, though IS-IS is clearly
not as vulnerable as IP-based protocols.

-danny
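As an added example, not from the post or the IS-IS WG draft it mentions: signing and verifying the HMAC-MD5 authentication TLV on an IS-IS LSP, with the TLV codes and the rule that the digest, Remaining Lifetime and Checksum fields are zeroed before hashing taken from the later RFC 5304 (assumed; not cited on this page). The header offsets, key and sample LSP are constructed for illustration.

```python
import hmac
import hashlib

# Assumed codes as later standardized in RFC 5304 (the post cites only the draft):
# Authentication TLV type 10, authentication type 54 = HMAC-MD5, 16-byte digest.
AUTH_TLV_TYPE, AUTH_TYPE_HMAC_MD5, DIGEST_LEN = 10, 54, 16
# Assumed ISO 10589 LSP fixed-header offsets (6-byte system ID): remaining
# lifetime at byte 10, checksum at byte 24, TLVs from byte 27.
LIFETIME_OFF, CHECKSUM_OFF, TLV_OFF = 10, 24, 27

def find_digest(pdu: bytes):
    """Offset of the digest inside the HMAC-MD5 Authentication TLV, else None."""
    i = TLV_OFF
    while i + 2 <= len(pdu):
        t, l = pdu[i], pdu[i + 1]
        if i + 2 + l > len(pdu):
            return None  # truncated TLV area: treat as malformed
        if t == AUTH_TLV_TYPE and l == 1 + DIGEST_LEN and pdu[i + 2] == AUTH_TYPE_HMAC_MD5:
            return i + 3
        i += 2 + l
    return None

def lsp_mac(pdu: bytes, key: bytes, digest_off: int) -> bytes:
    """HMAC-MD5 over the whole PDU with digest, lifetime and checksum zeroed."""
    buf = bytearray(pdu)
    buf[digest_off:digest_off + DIGEST_LEN] = bytes(DIGEST_LEN)
    buf[LIFETIME_OFF:LIFETIME_OFF + 2] = bytes(2)   # decremented hop by hop
    buf[CHECKSUM_OFF:CHECKSUM_OFF + 2] = bytes(2)   # recomputed after signing
    return hmac.new(key, bytes(buf), hashlib.md5).digest()

def sign_lsp(pdu: bytes, key: bytes) -> bytes:
    off = find_digest(pdu)
    if off is None:
        raise ValueError("LSP carries no HMAC-MD5 authentication TLV")
    return pdu[:off] + lsp_mac(pdu, key, off) + pdu[off + DIGEST_LEN:]

def verify_lsp(pdu: bytes, key: bytes) -> bool:
    """Receiver check: an LSP without a valid TLV is rejected, not accepted."""
    off = find_digest(pdu)
    return off is not None and hmac.compare_digest(
        pdu[off:off + DIGEST_LEN], lsp_mac(pdu, key, off))

def build_sample_lsp() -> bytes:
    """Constructed L2 LSP (PDU type 20) with a zero digest for sign_lsp to fill."""
    tlv = bytes([AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_TYPE_HMAC_MD5]) + bytes(DIGEST_LEN)
    hdr = bytes([0x83, 27, 1, 0, 20, 1, 0, 0])                              # common header
    hdr += (27 + len(tlv)).to_bytes(2, "big") + (1200).to_bytes(2, "big")   # PDU length, lifetime
    hdr += bytes.fromhex("0000000000010000")                                # LSP ID
    hdr += (1).to_bytes(4, "big") + bytes(2) + b"\x03"                      # seq, checksum, flags
    return hdr + tlv
```

A lifetime decrement in transit leaves the digest valid, while any change to the sequence number or TLVs, or a missing or truncated TLV, fails verification.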