[88143] in North American Network Operators' Group
Re: Security inside AS
daemon@ATHENA.MIT.EDU (Glen Kent)
Sun Jan 22 23:23:46 2006
Date: Mon, 23 Jan 2006 09:53:13 +0530
From: Glen Kent <glen.kent@gmail.com>
To: NANOG list <nanog@merit.edu>
In-Reply-To: <4.3.2.7.2.20060120092528.03cc0e28@email.cisco.com>
Errors-To: owner-nanog@merit.edu
Yes - we do for IBGP, IS-IS, OSPF (where relevant), also LDP,
HSRP, and anything else that offers the feature (even cleartext).
It proves a useful guard against misconfiguration, as well as
preventing certain security issues.
--
> Just one more question. What kind of misconfiguration issues does using
> passwords/authentication solve/prevent?
>
> In IS-IS there is no anti-replay support. Have you heard of
> anyone facing replay attacks in IS-IS, or any other protocol for that
> matter?
It stops you bringing up adjacencies where the link/circuit has been
mis-patched/mis-provisioned - at turn up time and once in service.
We once had a supplier screw up an in-service core OC-3 such that it came
up connected inside another ISP's core (!) - ppp auth would have helped
here too, though it was HDLC at the time.
I'm not too worried about IS-IS replay - it's much harder to get the
nasty traffic into the core, than with IP.
--
We do IGP routing protocol authentication on every LAN/MAN/WAN in the
105 offices I am responsible for. But we are a customer, not an
external public ISP.
--
> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
Yes, esp. for OSPF as it can be attacked from off-link.
--
Glen,
You mean: are there ISPs who don't?
I would like to protect my infra from easy mistakes like forgetting to
make an interface passive and accidentally connecting my IGP to a
customer's.
So: md5 it is. :)
--
> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
Yes, we do. Approx 500 IGP-speaking devices and OSPF.
--
> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
Yes, I know of several providers who do this.
--
> But do we really have service providers who enable authentication
> (MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?
>
Yes, I've always used MD5 with OSPF and I've even been paranoid
enough to filter routing protocols at my network edges.
Cheers,
Glen
--
> Glen,
>
> Good question! I'm also trying to figure out how much this is used internally. Could you send a summary to the list (or privately)?
>
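Added illustration (not part of the thread or of any vendor's code): the OSPF MD5 authentication trailer that the replies above refer to, built and verified the way RFC 2328 Appendix D describes it, with the cryptographic sequence number check that gives OSPF the replay guard the thread notes IS-IS authentication lacks. Every router ID, area, key and Hello field below is a constructed value for the example.

```python
import hashlib
import hmac
import struct

# Added example of OSPFv2 cryptographic authentication (RFC 2328, Appendix D).
# All values are constructed for illustration; nothing here comes from the
# thread or from a real router.

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_TYPE_CRYPTO = 2            # AuType 2 = cryptographic (MD5) authentication
AUTH_DATA_LEN = 16              # length of the MD5 digest appended to the packet
HEADER_FMT = "!BBH4s4sHHHBBI"   # 24-byte OSPF header with the auth field expanded
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pad_key(key: bytes) -> bytes:
    """RFC 2328 D.4.3: the shared key is zero-padded (or truncated) to 16 octets."""
    return key[:16].ljust(16, b"\x00")


def build_hello(router_id: bytes, area_id: bytes, key_id: int,
                seq: int, key: bytes) -> bytes:
    """Return an authenticated OSPF Hello: header + body + 16-byte MD5 digest."""
    # Constructed Hello body: mask, hello interval, options, priority,
    # dead interval, DR, BDR (no neighbours listed).
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1,
                       40, b"\x00" * 4, b"\x00" * 4)
    length = HEADER_LEN + len(body)     # the digest is NOT counted in Length
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, length,
                         router_id, area_id,
                         0,                  # checksum is zero under AuType 2
                         AUTH_TYPE_CRYPTO,
                         0, key_id, AUTH_DATA_LEN, seq)
    packet = header + body
    # Digest is MD5 over the packet followed by the padded key (no IP header).
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify_hello(wire: bytes, key: bytes, last_seq: int):
    """Check the digest and the crypto sequence number.

    Returns (ok, reason, seq_to_remember).
    """
    if len(wire) < HEADER_LEN:
        return False, "truncated header", last_seq
    (_ver, _typ, length, _rid, _aid, _cksum, autype,
     _zero, _key_id, auth_len, seq) = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if autype != AUTH_TYPE_CRYPTO or auth_len != AUTH_DATA_LEN:
        return False, "not cryptographic authentication", last_seq
    if len(wire) < length + AUTH_DATA_LEN:
        return False, "missing digest", last_seq
    packet, digest = wire[:length], wire[length:length + AUTH_DATA_LEN]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(digest, expected):
        return False, "bad digest", last_seq
    # Replay guard (RFC 2328 D.4.2): accept a sequence number greater than or
    # equal to the last one seen from this neighbour, drop anything older.
    if seq < last_seq:
        return False, "replayed sequence number", last_seq
    return True, "ok", seq


def demo() -> dict:
    """Exercise the four cases a receiver cares about; constructed inputs."""
    key = b"constructed-key"
    router_id = bytes([10, 0, 0, 1])
    area_id = b"\x00" * 4
    good = build_hello(router_id, area_id, 1, 100, key)
    # Flip one bit in the Hello body (byte 30 is the options field).
    tampered = good[:30] + bytes([good[30] ^ 0x01]) + good[31:]
    return {
        "good": verify_hello(good, key, 0)[0],
        "wrong_key": verify_hello(good, b"other-key", 0)[0],
        "tampered": verify_hello(tampered, key, 0)[0],
        "replayed": verify_hello(good, key, 101)[0],   # older than last seen
    }


if __name__ == "__main__":
    print(demo())
```

The "wrong_key" case is the misconfiguration guard the replies describe: a neighbour on a mis-patched circuit, or a customer device reached through a non-passive interface, has a different key (or none), so its Hellos fail the digest and no adjacency forms. The "replayed" case is the check that plain MD5 authentication on IS-IS does not provide.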