The MPLS WG Archive

[Isis-wg] Question on DCC Architecture
> >> Not true - there are BIG security advantages to not having is-is over ip.
> >> It rules out a huge class of spoofing attacks to which OSPF is
> >> vulnerable.
> >
> > last I checked nobody saw them
>
> i assure you that the ops community, at least the wiser part of it, sees
> them.

I didn't argue that they don't _exist_, I argued that I didn't hear of many incidents where ISP OSPF backbones were the target of such attacks (contrary to some fancy BGP TCP attacks ;-) And if such attacks are being performed and I'm unaware of those, doing things like dropping OSPF packets with TTL>1 (with necessary exceptions) is a fairly trivial fix on the fast-path for many vendors.

> > And even if, running proper security in your routing protocol is a pretty
> > good answer to that ...
>
> except the beast does not exist. md5 sigs are not considered strong.

about 1 1/2 years ago there was some wind that some guy came close to cracking MD5 with serious computing power, but it didn't happen as far as I heard.

I get the impression that we're arguing here for the sake of the argument now and not the technical content anymore, so that's my last e-mail on this thread.

BTW, Randy and others, pls subscribe to the isis-wg list if you keep posting to it, otherwise it's quite a pain to let e-mails of non-subscribers in since we're running it moderated (which is a very good solution, thanks to Juniper hosting it ;-)

-- tony