On (2012-11-26 14:55 +0530), Iftekhar Ahmad khan wrote: > Please help to understand this > > IS-IS can never be *routed beyond the immediate next hop *and hence > shielded from IP spoofing and similar Denial of Service attacks.
What they mean is, ISIS is not riding on top of IP, so you cannot use any IP based attacks on it. It is however using CLNS which is perfectly routable, even globally, but usually you're using private scope addresses and not having any network interconnects with it. Today ISIS actually is typically less secure than OSPF as in most platforms OSPF can be protected by control-plane protection while ISIS cannot. I've personally only taken close look at 7600/PFC3 and MX/Trio where this is true, but I expect this to be true on most platforms, except maybe ASR9k/CRS. -- ++ytti _______________________________________________ cisco-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
