Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-29 Thread adamv0025
> From: Saku Ytti [mailto:s...@ytti.fi] > Sent: Tuesday, May 23, 2017 11:16 AM > > On 23 May 2017 at 13:06, wrote: > > > Router listening for all IS m-cast MAC addresses on all interfaces rather > than solely on interfaces actually configured with ISIS seems like

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-29 Thread adamv0025
> Saku Ytti [mailto:s...@ytti.fi] > Sent: Friday, May 26, 2017 2:48 PM > > On 26 May 2017 at 14:44, wrote: > > Hey, > > > Regarding OSPF unless you are using virtual-links or sham-links, then > > all messages are bound to a directly connected subnet so you can >

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-26 Thread Saku Ytti
On 26 May 2017 at 14:44, wrote: Hey, > Regarding OSPF unless you are using virtual-links or sham-links, then all > messages are bound to a directly connected subnet so you can safely > implement the ttl check with 254 (one hop). This is implementation specific

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-26 Thread adamv0025
.@ytti.fi <mailto:s...@ytti.fi> > Sent: Tuesday, 23 May 2017 7:10 PM To: adamv0...@netconsultings.com <mailto:adamv0...@netconsultings.com> Cc: CiscoNSP List; cisco-nsp@puck.nether.net <mailto:cisco-nsp@puck.nether.net> Subject: Re: [c-nsp] Best practise/security design for BG

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-25 Thread Saku Ytti
On 25 May 2017 at 14:28, CiscoNSP List wrote: > Thanks very much Saku - I've googled, but not found anything confirming...but > ttl sec check under ospf, would it cause any issues with rLFA/FRR...i.e > dynamic creation of tunnels? No. rLFA is about having visibility

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-25 Thread CiscoNSP List
:23 PM To: CiscoNSP List Cc: adamv0...@netconsultings.com; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Best practise/security design for BGP and OSPF On 25 May 2017 at 05:25, CiscoNSP List <cisconsp_l...@hotmail.com> wrote: Hey, > but not XE? Regarding TTL(In both OSPF and BGP)..

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-25 Thread Saku Ytti
On 25 May 2017 at 05:25, CiscoNSP List wrote: Hey, > but not XE? Regarding TTL(In both OSPF and BGP)hop count can be > arbitrary, if we encounter a link failure...do we just use worse case In iBGP yes, in eBGP and OSPF usually no. Typical design guarantees

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-24 Thread CiscoNSP List
Tuesday, 23 May 2017 7:10 PM To: adamv0...@netconsultings.com Cc: CiscoNSP List; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Best practise/security design for BGP and OSPF On 23 May 2017 at 12:00, <adamv0...@netconsultings.com> wrote: Hey, > Regarding OSPF, > Best security is to u

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-23 Thread Saku Ytti
On 23 May 2017 at 13:06, wrote: > Router listening for all IS m-cast MAC addresses on all interfaces rather > than solely on interfaces actually configured with ISIS seems like a bug. Not all HW support per-port punt-masks. So if you have to punt ISIS frames on

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-23 Thread adamv0025
> Saku Ytti [mailto:s...@ytti.fi] > Sent: Tuesday, May 23, 2017 10:11 AM > > On 23 May 2017 at 12:00, wrote: > > Hey, > > > Regarding OSPF, > > Best security is to use it solely for routing PE loopbacks (i.e. no > > connectivity outside the core). > > But

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-23 Thread Saku Ytti
On 23 May 2017 at 12:00, wrote: Hey, > Regarding OSPF, > Best security is to use it solely for routing PE loopbacks (i.e. no > connectivity outside the core). But because it's IP, you might receive spoofed packet further down the line and believe you received it

Re: [c-nsp] Best practise/security design for BGP and OSPF

2017-05-23 Thread adamv0025
> CiscoNSP List > Sent: Tuesday, May 23, 2017 7:45 AM > > Hi Everyone, > > Just doing a bit of a refresh of our current bgp+ospf templates to ensure > they are in line with today's "best practise" > > (I have googled this, but majority of the examples are from circa 2012 or > earlier so hoping

[c-nsp] Best practise/security design for BGP and OSPF

2017-05-23 Thread CiscoNSP List
Hi Everyone, Just doing a bit of a refresh of our current bgp+ospf templates to ensure they are in line with today's "best practise" (I have googled this, but majority of the examples are from circa 2012 or earlier so hoping someone can provide some feedback :) Current BGP (We use RR's with