Re: IGP protocol

2018-11-18 Thread Saku Ytti
On Sun, 18 Nov 2018 at 21:07, Grant Taylor via NANOG wrote: > Is it not possible to protect (just) the eBGP with IPsec? Not on all gear SPs are deploying. But people are doing this. > I would think that IPsec would provide the desired protection and that > tuning filters to the proper ports would

Re: IGP protocol

2018-11-18 Thread Grant Taylor via NANOG
Warning: n00b level question, ignore at your own discretion. On 11/18/18 3:59 AM, Saku Ytti wrote: > Not arguing that MacSec isn't a superior feature, it's just the cost of MacSec is non-trivial compared to the cost of HMAC-MD5, and it seems HMAC-MD5 for certain attacks is a strong guarantee. Ideally we'd

Re: IGP protocol

2018-11-18 Thread Saku Ytti
On Sun, 18 Nov 2018 at 17:35, Mark Tinka wrote: > I've found my fair share of IS-IS bugs since I began using it back in 2007 > (when SRC ruled the roost on 7200/7600). What matters is that stuff gets > fixed. In 7600 it is simply not possible because of a hardware limitation. I'd be surprised

Re: IGP protocol

2018-11-18 Thread Mark Tinka
On 18/Nov/18 13:13, Nick Hilliard wrote: > one of the few uses for tcp/md5 protection on bgp sessions can be > found at IXPs where if you have a participant leaving the fabric, > there will often be leftover bgp sessions configured on other routers > on the exchange. Pre-configuring

Re: IGP protocol

2018-11-18 Thread Mark Tinka
On 18/Nov/18 11:58, Saku Ytti wrote: > Should. OSPF you can protect in edge with ACL. In ISIS you hope it's > protected. > > 7600 punts it in every interface, if one interface speaks ISIS, > because it doesn't have per-interface punt masks. > > MX: > 2012-10-18 0002096778/2012-1018-0446

Re: IGP protocol

2018-11-18 Thread Nick Hilliard
Saku Ytti wrote on 18/11/2018 10:59: > AFAIK there are no known attacks against HMAC-MD5. eBGP I don't care about. But for iBGP I consider this a problem: one of the few uses for tcp/md5 protection on bgp sessions can be found at IXPs where if you have a participant leaving the fabric, there

Re: IGP protocol

2018-11-18 Thread Saku Ytti
On Sun, 18 Nov 2018 at 12:15, Alfie Pates wrote: > There's a school of thought which suggests MD5 security on single-hop BGP is > absolute theatre with no security benefit and that MACsec is the route you > should be taking. AFAIK there are no known attacks against HMAC-MD5. eBGP I don't care

Re: IGP protocol

2018-11-18 Thread Alfie Pates
> or MacSec There's a school of thought which suggests MD5 security on single-hop BGP is absolute theatre with no security benefit and that MACsec is the route you should be taking. ~ a

Re: IGP protocol

2018-11-18 Thread Saku Ytti
On Sun, 18 Nov 2018 at 11:15, Mark Tinka wrote: > Yes, IS-IS is designed to speak to connected hosts, but will only do so if > you enable IS-IS on the interface facing that host. > The scope of the exposure, while present, is limited to the radius between > your device and the connected host,

Re: IGP protocol

2018-11-18 Thread Mark Tinka
On 16/Nov/18 15:04, Victor Kuarsingh wrote: > 3. Based on your vendor preference / selection, how well does each > fare on your platform of choice? (Most major vendors do a good job on > both, but there are considerations) IS-IS is notoriously bad in Quagga. I met with some of the

Re: IGP protocol

2018-11-18 Thread Mark Tinka
On 14/Nov/18 02:24, im wrote: > Thanks to all for letting me know. > > I have been operating an OSPF/iBGP backbone for 10+ years, now my brain has > become entrenched in OSPF. > Now, I am beginning to learn IS-IS for more knowledge. More power to you :-). Mark.

Re: IGP protocol

2018-11-18 Thread Mark Tinka
On 13/Nov/18 17:30, Saku Ytti wrote: > Do you know connected host can't talk ISIS to you? > > ISIS is false security. In modern platforms OSPF almost always can be > protected (iACL), ISIS in many times cannot. I'd run MD5 in either > case. Yes, IS-IS is designed to speak to connected hosts,