Hello Manav,
First I will have to ask this question:
Do you think service providers ever use keyed authentication
(either 5304 or SHA family 5310)? Why?
Uma
Hi,
We had considered adding support for replay protection when doing RFC 5310.
The reason it was rejected was because we didn't think such an attack was really
possible since (i) the attacker has to be on a direct link and (ii) ISIS is
generally run in the service provider "core" router (you don't ever find it as a
PE-CE protocol). So, I would first like to understand if something has changed
between then and now to prompt a need for such a mechanism.
OSPF is a different beast since OSPF packets can be launched from a site
multiple hops away as they ride over IP - and adding mechanisms to prevent OSPF
replays becomes significant. I would like to understand the motivation
here.
Cheers, Manav
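To make concrete the distinction drawn above between keyed authentication and replay protection, here is an added illustration; it is not from the thread and is not an IS-IS or OSPF implementation. It uses a toy message format with HMAC-SHA-256 keyed authentication and checks the same captured message twice: once with keyed authentication alone, which accepts the replay, and once with a per-neighbor monotonically increasing sequence number covered by the HMAC, which rejects it. The shared key, the byte layout and the NeighborState class are all constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed values for the example (not taken from the thread or any RFC).
SHARED_KEY = b"example-shared-secret"
SEQ_LEN = 4
TAG_LEN = hashlib.sha256().digest_size


def build_message(seq: int, payload: bytes, key: bytes) -> bytes:
    """Message = 32-bit sequence number || payload || HMAC-SHA-256 over both.

    Because the HMAC covers the sequence number, a party without the key
    cannot take a captured message and bump its counter to look fresh.
    """
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_keyed_only(msg: bytes, key: bytes) -> bool:
    """Keyed authentication by itself: proves integrity and key possession,
    but accepts the identical bytes any number of times."""
    if len(msg) < SEQ_LEN + TAG_LEN:
        return False
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


class NeighborState:
    """Per-neighbor receive state: highest sequence number accepted so far."""

    def __init__(self) -> None:
        self.last_seq = -1  # nothing accepted yet

    def accept(self, msg: bytes, key: bytes) -> bool:
        """Accept only an authentic message whose sequence number is strictly
        greater than the last one accepted from this neighbor. A replayed
        message fails here even though its HMAC is still valid."""
        if not verify_keyed_only(msg, key):
            return False
        (seq,) = struct.unpack("!I", msg[:SEQ_LEN])
        if seq <= self.last_seq:
            return False
        self.last_seq = seq
        return True


def demo() -> dict:
    """Deliver two legitimate messages, then replay the first one."""
    neighbor = NeighborState()
    m1 = build_message(1, b"hello seq1", SHARED_KEY)
    m2 = build_message(2, b"hello seq2", SHARED_KEY)
    results = {
        "first_keyed_only": verify_keyed_only(m1, SHARED_KEY),
        "first_with_seq": neighbor.accept(m1, SHARED_KEY),
        "second_with_seq": neighbor.accept(m2, SHARED_KEY),
        # The captured m1 still carries a valid HMAC ...
        "replay_keyed_only": verify_keyed_only(m1, SHARED_KEY),
        # ... but its sequence number is now stale.
        "replay_with_seq": neighbor.accept(m1, SHARED_KEY),
    }
    # A message built with a fresh counter but the wrong key is rejected too.
    forged = build_message(99, b"forged", b"wrong-key")
    results["forged_with_seq"] = neighbor.accept(forged, SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The receive-side state is the cost: each router has to keep a counter per neighbor, and the sender's counter must survive restarts (or the receiver must have a way to resynchronize), otherwise the receiver rejects everything after a reboot. That bookkeeping is what the thread is weighing against an attack that, for a link-local protocol, requires the attacker to already be on the link.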
_______________________________________________
Isis-wg mailing list
Isis-wg@...
https://www.ietf.org/mailman/listinfo/isis-wg