
Re: draft-chunduri-isis-extended-sequence-no-tlv-00

by Uma Chunduri


[CC'ed KARP too]

Hi Manav,
 
For your question as indicated in KARP WG yesterday, we have added the applicability statement in the '01' version of the draft (presented in ISIS WG).
Please let us know if you have any further comments.

--
Uma C.

 


From: isis-wg-bounces@... [mailto:isis-wg-bounces@...] On Behalf Of Naiming Shen
Sent: Friday, October 28, 2011 2:10 PM
To: Manav Bhatia
Cc: isis
Subject: Re: [Isis-wg] draft-chunduri-isis-extended-sequence-no-tlv-00


Hi Manav,

I agree with Uma that if operators are concerned enough to put authentication in place to prevent
hackers from injecting their own ISIS packets, and also to the point that they are worried HMAC-MD5
might not be enough, or might even be cracked, then they should definitely worry about replay,
since the hackers don't even need to forge their own packets in order to cause disruption.

I did a quick Google search; actually there are many discussions online about the issues
related to ISIS in PE-CE, so it's probably not as rare as "don't ever find".

Good question on what has been changed for ISIS in recent years. One major thing,
the Data Center, the Cloud.

ISIS packets are no longer, as 15 years ago, running only over a few tier-1 ISPs' backbones;
I'm sure you have been involved in introducing layer 2, TRILL, OTV, etc. into the ISIS protocol.
ISIS is currently running in some of the data centers ALREADY. On the same rack, the switch
which runs ISIS may connect to all kinds of server blades belonging to different admin domains.
If hackers often break into those servers to steal credit card numbers, SSNs, files, or
change webpage content to make statements, we probably don't want to insist that they have
no way to reach the switches just a few inches above their servers, both virtually and
physically.

We have seen how devastating it is when a data center network is hosed. Take the recent examples
of Amazon's cloud and RIM's network: I'm not saying those are security-related cases, but
it's probably not too hard to imagine what can bring some companies down or generate
good WSJ stories these days in today's cyber space.

thanks.
- Naiming

On Oct 27, 2011, at 5:18 PM, Manav Bhatia wrote:

Hi,

We had considered adding support for replay protection when doing RFC 5310. The reason it was rejected was because we didn't think such an attack was really possible since (i) the attacker has to be on a direct link and (ii) ISIS is generally run in the service provider "core" router (you don't ever find it as a PE-CE protocol). So, I would first like to understand if something has changed between then and now to prompt a need for such a mechanism.

OSPF is a different beast since OSPF packets can be launched from a site multiple hops away as they ride over IP - and adding mechanisms to prevent OSPF replays becomes significant. I would like to understand the motivation here.

Cheers, Manav
_______________________________________________
Isis-wg mailing list
Isis-wg@...
https://www.ietf.org/mailman/listinfo/isis-wg
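To illustrate Naiming's point above that authentication alone does not stop a replayed packet, here is an added example in Python (not code from the draft or from anyone on the list): a toy authenticated PDU with a 4-byte sequence number in front of the payload and an HMAC-MD5 tag, checked by a receiver with and without sequence tracking. The PDU layout, the key and the strictly-increasing sequence rule are assumptions made for illustration; the draft's actual TLV format is not shown on this page.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key"   # constructed sample key, not a real deployment key
TAG_LEN = 16                       # HMAC-MD5 digest length, chosen to match the thread's "hmac-md5"


def build_pdu(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Assumed toy layout: 4-byte big-endian sequence number, payload, then HMAC tag."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.md5).digest()


class Receiver:
    """Verifies the tag; optionally also requires a strictly increasing sequence number."""

    def __init__(self, key: bytes = KEY, check_sequence: bool = True):
        self.key = key
        self.check_sequence = check_sequence
        self.last_seq = None   # highest sequence number accepted so far

    def accept(self, pdu: bytes) -> str:
        body, tag = pdu[:-TAG_LEN], pdu[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.md5).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad authentication"    # forged or corrupted packet
        seq = int.from_bytes(body[:4], "big")
        if self.check_sequence:
            if self.last_seq is not None and seq <= self.last_seq:
                return "reject: replay"             # tag verifies, but already seen
            self.last_seq = seq
        return "accept"


def replay_scenario(check_sequence: bool) -> list:
    """Genuine packets 1 and 2, a captured copy of packet 1 replayed, then a forgery."""
    rx = Receiver(check_sequence=check_sequence)
    genuine_1 = build_pdu(1, b"IIH adjacency up")       # constructed sample payloads
    genuine_2 = build_pdu(2, b"IIH adjacency up")
    forged = build_pdu(3, b"IIH adjacency up", key=b"wrong-key")
    return [rx.accept(genuine_1), rx.accept(genuine_2),
            rx.accept(genuine_1),     # replay: the tag still verifies
            rx.accept(forged)]
```

With `check_sequence=False` the receiver accepts the replayed copy exactly like a fresh packet; only the sequence check turns it into a rejection, while the forgery is caught either way.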


