Agree, that's why using p2p has been mentioned as BCP in networking "howto's" for at least the last 10 years.
Regards,
Jeff

On Aug 4, 2013, at 3:14 AM, "Saku Ytti" <s...@ytti.fi> wrote:

> On (2013-08-04 05:01 -0500), Jimmy Hess wrote:
>
>> I would say the risk score of the advisory is overstated. And if you
>> think "ospf is secure" against LAN activity after any patch, that
>> would be wishful thinking. Someone just rediscovered one of the
>> countless innumerable holes in the back of the cardboard box and tried
>> covering it with duct tape...
>
> I tend to agree. OTOH I'm not 100% sure if it's unexploitable outside LAN
> via unicast OSPF packets.
> But like you say MD5 offers some level of protection. I wish there would be
> some KDF for IGP KARP so that each LSA would actually have a unique
> not-to-be-repeated password, so even if someone gets a copy of one LSA and
> calculates out the MD5 it won't be relevant anymore.
>
> L2 is very dangerous in any platform I've tried, access to L2 and you can
> usually DoS the neighbouring router, even when optimally configured
> CoPP/Lo0 filter.
>
> --
> ++ytti
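The per-LSA key idea in the quoted reply, as an added illustration that is not part of the thread and not any vendor's or KARP's actual mechanism: the first scheme is a simplified form of the RFC 2328 appendix D construction (MD5 over the packet with a static shared key appended), where one static key authenticates every packet; the second derives a one-time key from a master key and the cryptographic sequence number with HKDF (RFC 5869, implemented inline with the standard library), so a key tied to one sequence number does not validate any other packet and does not reveal the master key. The key, packet contents, salt and info strings are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example only (not from the thread).
MASTER_KEY = b"example-area0-shared-key"
PACKETS = {
    1: b"OSPFv2 HELLO cryptseq=1 router-id=10.0.0.1",
    2: b"OSPFv2 LSU   cryptseq=2 router-id=10.0.0.1",
}


def legacy_tag(key: bytes, packet: bytes) -> bytes:
    """Simplified RFC 2328 appendix D style tag: MD5 over the packet with the
    shared key appended (padded or truncated to 16 bytes). The same static key
    authenticates every packet, so once it is known it works everywhere."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()


def verify_legacy(key: bytes, packet: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(legacy_tag(key, packet), tag)


def hkdf_sha256(master: bytes, salt: bytes, info: bytes, length: int = 16) -> bytes:
    """RFC 5869 HKDF (extract, then expand) written with hmac so the example
    has no third-party dependency. One-way: the output does not reveal master."""
    prk = hmac.new(salt, master, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def per_packet_key(master: bytes, seq: int) -> bytes:
    """Derive a one-time key bound to the cryptographic sequence number.
    The salt and info labels are assumptions made for this example."""
    return hkdf_sha256(master, b"igp-karp-example", b"ospf-lsa" + struct.pack(">I", seq))


def derived_tag(master: bytes, seq: int, packet: bytes) -> bytes:
    return hmac.new(per_packet_key(master, seq), packet, hashlib.sha256).digest()


def verify_derived(master: bytes, seq: int, packet: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(derived_tag(master, seq, packet), tag)


def key_from_seq_authenticates(master: bytes, key_seq: int, packet_seq: int, packet: bytes) -> bool:
    """Would the per-packet key derived for key_seq validate a packet that the
    receiver checks under packet_seq? True only when the two sequence numbers
    match, which is the property the quoted reply asks for."""
    key = per_packet_key(master, key_seq)
    tag = hmac.new(key, packet, hashlib.sha256).digest()
    return verify_derived(master, packet_seq, packet, tag)


if __name__ == "__main__":
    # Static key: one key covers every packet.
    for seq, pkt in PACKETS.items():
        print("legacy seq", seq, "verifies:", verify_legacy(MASTER_KEY, pkt, legacy_tag(MASTER_KEY, pkt)))
    # Derived key: the key for seq 1 is useless against the seq 2 packet.
    print("derived key(seq=1) on seq 2 packet:", key_from_seq_authenticates(MASTER_KEY, 1, 2, PACKETS[2]))
    print("derived key(seq=2) on seq 2 packet:", key_from_seq_authenticates(MASTER_KEY, 2, 2, PACKETS[2]))
```

Since receivers already require the cryptographic sequence number to increase, a derived key tied to an old sequence number is only good for a packet the receiver would reject as a replay anyway, and because HKDF is one-way, recovering that derived key does not give the master key.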