On 18/Nov/18 11:58, Saku Ytti wrote:
> Should. OSPF you can protect in edge with ACL. In ISIS you hope it's
> protected.
>
> 7600 punts it in every interface, if one interface speaks ISIS,
> because it doesn't have per-interface punt masks.
>
> MX:
> 2012-10-18 0002096778/2012-1018-0446 (test13nqe3) (11.4R5) ++ytti
> * ISIS gets to control-plane, even when only family inet is configured
>
> This was fixed on later releases.

While this isn't cool, I don't see this as a major issue when put up against any other nasties you find in vendor implementations.

Find a problem, report it to the vendor, work with them to fix it, close the hole.

I've found my fair share of IS-IS bugs since I began using it back in 2007 (when SRC ruled the roost on 7200/7600). What matters is that stuff gets fixed.

> My point is, perhaps in theory ISIS is more secure, but in practice
> OSPF is, because OSPF can be protected perfectly in iACL, feature
> which is available in HW in cheapest L3 switches. Only reason people
> think different, is because they don't test it.

I would not be opposed to spending some time with you to hit IS-IS on vendor platforms with known bugs fixed to prove this point.

Mark.