nanog mailing list archives

Re: IS-IS protocol implementation problem
From: smd () clock org
Date: Sun, 29 Oct 2000 18:00:19 -0800


| Because IS-IS is an IGP protocol, it does not propagate between
| providers.

This is not the reason why it will not propagate between separate ASes.
The "saving factor" here is that nobody really routes CLNS natively,
and therefore, the maximum hop-count of a CLNS datagram is 1.

It would be possible to cascade an IS-IS problem across multiple
separate ASes in the unfortunate event that more than one AS
treated a single LAN (e.g. an IX) or point-to-point link as an
internal one across which IS-IS is run, with the same key.
This kind of mutual poisoning between separate ASes happens with some
regularity, amusingly often with RIP as the IGP.

An IGP based on a natively routed protocol (including routed CLNS)
widens the scope for inter-AS poisoning.  This is why it is important
to have good authentication in one's IGP.  Unfortunately, *no* IGPs
currently in wide use have any such thing. :-(

For clarity, a separate AS is really shorthand for, "a collection
of routers participating in a common IGP instantiation"; there are
cases where different ASes (in the BGP sense) share a common IGP.
Also, "propagating between providers" seems to ignore the fact that there
are single providers who have multiple IGP instantiations.

        Sean.

P.S.: any chance you can be a bit more concrete about what's happening?
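
The shared-link scenario described in the message above, as an added toy model that is not part of the original post. It assumes a generic keyed MAC (HMAC-SHA256) on each interface rather than any real IS-IS wire format; the router names, keys and LSP payload are constructed. It shows that flooding stops where the key changes, not where the AS changes.

```python
import hashlib
import hmac


def mac(key: bytes, pdu: bytes) -> bytes:
    # Stand-in for interface authentication (assumption: generic HMAC, not IS-IS TLVs).
    return hmac.new(key, pdu, hashlib.sha256).digest()


class Router:
    def __init__(self, name: str, igp: str):
        self.name, self.igp = name, igp
        self.ifaces = {}  # neighbor name -> (neighbor Router, key configured on our side)
        self.lsdb = {}    # originating router -> LSP payload

    def flood(self, origin: str, pdu: bytes, skip: str = "") -> None:
        self.lsdb[origin] = pdu
        for name, (peer, key) in self.ifaces.items():
            if name != skip:
                peer.receive(self.name, origin, pdu, mac(key, pdu))

    def receive(self, sender: str, origin: str, pdu: bytes, tag: bytes) -> None:
        _, key = self.ifaces[sender]
        if not hmac.compare_digest(tag, mac(key, pdu)):
            return  # authentication failed: drop, nothing is installed or re-flooded
        if self.lsdb.get(origin) == pdu:
            return  # already known: stop flooding
        self.flood(origin, pdu, skip=sender)


def link(a: Router, key_a: bytes, b: Router, key_b: bytes) -> None:
    a.ifaces[b.name] = (b, key_a)
    b.ifaces[a.name] = (a, key_b)


def reach(key_a: bytes, key_b: bytes) -> list:
    """Return the routers that install a bad LSP originated inside IGP-A."""
    a1, a2 = Router("a1", "IGP-A"), Router("a2", "IGP-A")
    b1, b2 = Router("b1", "IGP-B"), Router("b2", "IGP-B")
    link(a1, key_a, a2, key_a)   # internal to A
    link(b1, key_b, b2, key_b)   # internal to B
    link(a2, key_a, b1, key_b)   # shared link (e.g. an IX) that both sides treat as internal
    a1.flood("a1", b"bogus LSP (constructed)")
    return sorted(r.name for r in (a1, a2, b1, b2) if "a1" in r.lsdb)


if __name__ == "__main__":
    print("same key on both sides:", reach(b"shared", b"shared"))
    print("distinct keys per IGP: ", reach(b"key-a", b"key-b"))
```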


