clear forwarding route
Hi,

I would like to understand the circumstances under which an operator may want to clear all (or a subset of) the routes programmed in the forwarding table (FIB). I believe the command to do this on Cisco is:

clear forwarding {ipv4 | ipv6} route {* | prefix} [vrf vrf-name] module {slot | all}

I ask this since doing this would result in the router dropping all transit traffic till the routes get reprogrammed in the FIB. Why would somebody ever want to do this?

One scenario that I can think of is when, because of a bug, a route does not get programmed in the FIB and the operator uses this command to install it once again in the FIB.

Thanks, Manav
Re: Using crypto auth for detecting corrupted IGP packets?
Hi,

I received 7 replies, of which 3 stated that they were using crypto only to detect the issues that I have described in my email below. Another 3 said that they were using it for authentication, and 1 person replied saying that they were using crypto for both authentication and integrity.

Folks who are using cryptographic authentication mechanisms only for integrity may want to look at http://www.ietf.org/id/draft-jakma-ospf-integrity-00.txt

Cheers, Manav

On Fri, Oct 1, 2010 at 9:04 AM, Manav Bhatia manavbha...@gmail.com wrote:

Hi,

I believe, based on what I have heard, that some operators turn on cryptographic authentication because the internet checksum that OSPF, etc. use for packet sanity is quite weak and offers very little protection against a lot of known errors like:

- re-ordering of 2-byte aligned words
- various bit flips that keep the 1s complement sum the same (e.g. 0x to 0x and vice versa)

So a corrupted packet could still pass the ethernet CRC checks and IP and OSPF checksums. Or it could be valid till the ethernet CRC check is done and get corrupted after that (PCI transmission errors, DMA errors, memory issues, line card corruption and, last but not least, CRCs and internet checksums could miss wire-corrupted packets).

Currently an operator can do the following:

- Use the poor internet checksum, OR
- Turn on cryptographic authentication in the routing protocols to catch all such bit errors which could be caused by line card corruption, etc.

One can go through http://portal.acm.org/citation.cfm?id=294357.294364 to understand the issues with the internet checksums.

I would be interested in knowing if operators use the cryptographic authentication for detecting the errors that I just described above. You could send me a mail offline and I will consolidate the responses and send a summary on the list in a few days' time.

Cheers, Manav
Re: Using crypto auth for detecting corrupted IGP packets?
Buffering for 4-6 hours' worth of control traffic is HUGE!

If 4-6 hours of *control-plane* traffic on a given device is 'HUGE!', for some reasonable modern value of 'HUGE!', then there's definitely a problem on the network in question.

With BFD alone (assuming 20 sessions, 50ms timer) you will have 400pps. In 6 hours you will have around 8000K BFD packets. Add OSPF, RSVP, BGP, LACP (for lags), dot1AG, EFM and you would really get a significant number of packets to buffer.

Cheers, Manav
Re: OSPFv3 Authentication
Hi,

I received 12 responses for the query that I had put up.

o 1 response stated that the provider was using IS-IS for IPv6 and not using any authentication.
o 7 responses where OSPFv3 was being used without any authentication.
o 2 responses where OSPFv3 is being used with authentication.
o 2 responses where they were using OSPFv2 with authentication turned on.

I asked the 7 people who had replied in the negative why they were not using authentication with OSPFv3. 5 responded stating a mix of the following reasons:

o IPsec not available on all platforms
o IPsec required interoperability testing, which was perceived as a hassle
o Troubleshooting becomes much harder. OSPF operation should be kept as simple as possible, especially when used in the core.
o Complex configuration
o Required coordination between different boxes, which is a deterrent.
o IPsec on some platforms requires a special license which can be expensive.
o Unsure of how well IPsec is implemented on the boxes

Cheers, Manav

On Tue, Sep 28, 2010 at 5:33 AM, Manav Bhatia manavbha...@gmail.com wrote:

Hi,

I am doing a survey and was interested in knowing if network operators are using OSPFv3 with authentication [RFC 4552] turned on. I know that most providers turn on authentication with OSPFv2, but given that OSPFv3 needs IPsec integration and can thus get a little cumbersome to configure, I wanted to understand if a similar % of folks also turn on authentication for OSPFv3.

You can unicast me your responses (if you don't wish to share them on the list) and I will collate all data and post a summary on the list.

Cheers, Manav
Using crypto auth for detecting corrupted IGP packets?
Hi,

I believe, based on what I have heard, that some operators turn on cryptographic authentication because the internet checksum that OSPF, etc. use for packet sanity is quite weak and offers very little protection against a lot of known errors like:

- re-ordering of 2-byte aligned words
- various bit flips that keep the 1s complement sum the same (e.g. 0x to 0x and vice versa)

So a corrupted packet could still pass the ethernet CRC checks and IP and OSPF checksums. Or it could be valid till the ethernet CRC check is done and get corrupted after that (PCI transmission errors, DMA errors, memory issues, line card corruption and, last but not least, CRCs and internet checksums could miss wire-corrupted packets).

Currently an operator can do the following:

- Use the poor internet checksum, OR
- Turn on cryptographic authentication in the routing protocols to catch all such bit errors which could be caused by line card corruption, etc.

One can go through http://portal.acm.org/citation.cfm?id=294357.294364 to understand the issues with the internet checksums.

I would be interested in knowing if operators use the cryptographic authentication for detecting the errors that I just described above. You could send me a mail offline and I will consolidate the responses and send a summary on the list in a few days' time.

Cheers, Manav
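The checksum weakness described in this post (and in the quoted copy of it in the reply above) can be shown directly. The following is an added illustration, not code from the thread: it computes the RFC 1071 internet checksum over a constructed sample packet, shows that swapping two 16-bit words or turning a 0x0000 word into 0xFFFF leaves the checksum unchanged, and shows that a keyed HMAC (standing in for the routing protocol's cryptographic authentication) does detect both corruptions. The packet bytes and the key are constructed for the example.

```python
import hashlib
import hmac


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is zero-padded
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_verifies(data_with_checksum: bytes) -> bool:
    """A packet carrying a correct checksum sums to zero when re-checksummed."""
    return internet_checksum(data_with_checksum) == 0


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Simulate reordering corruption: exchange 16-bit words i and j."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)


def replace_word(data: bytes, i: int, word: int) -> bytes:
    """Simulate a bit-flip burst: overwrite 16-bit word i with the given value."""
    return data[:2 * i] + word.to_bytes(2, "big") + data[2 * i + 2:]


def hmac_matches(key: bytes, original: bytes, received: bytes) -> bool:
    """Keyed integrity check: does the MAC of the received bytes equal the sender's?"""
    sent_mac = hmac.new(key, original, hashlib.sha256).digest()
    recv_mac = hmac.new(key, received, hashlib.sha256).digest()
    return hmac.compare_digest(sent_mac, recv_mac)


# Constructed sample: an OSPF-like header (version 2, type 1, length 44,
# router ID 192.168.0.1, area 0.0.0.0) followed by filler words, no real packet.
PKT = bytes.fromhex("0201002c c0a80001 00000000 1234abcd 0000ffff")
KEY = b"constructed-example-key"

SWAPPED = swap_words(PKT, 2, 3)          # router ID halves reordered
FLIPPED = replace_word(PKT, 4, 0xFFFF)   # all-zero word became all-ones
```

Both corrupted variants differ from PKT yet yield the same internet checksum as PKT, while hmac_matches returns False for each of them.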
Re: Using crypto auth for detecting corrupted IGP packets?
I really wish there was a good way to (generically) keep a 4-6 hour buffer of all control-plane traffic on devices. While you can do that with some, the forensic value is immense when you have a problem.

Buffering for 4-6 hours' worth of control traffic is HUGE!

What about mirroring your control traffic arriving on your network ports to some other dedicated port?

Manav
OSPFv3 Authentication
Hi,

I am doing a survey and was interested in knowing if network operators are using OSPFv3 with authentication [RFC 4552] turned on. I know that most providers turn on authentication with OSPFv2, but given that OSPFv3 needs IPsec integration and can thus get a little cumbersome to configure, I wanted to understand if a similar % of folks also turn on authentication for OSPFv3.

You can unicast me your responses (if you don't wish to share them on the list) and I will collate all data and post a summary on the list.

Cheers, Manav