Network Security in SPB

[bibi75]

Hello,
I'm currently working for my dissertation, and I choose to deal with the Shortest Path bridging. For my last part, I want to add a topic on the security in my SPB Fabric.

Let's take a simple example :
Someone, no matther how, could learn our SPB configuration and now, he want to add his own switch to the fabric. Do we have a mechanism to prevent from that type of attack ?

Anyway, I want to (try) prevent to any type of attack in my network fabric. Do you have any solution in Avaya switch to do so ?
Do you have any advice on that part for my dissertation ?

PS : I've already known the MACsec to encrypt point-to-point on interfaces.

[Blair]

There's a feature called IS-IS hello authentication that you can enable on your IS-IS NNI interfaces.
This will prevent an adjacency being formed unless the keys match on both ends.
It's sensible to use MACSec also presuming this doesn't introduce issues for your environment (frame size overhead, some ports do not support this etc).

Note that the implementation of this had an issue in 4.2.1.0 and 4.2.1.1, so you need to make sure both ends are matched on fixed or non-fixed versions or they wont negotiate properly.

[Dominik]

besides the already mentioned features like MACSEC and ISIS hello authentication
the main line of defence is to hide your SPB from the Attacker so that he is not aware of that there is an
SPB fabric, this conceptr is called "staelth networking".

If you configure only the Interfaces that are connected to another ISIS NNI Link with ISIS enabled you minimise the attack vector significantly.

If you hide the fact that you have an ISIS / SPB fabric to all the access ports than it is hard for an attacker
to start an targeted attack against your infrastructure.

Cheers