VRRP IPv6 authentication

Latest reply: Dec 24, 2018 09:21:46 413 2 1 0
Could not configure IPv6 authentication in my network where there is already a VRRP running for IPv4.


I typed the command below followed by question mark and noticed there are no paramenters for authentication of VRRP6.

[CE12800]vrrp6 vrid 2 ?

  admin         Specify the administrator VRRP6

  join          Join to load-balance VRRP

  load-balance  Specify load balance mode

  preempt       Specify preempt mode

  priority      Specify priority

  timer         Specify timer

  track         Specify track configuration

  virtual-ip    Specify a virtual IP address

  <cr>          


After searching the documentation and thinking that IPv6 already have the Authentication Header included in the IP packet, so it's more secure than IPv4, checked the IANA webside for RFC5798. There I found that actually the VRRP has removed any type of authentication for both IPv4 and IPv6 later versions. Only IPv4 early versions still support it.


9. Security Considerations

VRRP for IPvX does not currently include any type of authentication. Earlier versions of the VRRP (for IPv4) specification included several types of authentication ranging from none to strong. Operational experience and further analysis determined that these did not provide sufficient security to overcome the vulnerability of misconfigured secrets, causing multiple Masters to be elected. Due to the nature of the VRRP protocol, even if VRRP messages are cryptographically protected, it does not prevent hostile nodes from behaving as if they are a VRRP Master, creating multiple Masters. Authentication of VRRP messages could have prevented a hostile node from causing all properly functioning routers from going into Backup state. However, having multiple Masters can cause as much disruption as no routers, which authentication cannot prevent. Also, even if a hostile node could not disrupt VRRP, it can disrupt ARP and create the same effect as having all routers go into Backup.

Source: https://tools.ietf.org/html/rfc5798#section-9

  It should be noted that these attacks are not worse and are a subset
   of the attacks that any node attached to a LAN can do independently
   of VRRP.  The kind of attacks a malicious node on a LAN can do
   include promiscuously receiving packets for any router's MAC address;
   sending packets with the router's MAC address as the source MAC
   address in the L2 header to tell the L2 switches to send packets
   addressed to the router to the malicious node instead of the router;
   send redirects to tell the hosts to send their traffic somewhere
   else; send unsolicited ND replies; answer ND requests; etc.  All of
   this can be done independently of implementing VRRP.  VRRP does not
   add to these vulnerabilities.
  • x
  • convention:

Created Dec 22, 2018 16:56:47 Helpful(0) Helpful(0)

thanks for sharing ,
  • x
  • convention:

Created Dec 24, 2018 09:21:46 Helpful(0) Helpful(0)

Learn more, great
  • x
  • convention:

Reply

Reply
You need to log in to reply to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!

Login and enjoy all the member benefits

Login
Fast reply Scroll to top