[c-nsp] securing a vrrp setup
Joerg Mayer
jmayer at loplof.de
Fri Dec 28 07:00:45 EST 2007
On Fri, Dec 28, 2007 at 07:35:38PM +0800, bangky wrote:
> At the moment, I don't have a particular form of "attacker" in mind.
> I was just wondering if this could be a possible attack vector.
> As compared to the usual MAC address / ARP based techniques, this seems
> like a more "silent" way to sit in a network and grab packets off the wire.
>
> On the other hand though, I do agree with you that there are a lot more
> things to worry about, some of which could probably be solved by
> implementing 802.1x.
>
> Returning to the original question of VRRP, does this effectively mean
> that while being a useful technology, it lacks the ability to prevent
> rogue routers from altering the topology of the network, as compared to
> routing protocols whereby MD5 hashes can be used to prevent rogue
> routing information from entering the routing information base?
A number of things:
1) It shouldn't be "more silent": Isn't there a syslog message/trap
indicating that someone else has become master?
2) Use IPSEC with AH (as the RFC proposes)
3) Use port/vlan ACLs preventing a user port/address from sending
VRRP packets.
4) Normally you don't use VRRP where you could use a routing protocol
instead - the default gateway for end user machines is not a
scenario where you could (realistically) run a routing protocol,
so you are comparing apples with oranges here.
ciao
Joerg
--
Joerg Mayer <jmayer at loplof.de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
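Point 1) above relies on the state-change syslog message being watched rather than just emitted. The following is an added example (not from the thread or any poster) of a small log check that flags the cases a defender would care about: the router you configured as master losing Master state, a monitored router that is not the configured master winning the election, state flapping, and the "silent" case where the configured master is demoted and no monitored router takes over. It assumes the IOS-style message format `%VRRP-6-STATECHANGE: <intf> Grp <n> state <old> -> <new>`; the log lines, host names and the EXPECTED_MASTER table are constructed for the example.

```python
"""Flag suspicious VRRP master changes in IOS-style syslog.

Added example, not from the mailing-list thread. It assumes the IOS
message format '%VRRP-6-STATECHANGE: <intf> Grp <n> state <old> -> <new>'
and an operator-supplied table of which router is expected to be master
for each (interface, group). All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: IOS-style VRRP state-change message relayed through syslog.
# Text between the host name and the '%VRRP' tag (sequence numbers, a
# second timestamp) is skipped with a lazy match.
STATECHANGE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) .*?%VRRP-6-STATECHANGE: "
    r"(?P<intf>\S+) Grp (?P<grp>\d+) state (?P<old>\w+) -> (?P<new>\w+)"
)

# Constructed sample: core-a is the configured master for Vl10 group 1.
# At 07:10 it is demoted, briefly re-elected, then demoted again and
# nothing we monitor takes over, the signature of an unmonitored device
# winning the election.
SAMPLE_LOGS = """\
Dec 28 07:00:01 core-a 1234: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Backup -> Master
Dec 28 07:00:02 core-b 1234: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Master -> Backup
Dec 28 07:00:05 core-a 1235: %SYS-5-CONFIG_I: Configured from console by admin
Dec 28 07:10:15 core-a 1240: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Master -> Backup
Dec 28 07:10:16 core-a 1241: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Backup -> Master
Dec 28 07:10:20 core-a 1242: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Master -> Backup
"""

# Operator-supplied expectation (constructed): (interface, group) -> host.
EXPECTED_MASTER = {("Vl10", 1): "core-a"}


def parse_events(text):
    """Return (timestamp, host, intf, grp, old_state, new_state) tuples."""
    events = []
    for line in text.splitlines():
        m = STATECHANGE.search(line)
        if not m:
            continue  # not a VRRP state change; ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        events.append((ts, m["host"], m["intf"], int(m["grp"]), m["old"], m["new"]))
    return events


def detect(events, expected_master, flap_threshold=3, flap_window_s=60):
    """Return a list of alert strings for the transitions in `events`."""
    alerts = []
    history = defaultdict(list)   # (host, intf, grp) -> recent transition times
    current_master = {}           # (intf, grp) -> monitored host holding Master
    for ts, host, intf, grp, old, new in events:
        key = (intf, grp)
        expected = expected_master.get(key)
        if new == "Master":
            current_master[key] = host
            if expected is not None and host != expected:
                alerts.append(f"{intf} grp {grp}: {host} became Master but "
                              f"{expected} is the configured master")
        elif old == "Master":
            if current_master.get(key) == host:
                current_master[key] = None
            if host == expected:
                alerts.append(f"{intf} grp {grp}: configured master {host} "
                              f"lost Master state at {ts:%H:%M:%S}")
        # Flap detection: keep only transitions inside the window.
        recent = [t for t in history[(host, intf, grp)] + [ts]
                  if (ts - t).total_seconds() <= flap_window_s]
        history[(host, intf, grp)] = recent
        if len(recent) == flap_threshold:
            alerts.append(f"{intf} grp {grp}: {host} changed state "
                          f"{flap_threshold} times within {flap_window_s}s (flapping)")
    # The quiet case: the configured master was demoted and no router we
    # see logs from picked up the Master role.
    for (intf, grp) in expected_master:
        if current_master.get((intf, grp)) is None:
            alerts.append(f"{intf} grp {grp}: no monitored router holds Master; "
                          f"an unmonitored device may have won the election")
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOGS), EXPECTED_MASTER)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The last rule is the one that matters for the "silent" concern raised in the quoted message: a rogue master does not log to your collector, so the only trace is your own router dropping to Backup while no peer you monitor reports taking over.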