[c-nsp] HSRP MD5 Authentication and 12.2(18)SX*
David J. Hughes
bambi at Hughes.com.au
Thu Apr 20 08:48:32 EDT 2006
On 20/04/2006, at 6:11 PM, Gert Doering wrote:
> Hi,
Gday,
> Where exactly is the risk?
>
> "Your customer can kill his uplink connection". OK, so who is he
> hurting?
> Himself. Tough.
Well, he can kill or capture the next hop of the vlan. Capturing is
more the concern I have.
> (You're not putting different customers into the same layer 3 network
> segment, are you? If you do that, there are lots of other funny things
> that customers can do to each other - HSRP is one of your smaller
> worries)
Yes, but when it isn't "your" data centre then sometimes you have to do
things in ways you normally wouldn't choose to ;-)
IMHO, any protocol that spits its password out onto the wire in plain
text is broken. When that protocol uses non-unicast packets to ensure
that everyone can see the plain text password then it's more broken.
The fact that a customer on any vlan that is smart enough to run
Ethereal can tell you what your HSRP password is just makes you look bad.
Sure, if they were smart they could do other things to hurt you, but in
this situation the perception of a totally clueless customer could be
that you are insecure - and lose you business.
Regardless of whether you run port level MAC security, or private vlans
etc, anyone on the subnet can hose the next hop. The fact that the
situation could be avoided by using any auth scheme that wasn't a
throw-back from the 1980s makes this just one more problem we
shouldn't have to worry about anymore. Yes, there are still others,
but this one should be history by now.
David
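The two points David makes above (the password is readable by anyone who captures the multicast hellos, and anyone on the subnet can then claim the next hop) can be shown against the HSRP v1 header itself. The following is an added example, not code from the original post or from Cisco: it decodes the fixed 20-byte HSRP v1 header as laid out in RFC 2281 (UDP 1985 to 224.0.0.2), recovers the plaintext auth field exactly as a sniffer would, flags HSRP speakers that are not your configured routers, and applies the RFC election rule (highest priority wins, highest IP breaks ties) to show who would become active. The capture, the addresses 10.1.1.x and the password "s3cret" are constructed for the demo; the MD5 authentication TLV that the subject line refers to is not parsed here.

```python
"""Decode HSRP v1 hellos and show what any host on the VLAN can see or do.

Added example, not from the original post. Header layout per RFC 2281
(HSRP v1). The sample capture, addresses and password are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# RFC 2281 HSRP v1 header: version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)  # 20 bytes
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


@dataclass(frozen=True)
class HsrpV1:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str          # plaintext, exactly as carried on the wire
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode the fixed HSRP v1 header from a UDP payload."""
    if len(payload) < HSRP_V1_LEN:
        raise ValueError("payload too short for HSRP v1")
    (version, opcode, state, hellotime, holdtime, priority, group,
     _reserved, auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    return HsrpV1(
        opcode=OPCODES.get(opcode, f"op{opcode}"),
        state=STATES.get(state, f"state{state}"),
        hellotime=hellotime, holdtime=holdtime, priority=priority, group=group,
        auth=auth.rstrip(b"\x00").decode("ascii", errors="replace"),
        virtual_ip=str(IPv4Address(vip)),
    )


def build_hsrp_v1(opcode: int, state: int, priority: int, group: int,
                  auth: str, virtual_ip: str,
                  hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Encode a v1 packet; used here only to construct the sample capture."""
    auth_bytes = auth.encode("ascii")
    if len(auth_bytes) > 8:
        raise ValueError("HSRP v1 auth data is at most 8 bytes")
    return struct.pack(HSRP_V1_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth_bytes.ljust(8, b"\x00"),
                       IPv4Address(virtual_ip).packed)


# Constructed capture: (source IP, UDP payload). Two real routers, plus a
# customer host that read the password off the multicast hellos and sends
# a coup at priority 255 for the same group.
KNOWN_ROUTERS = {"10.1.1.2", "10.1.1.3"}
SAMPLE_CAPTURE = [
    ("10.1.1.2", build_hsrp_v1(0, 16, 100, 1, "s3cret", "10.1.1.1")),  # active
    ("10.1.1.3", build_hsrp_v1(0, 8, 90, 1, "s3cret", "10.1.1.1")),    # standby
    ("10.1.1.50", build_hsrp_v1(1, 4, 255, 1, "s3cret", "10.1.1.1")),  # coup
]


def recover_auth_strings(capture):
    """Every distinct auth string on the wire: what a sniffer on the VLAN shows."""
    return {parse_hsrp_v1(payload).auth for _src, payload in capture}


def unexpected_speakers(capture, known_routers):
    """HSRP packets from addresses that are not the routers we configured."""
    hits = []
    for src, payload in capture:
        pkt = parse_hsrp_v1(payload)
        if src not in known_routers:
            hits.append((src, pkt.group, pkt.opcode, pkt.priority))
    return hits


def election_winner(capture, group):
    """Who ends up active for a group: highest priority, then highest IP."""
    best = None
    for src, payload in capture:
        pkt = parse_hsrp_v1(payload)
        if pkt.group != group or pkt.opcode == "resign":
            continue
        key = (pkt.priority, IPv4Address(src))
        if best is None or key > best[0]:
            best = (key, src)
    return best[1] if best else None


if __name__ == "__main__":
    print("auth strings seen on the wire:", recover_auth_strings(SAMPLE_CAPTURE))
    for hit in unexpected_speakers(SAMPLE_CAPTURE, KNOWN_ROUTERS):
        print("unexpected HSRP speaker:", hit)
    print("would become active for group 1:", election_winner(SAMPLE_CAPTURE, 1))
```

Run against the constructed capture, the auth field comes back as the literal "s3cret", the 10.1.1.50 coup is flagged because it is not one of the configured routers, and the election rule hands the active role to that host. The check that matters operationally is the second one: a hello or coup from any address other than your own routers on a shared VLAN is worth an alert regardless of which authentication scheme is in use.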
...