[c-nsp] securing a vrrp setup
Gert Doering
gert at greenie.muc.de
Fri Dec 28 05:37:14 EST 2007
Hi,
On Fri, Dec 28, 2007 at 05:13:55PM +0800, bangky wrote:
> I am looking into how to secure a VRRP setup.
> Could someone please let me know whether it's possible to prevent a
> rogue router from taking over as the VRRP master?
When I read questions like this, I always wonder "yes, someone could
do this, but for what goal?".
When we do VRRP setups towards our customers, the only person that
would be able to do VRRP spoofing is the customer itself (only one
customer per L3 segment) - and all they could achieve is "drop themselves
off the network", for which there are easier means ("unplug their
ethernet cable").
If you put different customers into the same L3 segment, there are other
fun ways that one of them can do mischief, like "use an IP address that
belongs to another customer", "ARP spoofing" (to sniff/interject traffic),
etc.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de