[c-nsp] securing a vrrp setup
bangky
mailinglist at bangky.net
Fri Dec 28 06:35:38 EST 2007
Hi Gert,
Thanks for your reply again.
At the moment, I don't have a particular form of "attacker" in mind.
I was just wondering if this could be a possible attack vector.
As compared to the usual MAC address / ARP based techniques, this seems
like a more "silent" way to sit in a network and grab packets off the wire.
On the other hand though, I do agree with you that there are a lot more
things to worry about, some of which could probably be solved by
implementing 802.1x.
Returning to the original question of VRRP, does this effectively mean
that while being a useful technology, it lacks the ability to prevent
rogue routers from altering the topology of the network, as compared to
routing protocols whereby MD5 hashes can be used to prevent rogue
routing information from entering the routing information base?
Looking forward to your reply. Thank you.
--
bangky
Gert Doering wrote:
> Hi,
>
> On Fri, Dec 28, 2007 at 06:45:29PM +0800, bangky wrote:
>
>> When I read questions like this, I always wonder "yes, someone could
>> do this, but for what goal?".
>>
>> Sorry if the first email wasn't very specific.
>> What I'm looking at is securing a VRRP setup within a LAN, and not in a
>> WAN environment.
>>
>> What I'm worried about is that by adding a rogue router to the network,
>> an attacker would be able to direct traffic through the rogue router,
>> thus effectively being able to execute man-in-the-middle attacks, or at
>> the very least, sniff packets off the wire.
>>
>
> What sort of "attacker" do you have in mind? Who has access to the network?
>
> If someone has unauthorized access to your network, there are much easier
> avenues to steal other people's traffic, like MAC address / ARP spoofing
> attacks. To protect against *this* scenario, about the only thing really
> effective is 802.1x authentication on *all* LAN ports.
>
> gert
>
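Added example (not from the thread or either poster): since a VRRPv2 advertisement carries no cryptographic authentication (RFC 3768 keeps only auth type 0), the defender's remaining option is to watch the advertisements on the LAN and flag any speaker that deviates from the routers it knows. The trusted router addresses, master priority, virtual IP and the two sample packets are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Constructed baseline for one virtual router (VRID 10): our two routers, the
# priority given to the intended master, and the VIP they are allowed to own.
TRUSTED_ROUTERS = {"192.0.2.1", "192.0.2.2"}
MASTER_PRIORITY = 200
EXPECTED_VIPS = {"192.0.2.254"}

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_vrrp2(vrid: int, prio: int, vips: list, adver_int: int = 1) -> bytes:
    """Encode a VRRPv2 advertisement (RFC 3768 5.1): auth type 0, zeroed auth data."""
    head = struct.pack("!BBBBBBH", 0x21, vrid, prio, len(vips), 0, adver_int, 0)
    body = b"".join(IPv4Address(v).packed for v in vips) + bytes(8)
    csum = internet_checksum(head + body)
    return head[:6] + struct.pack("!H", csum) + body

def parse_vrrp2(payload: bytes) -> dict:
    """Decode the fixed header and the list of advertised virtual IPs."""
    ver_type, vrid, prio, naddr, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", payload[:8])
    vips = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(naddr)]
    return {"version": ver_type >> 4, "type": ver_type & 0xF, "vrid": vrid,
            "priority": prio, "auth_type": auth_type, "adver_int": adver_int,
            "vips": vips, "checksum_ok": internet_checksum(payload) == 0}

def inspect_advertisement(src_ip: str, payload: bytes) -> list:
    """Findings a LAN monitor would raise; an empty list means 'looks like our routers'."""
    adv = parse_vrrp2(payload)
    findings = []
    if adv["version"] != 2 or adv["type"] != 1 or not adv["checksum_ok"]:
        findings.append("malformed advertisement")
    if src_ip not in TRUSTED_ROUTERS:
        findings.append(f"advertisement from unexpected source {src_ip}")
    if adv["priority"] > MASTER_PRIORITY:
        findings.append(f"priority {adv['priority']} outbids the configured master")
    if set(adv["vips"]) != EXPECTED_VIPS:
        findings.append(f"unexpected virtual IPs {adv['vips']}")
    return findings

# Constructed samples: the normal master advertisement and one from a stranger.
LEGIT = build_vrrp2(10, MASTER_PRIORITY, ["192.0.2.254"])
ROGUE = build_vrrp2(10, 255, ["192.0.2.254"])
```

Feeding the monitor from a capture (VRRP is IP protocol 112 sent to 224.0.0.18) turns a silent master takeover into an alert, which is the gap that MD5-authenticated routing protocols close by design and VRRPv2 does not.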