[f-nsp] Securing VRRP/VRRP-E?
Devon
devon at noved.org
Tue Apr 6 17:12:46 EDT 2004
All:
Anyone know if Foundry is looking at securing VRRP/VRRP-E on their
boxes? I looked at RFC2338 and there is an additional authentication
type that I don't see as an option.
----------
10.3 IP Authentication Header
The use of this authentication type means the VRRP protocol exchanges
are authenticated using the mechanisms defined by the IP
Authentication Header [AUTH] using "The Use of HMAC-MD5-96 within ESP
and AH", [HMAC]. This provides strong protection against
configuration errors, replay attacks, and packet
corruption/modification.
This type of authentication is RECOMMENDED when there is limited
control over the administration of nodes on a LAN. While this type
of authentication does protect the operation of VRRP, there are other
types of attacks that may be employed on shared media links (e.g.,
generation of bogus ARP replies) which are independent from VRRP and
are not protected.
----------
ssh@Foundry(config-vif-69)#ip vrrp-e auth
  no-auth             No authentication
  simple-text-auth    Simple text authentication
ssh@Foundry(config-vif-69)#ip vrrp auth
  no-auth             No authentication
  simple-text-auth    Simple text authentication
----------
Devon
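
Added example (not part of the original post, and not Foundry code): a Python sketch that classifies the authentication an RFC 2338 advertisement carries and contrasts the unkeyed VRRP checksum with an HMAC-MD5-96 tag. The sample packet, password and key are constructed, and the tag is computed over the VRRP message only, a simplification of what the IP Authentication Header actually covers.

```python
import hashlib, hmac, struct

AUTH_NAMES = {0: "no-auth", 1: "simple-text-auth", 2: "ip-auth-header"}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum used by VRRPv2 (no key involved)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, addrs, auth_type, auth_data=b""):
    """Constructed RFC 2338 advertisement: 8-byte header, IPs, 8-byte auth data."""
    body = b"".join(addrs) + auth_data.ljust(8, b"\0")[:8]
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), auth_type, 1, 0)
    return hdr[:6] + struct.pack("!H", inet_checksum(hdr + body)) + body

def audit_advert(pkt: bytes) -> dict:
    """Report which RFC 2338 authentication type a received advertisement uses."""
    ver_type, vrid, prio, count, auth_type, _, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type != 0x21 or len(pkt) != 16 + 4 * count:
        raise ValueError("not a VRRPv2 advertisement")
    auth_data = pkt[8 + 4 * count:].rstrip(b"\0")
    return {
        "vrid": vrid, "priority": prio,
        "auth": AUTH_NAMES.get(auth_type, "unknown"),
        "checksum_ok": inet_checksum(pkt) == 0,
        # Types 0 and 1 give the receiver no keyed integrity check.
        "keyed_integrity": auth_type == 2,
        "secret_on_wire": auth_type == 1 and bool(auth_data),
    }

def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 truncated to 96 bits, the transform named in RFC 2338 10.3."""
    # Assumption: real AH also covers IP header fields and a sequence number.
    return hmac.new(key, data, hashlib.md5).digest()[:12]

def verify_tag(key: bytes, pkt: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_md5_96(key, pkt), tag)

if __name__ == "__main__":
    adv = build_advert(69, 100, [bytes([192, 0, 2, 1])], 1, b"example")  # constructed
    print(audit_advert(adv))
    tag = hmac_md5_96(b"k" * 16, adv)
    print(tag.hex(), verify_tag(b"k" * 16, adv, tag))
```

An advertisement with different contents still passes the checksum, because any sender can compute it, while the keyed tag only verifies for the exact bytes it was computed over.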