[f-nsp] Securing VRRP/VRRP-E?
Devon
devon at noved.org
Wed Apr 7 18:05:35 EDT 2004
Niels,
> Although it seems like a better thing than simple authentication to
> use on networks with untrusted hosts on it, I'm unaware of any vendor
> implementing this...
It looks like Juniper has MD5 authentication.
<http://www.juniper.net/techpubs/software/junos/junos56/swconfig56-interfaces/html/interfaces-ethernet-config25.html>
----------
"authentication can be none, simple, or md5. The authentication type
must be the same for all routers in the VRRP group."
----------
However, I don't see the same option for Cisco.
<http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a00801a7ec3.html#wp1079676>
----------
"When a VRRP packet arrives from another router in the VRRP group, its
authentication string is compared to the string configured on the local
system. If the strings match, the message is accepted. If they do not
match, the packet is discarded.
All routers within the group must be configured with the same
authentication string.
Note that plain text authentication is not meant to be used for
security. It simply provides a way to prevent a misconfigured router
from participating in VRRP."
----------
I would like to see Foundry use some form of stronger authentication
than plain-text. Has no one else complained about the lack of security?
Or is this something we just "deal with"? Any Foundry people willing to
talk about it?
I'll ping our sales rep, but I am curious to know if anyone has thought
about this issue and if anyone has taken steps to limit their exposure.
Devon
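
An added example, not part of the message above or of any vendor's code: a Python parser for a VRRPv2 advertisement as laid out in RFC 2338 that reports the authentication type in use, showing that the simple-text string described in the Cisco excerpt sits unencrypted in the last 8 bytes of every advertisement. The function names and the sample packets (VRIDs 10 and 11, address 192.0.2.1, string "s3cret") are constructed for illustration.

```python
import struct

# Auth Type values defined by RFC 2338 (VRRPv2).
AUTH_TYPES = {0: "none", 1: "simple-text", 2: "ip-auth-header"}

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum, as used by the VRRPv2 checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def audit_vrrp_advert(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement (IP protocol 112 payload) and report its auth posture."""
    if len(payload) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    ver_type, vrid, prio, n_addrs, auth_type, _adv_int, _cksum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 ADVERTISEMENT")
    end_addrs = 8 + 4 * n_addrs
    if len(payload) < end_addrs + 8:
        raise ValueError("truncated address list or authentication data")
    auth_data = payload[end_addrs:end_addrs + 8]
    finding = {
        "vrid": vrid,
        "priority": prio,
        "auth": AUTH_TYPES.get(auth_type, f"unknown({auth_type})"),
        # A valid message sums to 0xFFFF, so the complemented result is 0.
        "checksum_ok": inet_checksum(payload[:end_addrs + 8]) == 0,
        "cleartext_string": None,
        "weak": auth_type in (0, 1),  # no auth, or a string readable by any host on the LAN
    }
    if auth_type == 1:
        finding["cleartext_string"] = auth_data.rstrip(b"\x00").decode("ascii", "replace")
    return finding

def build_sample(vrid, prio, auth_type, auth_str, addr=bytes([192, 0, 2, 1])):
    """Constructed sample advertisement for the demo; not captured traffic."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, prio, 1, auth_type, 1, 0) + addr
    body += auth_str.ljust(8, b"\x00")
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

if __name__ == "__main__":
    for pkt in (build_sample(10, 100, 1, b"s3cret"), build_sample(11, 100, 0, b"")):
        print(audit_vrrp_advert(pkt))
```

Run over the VRRP payloads in a capture from your own segment, this gives a quick inventory of which groups still rely on type 0 or type 1.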