[f-nsp] Securing VRRP/VRRP-E?

Niels Bakker niels=foundry-nsp at bakker.net
Wed Apr 7 18:28:09 EDT 2004


* devon at noved.org (Devon) [Thu 08 Apr 2004, 00:05 CEST]:
[vrrp]
> It looks like Juniper has MD5 authentication.

Indeed, you're right:

---
[edit interfaces fe-0/0/1 unit 0 family inet address 192.168.1.3/24 vrrp-group 123]
niels at junix# set authentication-type ?   
Possible completions:
  md5                  HMAC-MD5-96
  simple               Simple password
---

Too bad the Cisco this particular Juniper is talking VRRP with doesn't
support it! ;)

---
Rtr1(config-if)#vrrp 123 auth ?
  text  TEXT authentication
---


> I'll ping our sales rep, but I am curious to know if anyone has thought 
> about this issue and if anyone has taken steps to limit their exposure.

If you want to keep collocated customers from participating in your VRRP
setup you could use port security to lock them down to one MAC address,
keeping them from sourcing ARP replies from the virtual address.
Doesn't address the normal insecurity of ARP, though, but neither would
supporting better crypto in VRRP...

I agree that a statement from Foundry whether this will be supported
would be nice to see on this list.

To answer your question, I'm not running VRRP on Ethernets with
untrusted machines, so the risk exposure here is limited.  Unused switch
ports are disabled or in the default (non-production) VLAN.


	-- Niels.
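To make concrete what the "authentication" the two CLIs above are negotiating actually covers, and what a monitor on the segment could check for, here is an added example (not code from the original post, nor from Foundry, Juniper or Cisco). It builds and parses VRRPv2 advertisements per the RFC 3768 packet layout, with the auth-type values 0/1/2 from RFC 2338, and flags the things a rogue advertisement would show: a source MAC other than the virtual MAC for the VRID (the thing port security would stop), no authentication, a cleartext "simple" password, or a priority that would preempt the real master. VRID 123 and the 192.168.1.0/24 segment come from the post; the virtual address 192.168.1.1, the password and the rogue MAC are constructed for the demo.

```python
"""VRRPv2 advertisement parsing and rogue-advertisement checks.

Added example for this thread; not code from the original post or from
Foundry, Juniper or Cisco.  Packet layout follows RFC 3768 section 5.1;
authentication types 0/1/2 are the values from RFC 2338.  VRID 123 and
the 192.168.1.0/24 segment come from the post; the virtual address
192.168.1.1, the password and the rogue MAC are constructed for the demo.
"""
import struct
from dataclasses import dataclass

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2


@dataclass
class VrrpAdvert:
    vrid: int
    priority: int
    auth_type: int
    adver_int: int
    addresses: list
    auth_data: bytes
    checksum_ok: bool


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_advert(vrid, priority, addresses, auth_type=AUTH_NONE,
                 auth_data=b"", adver_int=1) -> bytes:
    """Build a VRRPv2 advertisement with a correct checksum (RFC 3768 5.1)."""
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(addresses), auth_type, adver_int, 0)
    ips = b"".join(bytes(int(o) for o in a.split(".")) for a in addresses)
    body = header + ips + auth_data.ljust(8, b"\x00")[:8]
    csum = (~ones_complement_sum(body)) & 0xFFFF
    return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_advert(payload: bytes) -> VrrpAdvert:
    """Parse one VRRPv2 advertisement (the IP payload, protocol 112)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count + 8  # header, count * IPv4 address, 8 bytes auth data
    if len(payload) < end:
        raise ValueError("truncated VRRP advertisement")
    addrs = [".".join(str(b) for b in payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    # With the checksum field included, a valid message sums to 0xFFFF.
    ok = ones_complement_sum(payload[:end]) == 0xFFFF
    return VrrpAdvert(vrid, prio, auth_type, adver_int, addrs, payload[8 + 4 * count:end], ok)


def virtual_mac(vrid: int) -> str:
    """RFC 3768 7.3: the master sources advertisements from 00:00:5e:00:01:<VRID>."""
    return "00:00:5e:00:01:%02x" % vrid


def check_advert(src_mac, payload, vrid, virtual_ips, master_priority) -> list:
    """Findings for one advertisement seen on a segment that should carry
    exactly one VRRP group (vrid, virtual_ips) whose master runs with
    master_priority.  An empty list means nothing looked wrong."""
    adv = parse_advert(payload)
    findings = []
    if not adv.checksum_ok:
        findings.append("bad checksum")
    if adv.vrid != vrid:
        findings.append("unexpected VRID %d" % adv.vrid)
    if src_mac.lower() != virtual_mac(adv.vrid):
        findings.append("source MAC %s is not the virtual MAC %s" % (src_mac, virtual_mac(adv.vrid)))
    if set(adv.addresses) != set(virtual_ips):
        findings.append("virtual address list %s differs from expected" % adv.addresses)
    if adv.auth_type == AUTH_NONE:
        findings.append("unauthenticated advertisement (auth type 0)")
    elif adv.auth_type == AUTH_SIMPLE:
        pw = adv.auth_data.rstrip(b"\x00").decode("ascii", "replace")
        findings.append("auth type 1 (simple): password %r is visible on the wire" % pw)
    if adv.priority > master_priority:
        findings.append("priority %d would preempt the configured master (%d)" % (adv.priority, master_priority))
    return findings


# Constructed sample traffic for the post's vrrp-group 123 on 192.168.1.0/24.
VIRTUAL_IPS = {"192.168.1.1"}
LEGIT = build_advert(123, 100, ["192.168.1.1"], AUTH_SIMPLE, b"s3cret")
ROGUE = build_advert(123, 200, ["192.168.1.1"])  # a colocated host bidding for master

if __name__ == "__main__":
    for name, mac, pkt in (("legit", virtual_mac(123), LEGIT),
                           ("rogue", "02:00:00:00:00:01", ROGUE)):
        print(name, check_advert(mac, pkt, 123, VIRTUAL_IPS, 100) or "clean")
```

Note that the "simple" type the Cisco offers puts the password itself in the last eight bytes of every advertisement, so anyone who can sniff the segment can join the group; a source-MAC check only helps against a rogue that does not bother to spoof 00:00:5e:00:01:7b, which is exactly the spoofing that port security on the customer port prevents.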
