No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

VRRP IPv6 authentication

Publication Date:  2017-09-05 Views:  494 Downloads:  0
Issue Description

The customer could not configure IPv6 authentication in a network where there is already a VRRP running for IPv4.

The customer typed the command below followed by question mark and noticed there are no paramenters for authentication of VRRP6.

[CE12800]vrrp6 vrid 2 ?

  admin         Specify the administrator VRRP6

  join          Join to load-balance VRRP

  load-balance  Specify load balance mode

  preempt       Specify preempt mode

  priority      Specify priority

  timer         Specify timer

  track         Specify track configuration

  virtual-ip    Specify a virtual IP address

  <cr>      

After searching the documentation and thinking that IPv6 already have the Authentication Header included in the IP packet, so it's more secure than IPv4, checked the IANA webside for RFC5798. There I found that actually the VRRP has removed any type of authentication for both IPv4 and IPv6 later versions. Only IPv4 early versions still support it.


Solution

Security Considerations:

VRRP for IPvX does not currently include any type of authentication. Earlier versions of the VRRP (for IPv4) specification included several types of authentication ranging from none to strong. Operational experience and further analysis determined that these did not provide sufficient security to overcome the vulnerability of misconfigured secrets, causing multiple Masters to be elected. Due to the nature of the VRRP protocol, even if VRRP messages are cryptographically protected, it does not prevent hostile nodes from behaving as if they are a VRRP Master, creating multiple Masters. Authentication of VRRP messages could have prevented a hostile node from causing all properly functioning routers from going into Backup state. However, having multiple Masters can cause as much disruption as no routers, which authentication cannot prevent. Also, even if a hostile node could not disrupt VRRP, it can disrupt ARP and create the same effect as having all routers go into Backup.

Source: https://tools.ietf.org/html/rfc5798#section-9

END