Why is there no authentication in VRRP version 3 / VRRPv3?

Information

Title: Why is there no authentication in VRRP version 3 / VRRPv3?
Question
Why is there no authentication in VRRP version 3 / VRRPv3?
Environment
  • S-Series
  • K-Series
  • N-Series
  • All firmware
Answer
VRRP authentication was removed from V2a and V3 per the IETF: the revised VRRPv2 specification (RFC 3768) dropped the authentication types that RFC 2338 had defined, and VRRPv3 (RFC 5798) never included them. The rationale is given in RFC 5798:

From RFC 5798 (https://tools.ietf.org/html/rfc5798):

9. Security Considerations

VRRP for IPvX does not currently include any type of authentication. Earlier versions of the VRRP (for IPv4) specification included several types of authentication ranging from none to strong. Operational experience and further analysis determined that these did not provide sufficient security to overcome the vulnerability of misconfigured secrets, causing multiple Masters to be elected. Due to the nature of the VRRP protocol, even if VRRP messages are cryptographically protected, it does not prevent hostile nodes from behaving as if they are a VRRP Master, creating multiple Masters. Authentication of VRRP messages could have prevented a hostile node from causing all properly functioning routers from going into Backup state. However, having multiple Masters can cause as much disruption as no routers, which authentication cannot prevent. Also, even if a hostile node could not disrupt VRRP, it can disrupt ARP and create the same effect as having all routers go into Backup.
Additional notes
To secure VRRP itself, a policy (ACL) is needed on all user-facing ports that denies traffic to destination IP 224.0.0.18/32, the VRRP advertisement multicast group (for VRRPv3 over IPv6 the group is FF02::12). This keeps a host on a user port from injecting advertisements and electing itself Master. As the RFC text above notes, it does not stop a hostile host from disrupting ARP and producing the same effect as every router going into Backup.
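Because the RFC text above says authentication cannot prevent multiple Masters, what remains is detecting them and filtering advertisements at the edge. The following is an added example written for this article, not Extreme/Enterasys code or a policy-engine implementation: it decodes VRRPv2 and VRRPv3 advertisement headers, reports VRIDs with more than one advertising source or with an unauthorized source, and models the user-port rule from the note above. All addresses and captured advertisements are constructed sample data; the extra step of dropping IP protocol 112 outright on user ports is an assumed stricter extension, not the page's rule.

```python
"""Added example (not vendor code): parse VRRPv2/v3 advertisements, flag rogue or
duplicate Masters, and model the user-port filter described in the note.
All addresses and observations below are constructed sample data."""
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

VRRP_PROTO = 112                                     # IP protocol number for VRRP
VRRP_V4_GROUP = ipaddress.ip_address("224.0.0.18")   # RFC 3768 / RFC 5798
VRRP_V6_GROUP = ipaddress.ip_address("ff02::12")     # RFC 5798 (IPv6)


@dataclass
class VrrpAdvert:
    version: int
    vrid: int
    priority: int
    addr_count: int
    auth_type: Optional[int]   # v2 still carries an Auth Type octet; v3 has no such field
    adver_int: int             # seconds for v2, centiseconds for v3


def parse_vrrp(payload: bytes) -> VrrpAdvert:
    """Decode the fixed header of a VRRPv2 (RFC 3768) or VRRPv3 (RFC 5798) advertisement.
    Checksums are not verified here (the v3 checksum needs the IP pseudo-header)."""
    if len(payload) < 8:
        raise ValueError("VRRP header too short")
    ver_type, vrid, priority, count = struct.unpack("!BBBB", payload[:4])
    version, pkt_type = ver_type >> 4, ver_type & 0x0F
    if pkt_type != 1:
        raise ValueError(f"unexpected VRRP type {pkt_type}")
    if version == 2:
        auth_type, adver_int = struct.unpack("!BB", payload[4:6])
        return VrrpAdvert(2, vrid, priority, count, auth_type, adver_int)
    if version == 3:
        (rsvd_int,) = struct.unpack("!H", payload[4:6])
        return VrrpAdvert(3, vrid, priority, count, None, rsvd_int & 0x0FFF)
    raise ValueError(f"unsupported VRRP version {version}")


def build_vrrp_v2(vrid: int, priority: int, ips, adver_int: int = 1) -> bytes:
    """Constructed v2 advertisement: Auth Type 0 (none), checksum left zero."""
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(ips), 0, adver_int, 0)
    return hdr + b"".join(ipaddress.IPv4Address(ip).packed for ip in ips) + b"\x00" * 8


def build_vrrp_v3(vrid: int, priority: int, ips, adver_int_cs: int = 100) -> bytes:
    """Constructed v3 advertisement (IPv4 or IPv6 addresses), checksum left zero."""
    hdr = struct.pack("!BBBBHH", 0x31, vrid, priority, len(ips), adver_int_cs & 0x0FFF, 0)
    return hdr + b"".join(ipaddress.ip_address(ip).packed for ip in ips)


def find_rogue_masters(observations, authorized):
    """observations: (source address, VRRP payload) pairs captured on the VRRP segment.
    authorized: {vrid: set of source addresses allowed to speak for that VRID}.
    Every advertisement sender is acting as Master, so more than one source per VRID
    in the capture window means multiple Masters (the failure mode the RFC describes;
    a clean failover also shows two sources briefly, so treat it as a heuristic)."""
    senders = defaultdict(set)
    for src, payload in observations:
        senders[parse_vrrp(payload).vrid].add(src)
    return {
        vrid: {
            "masters": srcs,
            "unauthorized": srcs - authorized.get(vrid, set()),
            "multiple_masters": len(srcs) > 1,
        }
        for vrid, srcs in senders.items()
    }


def user_port_permits(dst_ip: str, protocol: int) -> bool:
    """Model of the user-port policy from the note: deny anything addressed to the
    VRRP group (224.0.0.18, and ff02::12 for VRRPv3 over IPv6). Dropping IP
    protocol 112 outright is an assumed stricter extension, not the page's rule."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in (VRRP_V4_GROUP, VRRP_V6_GROUP):
        return False
    if protocol == VRRP_PROTO:
        return False
    return True


# Constructed capture: both legitimate routers for VRID 10 advertising at once (two
# Masters), a rogue host claiming priority 255, and one healthy VRRPv3 group.
AUTHORIZED = {10: {"192.0.2.1", "192.0.2.2"}, 20: {"2001:db8::1"}}
SAMPLE_OBSERVATIONS = [
    ("192.0.2.1", build_vrrp_v2(10, 200, ["192.0.2.254"])),
    ("192.0.2.2", build_vrrp_v2(10, 100, ["192.0.2.254"])),
    ("192.0.2.77", build_vrrp_v2(10, 255, ["192.0.2.254"])),
    ("2001:db8::1", build_vrrp_v3(20, 150, ["2001:db8::ffff"])),
]

if __name__ == "__main__":
    for vrid, info in sorted(find_rogue_masters(SAMPLE_OBSERVATIONS, AUTHORIZED).items()):
        print(f"VRID {vrid}: masters={sorted(info['masters'])} "
              f"unauthorized={sorted(info['unauthorized'])} "
              f"multiple_masters={info['multiple_masters']}")
    print("user port permits VRRP to 224.0.0.18?", user_port_permits("224.0.0.18", VRRP_PROTO))
```

Run against a live capture, the `observations` list would be filled from packets with IP protocol 112 seen on the VRRP VLAN; the authorized set is the list of router interface addresses you expect for each VRID. The v2 parser exposes the Auth Type octet only to show that the field still exists on the wire in VRRPv2 while v3 dropped it entirely.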
