Gateway load balancing protocols - possible misuses

tomas.kanocz
Level 1

Hi everyone!

I had some brainstorming today at work regarding gateway load balancing protocols and was thinking about authentication. The first thing that I could think of is what would happen if some rogue switch/router was added to our network (or let's say a misconfigured device) that would use the same virtual IP as the master already used as the real gateway. It is fine that if I do not use the same password as the already running one, we will not be able to speak to each other and communicate via, let's say, HSRP. But nothing stops that router from having the same virtual IP address, and thanks to the different passwords, it has no chance of knowing that somebody else is already master for that network. So in this case both of the routers/MLSes will probably respond to ARP queries regarding the gateway, and some nasty MAC address flapping can occur on the switches in the network. Is there any way to solve it, other than to have full control over your network and not allowing this kind of misconfiguration or attack?

Tom

2 Accepted Solutions

paolo bevilacqua
Hall of Fame

Have you run a real network before? Seems to me you're worrying too much.

Peter Paluch
Cisco Employee

Hi Tomas,

For sure, the authentication in FHRP protocols brings little value. VRRP RFCs 3768 (Section 10) and 5798 (Section 9) put it quite nicely: there is no point in doing authentication in these protocols. It does not really increase the security.

With the ability of any station to come with a conflicting IP or MAC, the only reasonable solution I can see is having full control, optionally utilizing mechanisms like DAI or IPSG to prevent stations from doing inappropriate things to their IP/MAC identity.

Best regards,

Peter

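One way to spot the symptom Tom describes from the switch side, as an added example that is not from this thread or from Cisco: a Python script that reads IOS-style MAC-flap syslog lines (constructed samples) and flags only those where the flapping address is an FHRP virtual MAC, so that a second device claiming the gateway identity is surfaced instead of being buried among ordinary host flaps. The `%SW_MATM-4-MACFLAP_NOTIF` message layout and the HSRP/VRRP/GLBP virtual MAC prefixes are assumptions taken from IOS behaviour as I know it; verify them against your platform.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on the IOS MACFLAP_NOTIF message.
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c07.ac0a in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/24
Mar  1 10:00:03.456: %SW_MATM-4-MACFLAP_NOTIF: Host 001b.2c3d.4e5f in vlan 20 is flapping between port Gi1/0/5 and port Gi1/0/6
Mar  1 10:00:05.789: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.0c07.ac0a in vlan 10 is flapping between port Gi1/0/24 and port Gi1/0/1
Mar  1 10:00:07.000: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0105 in vlan 30 is flapping between port Gi1/0/2 and port Gi1/0/9
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-fA-F.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

def fhrp_kind(mac: str):
    """Return (protocol, group) if `mac` is a well-known FHRP virtual MAC, else None.
    Prefixes assumed: HSRPv1 0000.0c07.acXX, HSRPv2 0000.0c9f.fXXX,
    VRRP 0000.5e00.01XX, GLBP 0007.b4XX.XXYY (XX.XX = group, YY = forwarder)."""
    h = mac.replace(".", "").lower()
    if h.startswith("00000c07ac"):
        return ("HSRPv1", int(h[10:], 16))
    if h.startswith("00000c9ff"):
        return ("HSRPv2", int(h[9:], 16))
    if h.startswith("00005e0001"):
        return ("VRRP", int(h[10:], 16))
    if h.startswith("0007b4"):
        return ("GLBP", int(h[6:10], 16))
    return None

def find_gateway_flaps(log_text: str):
    """Aggregate flap notifications per (vlan, mac), keeping only FHRP virtual MACs.
    Two ports for one virtual MAC means two devices are answering as the gateway."""
    events = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue
        kind = fhrp_kind(m["mac"])
        if kind is None:
            continue  # ordinary host flap, not a gateway identity conflict
        e = events[(int(m["vlan"]), m["mac"].lower())]
        e["count"] += 1
        e["ports"].update((m["p1"], m["p2"]))
        e["protocol"], e["group"] = kind
    return dict(events)

if __name__ == "__main__":
    for (vlan, mac), e in find_gateway_flaps(SAMPLE_LOG).items():
        print(f"vlan {vlan}: {e['protocol']} group {e['group']} ({mac}) "
              f"flapped {e['count']}x across {sorted(e['ports'])}")
```

Feed it the switch syslog instead of `SAMPLE_LOG` and alert on any hit: a legitimate HSRP/VRRP failover moves the virtual MAC once, whereas a second device with the same virtual IP and a mismatched key keeps it flapping.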
