10-14-2011 01:58 PM - edited 03-04-2019 01:56 PM
Hi everyone!
I had some brainstorming today at work regarding gateway load balancing protocols and was thinking about authentication. The first thing that I could think of is what would happen if some rogue switch/router was added to our network (or let's say a misconfigured device) that would use the same virtual IP as the master already used as the real gateway. It is fine that if I do not use the same password as the already running one, we will not be able to speak to each other and communicate via, let's say, HSRP. But nothing stops that router from having the same virtual IP address, and thanks to the different passwords, it has no chance of knowing that somebody else is already master for that network. So in this case both of the routers/MLSes will probably respond to ARP queries regarding the gateway, and some nasty MAC address flapping can occur on the switches in the network. Is there any way to solve it, other than to have full control over your network and not allowing this kind of misconfiguration or attack?
Tom
10-14-2011 02:01 PM
Have you run a real network before? Seems to me you're worrying too much.
10-14-2011 02:11 PM
Hi Tomas,
For sure, the authentication in FHRP protocols brings little value. VRRP RFCs 3768 Section 10, and 5798 Section 9 put it quite nicely - there is no point in doing authentication in these protocols. It does not really increase the security.
With the ability of any station to come with a conflicting IP or MAC, the only reasonable solution I can see is having a full control, optionally utilizing mechanisms like DAI or IPSG to prevent stations from doing inappropriate things to their IP/MAC identity.
Best regards,
Peter
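A defender-side check for the scenario in the question (two devices answering ARP for the same gateway VIP, and the resulting MAC flapping) in the spirit of the "full control" approach above. This is an added example, not code from the thread; it assumes ARP replies have already been captured (for instance from a SPAN port) and reduced to (timestamp, sender IP, sender MAC, switch port) tuples, and the sample records are constructed.

```python
"""Flag a gateway VIP claimed by more than one MAC, and MACs that flap between ports.

Added example, not part of the original thread. Input records are assumed to be
(timestamp, sender_ip, sender_mac, switch_port) tuples derived from captured
ARP replies; the sample below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: gateway VIP 10.0.0.1 is answered by the expected HSRP
# virtual MAC (0000.0c07.acXX, XX = group) and by a second, unexpected MAC.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:00:0c:07:ac:01", "Gi1/0/1"),   # legitimate HSRP vMAC, group 1
    (1.5, "10.0.0.20", "aa:bb:cc:00:00:20", "Gi1/0/5"),  # ordinary host, not a gateway
    (2.0, "10.0.0.1", "de:ad:be:ef:00:01", "Gi1/0/7"),   # second device claiming the VIP
    (2.5, "10.0.0.1", "00:00:0c:07:ac:01", "Gi1/0/1"),
    (3.0, "10.0.0.1", "00:00:0c:07:ac:01", "Gi1/0/7"),   # vMAC now seen behind another port
]


def find_gateway_conflicts(replies, gateway_ips):
    """Return {gateway_ip: sorted MACs} for every gateway IP answered by more than one MAC."""
    claims = defaultdict(set)
    for _ts, ip, mac, _port in replies:
        if ip in gateway_ips:
            claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def find_mac_flaps(replies):
    """Return {mac: [(port_before, port_after), ...]} for MACs that move between switch ports."""
    last_port = {}
    flaps = defaultdict(list)
    for _ts, _ip, mac, port in sorted(replies):   # process in timestamp order
        mac = mac.lower()
        if mac in last_port and last_port[mac] != port:
            flaps[mac].append((last_port[mac], port))
        last_port[mac] = port
    return dict(flaps)


if __name__ == "__main__":
    for ip, macs in find_gateway_conflicts(SAMPLE_ARP_REPLIES, {"10.0.0.1"}).items():
        print(f"gateway {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for mac, moves in find_mac_flaps(SAMPLE_ARP_REPLIES).items():
        print(f"MAC {mac} flapped: {moves}")
```

Feeding the same records into an alert when a gateway VIP appears with a MAC outside the expected HSRP/VRRP virtual MAC range gives an early warning before the duplicate claim turns into the port flapping Tomas describes.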