Relying on the Network Infrastructure
If the strong authentication method cannot be used, or when it is deemed not
secure enough, the only remaining approach is to prevent hosts from transmitting VRRP
packets. You can implement this with an inbound ACL on all routers and switches. Because
the ACL relies on IP addresses, you must use an antispoofing mechanism, such as IP Source
Guard. Also, an operational cost exists because the ACL is tied to the IP addresses of the
VRRP routers; therefore, if one router changes its IP address, the ACL needs to be changed.
The ACL depends on the exact network topology, so Example 10-3 is just an example for
you to adapt based on your exact configuration.
Example 10-2 Using MD5 to Authenticate VRRP Messages
interface FastEthernet0/0
ip address 192.168.0.7 255.255.255.0
vrrp 1 ip 192.168.0.7
vrrp 1 authentication md5 key-string SeCrET
Example 10-3 uses IOS to forbid any hosts but 192.168.0.7 and 192.168.0.9 from sending a
VRRP message.
Summary
VRRP has a major vulnerability: the lack of strong authentication and antireplay in RFC
2338 and RFC 3768. This vulnerability opens the door to DoS and MITM attacks. The latter can
be used for attacks against integrity and confidentiality.
You can mitigate DoS and MITM attacks in two ways:
• Using MD5 HMAC to authenticate all VRRP messages, which is easy to deploy, but
does not protect against replay attacks.
• Using an ACL to forbid unauthorized hosts from sending VRRP messages. This must be
complemented with a strict antispoofing mechanism. The ACL approach is preferred.
The protection must be complemented by defining the virtual IP address as the interface
IP address of the master router; this prevents anyone from becoming the master.
References
1 Hinden, R. RFC 2338, “Virtual Router Redundancy Protocol.” April 1998.
2 Hinden, R. RFC 3768, “Virtual Router Redundancy Protocol (VRRP).” April 2004.
Example 10-3 Using IOS ACL to Prevent VRRP Spoofing
interface FastEthernet0/0
ip access-group 101 in
access-list 101 permit 112 host 192.168.0.7 host 224.0.0.18
access-list 101 permit 112 host 192.168.0.9 host 224.0.0.18
access-list 101 deny 112 any any
access-list 101 permit ip any any
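The following Python model is an added example, not code from the book or from IOS: it parses the ACL of Example 10-3, evaluates it first-match as a router would (with the implicit deny), and adds an assumed IP Source Guard binding table to show why the ACL alone cannot stop a host that forges the source address of a legitimate VRRP router, and why a renumbered router is dropped until the ACL is updated.

```python
from dataclasses import dataclass

# Constructed copy of the ACL from Example 10-3 (IOS numbered extended ACL syntax).
ACL_TEXT = """
access-list 101 permit 112 host 192.168.0.7 host 224.0.0.18
access-list 101 permit 112 host 192.168.0.9 host 224.0.0.18
access-list 101 deny 112 any any
access-list 101 permit ip any any
"""

# Constructed (assumed) IP Source Guard bindings: ingress port -> address bound to that port.
BINDINGS = {"Fa0/1": "192.168.0.7", "Fa0/2": "192.168.0.9", "Fa0/3": "192.168.0.50"}

@dataclass
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip" or an IP protocol number as a string (112 is VRRP)
    src: str     # "any" or a single host address
    dst: str     # "any" or a single host address (224.0.0.18 for VRRP)

def _addr(tok):
    # Consume one address spec ("any" or "host A.B.C.D"); return (spec, remaining tokens).
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address spec: {tok[0]}")

def parse_acl(text):
    """Parse 'access-list <n> <action> <proto> <src> <dst>' lines into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, _ = _addr(rest)
        rules.append(Rule(action, proto, src, dst))
    return rules

def evaluate(rules, proto, src, dst):
    """First matching rule wins; IOS appends an implicit 'deny ip any any'."""
    for r in rules:
        if r.proto in ("ip", str(proto)) and r.src in ("any", src) and r.dst in ("any", dst):
            return r.action
    return "deny"

def admit(rules, port, proto, src, dst):
    """Ingress check: IP Source Guard first (source must match the port binding), then the ACL."""
    if BINDINGS.get(port) != src:
        return "deny"
    return evaluate(rules, proto, src, dst)
```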