Security

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



Expand all | Collapse all

Why VRRP authentication for IPv6 is not supported?

  • 1.  Why VRRP authentication for IPv6 is not supported?

    Posted 09-13-2021 05:23
    Dear All,

    When configurating VRRP authentication for IPv6, I received message: 'authentication-type' statement can be included only for interfaces of type 'family inet'
    Why VRRP authentication for IPv6 is not supported?
    How to secure for VRRP IPv6?

    Thanks,

    Ket, Vo Van.

    ------------------------------
    KET VO
    ------------------------------


  • 2.  RE: Why VRRP authentication for IPv6 is not supported?

    Posted 09-13-2021 09:20
    Authentication on First Hop Redundancy Protocols (FHRP) is not really protecting much, if you really think about it.

    When you place a gateway pair in a segment the expectation is that these gateways announce themselves in the LAN via the regular means of communication (IPv4: ARP - solicited, GARP - unsolicited; IPv6: Neighbor Discovery) and a vIP and a vMAC is shared between these gateways, electing a single device as the active forwarder. In order to keep track of the state of the gateways in the segment VRRP messages are sent in the LAN segment in order to keep the Master/Backup state fresh at the control plane level, so that if the Master gateway fails, the Backup gateway could take over the role of the Master, if necessary.

    Even if the control plane messages in VRRP could be authenticated (and/or encrypted) between the Master and Backup nodes, the question is: What prevents an illegitimate node from being connected to the LAN segment and announce itself as the gateway for the LAN taking over the role of the active gateway? Certainly nothing, as this action does not require any VRRP messages at the control plane level, but rather a simple Gratuitous ARP or IPv6 ND messages announcing the illegitimate host as the active gateway for the segment.

    Now that you see this rationale, what is the point of having authentication for VRRPv4/6? Even though earlier versions of the protocol supported it, it is not a requirement and it does not really matter to have such feature in FHRP's.

    You can refer to the following RFC for further information, https://datatracker.ietf.org/doc/html/rfc5798#section-9.

    Hope that helps,

    Elvin


  • 3.  RE: Why VRRP authentication for IPv6 is not supported?

    Posted 09-13-2021 12:11
    Hi Elvin,

    Thanks for your useful information.

    Best Regards,
    Ket, Vo Van.

    ------------------------------
    KET VO
    ------------------------------



  • 4.  RE: Why VRRP authentication for IPv6 is not supported?

    Posted 09-13-2021 14:57
    You are welcome!

    Elvin