Authentication on First Hop Redundancy Protocols (FHRP) is not really protecting much, if you really think about it.
When you place a gateway pair in a segment, the expectation is that these gateways announce themselves in the LAN via the regular means of communication (IPv4: ARP - solicited, GARP - unsolicited; IPv6: Neighbor Discovery) and a vIP and a vMAC are shared between these gateways, electing a single device as the active forwarder. In order to keep track of the state of the gateways in the segment, VRRP messages are sent in the LAN segment in order to keep the Master/Backup state fresh at the control plane level, so that if the Master gateway fails, the Backup gateway could take over the role of the Master, if necessary.
Even if the control plane messages in VRRP could be authenticated (and/or encrypted) between the Master and Backup nodes, the question is: What prevents an illegitimate node from being connected to the LAN segment and announcing itself as the gateway for the LAN, taking over the role of the active gateway? Certainly nothing, as this action does not require any VRRP messages at the control plane level, but rather simple Gratuitous ARP or IPv6 ND messages announcing the illegitimate host as the active gateway for the segment.
Now that you see this rationale, what is the point of having authentication for VRRPv4/6? Even though earlier versions of the protocol supported it, it is not a requirement and it does not really matter to have such a feature in FHRPs.
You can refer to the following RFC for further information,
https://datatracker.ietf.org/doc/html/rfc5798#section-9
Hope that helps,
Elvin
Original Message:
Sent: 09-12-2021 23:00
From: KET VO
Subject: Why VRRP authentication for IPv6 is not supported?
Dear All,
When configuring VRRP authentication for IPv6, I received the message: 'authentication-type' statement can be included only for interfaces of type 'family inet'
Why is VRRP authentication for IPv6 not supported?
How do I secure VRRP for IPv6?
Thanks,
Ket, Vo Van.
------------------------------
KET VO
------------------------------
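The reply's argument is that a gateway takeover needs only a Gratuitous ARP and no VRRP message, so monitoring has to look at ARP itself. The sketch below is an added example, not part of the thread or any vendor's code: it flags ARP frames that bind the gateway vIP to anything other than the VRRP virtual MAC (00-00-5E-00-01-{VRID} per RFC 5798). The vIP, VRID, MAC addresses and sample frames are constructed assumptions, and only IPv4 ARP is covered, not IPv6 ND.

```python
import struct

# Constructed values for this example (assumptions, not from the thread).
VIP = "192.0.2.1"                                   # gateway virtual IP
VRID = 10                                           # VRRP group id
VMAC = bytes([0x00, 0x00, 0x5E, 0x00, 0x01, VRID])  # RFC 5798 IPv4 vMAC: 00-00-5E-00-01-{VRID}

def parse_arp(frame):
    """Parse an untagged Ethernet frame; return ARP fields or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda b: ".".join(map(str, b))
    return {"eth_src": eth_src, "op": op, "sha": sha,
            "spa": dotted(spa), "tpa": dotted(tpa)}

def check_frame(frame):
    """Return an alert string when a frame binds the vIP to a MAC other than the vMAC."""
    arp = parse_arp(frame)
    if arp is None or arp["spa"] != VIP or arp["sha"] == VMAC:
        return None
    kind = "gratuitous ARP" if arp["tpa"] == arp["spa"] else "ARP"
    return "{} binds {} to {} (expected {})".format(
        kind, VIP, arp["sha"].hex(":"), VMAC.hex(":"))

def build_arp(eth_src, op, sha, spa, tpa):
    """Build a broadcast ARP frame for the constructed samples below."""
    pack_ip = lambda s: bytes(int(x) for x in s.split("."))
    return (b"\xff" * 6 + eth_src + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + pack_ip(spa) + b"\x00" * 6 + pack_ip(tpa))

ROUTER = bytes.fromhex("020000000a01")   # constructed physical MAC of the real Master
ROGUE = bytes.fromhex("0200000000ff")    # constructed MAC of an unexpected host
SAMPLES = [
    build_arp(ROUTER, 1, VMAC, VIP, VIP),           # legitimate GARP from the Master
    build_arp(ROGUE, 1, ROGUE, VIP, VIP),           # GARP claiming the vIP with another MAC
    build_arp(ROGUE, 1, ROGUE, "192.0.2.50", VIP),  # ordinary host asking for the gateway
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(check_frame(f))
```

This is detection only; enforcing which port may claim the gateway address belongs on the switch (for example Dynamic ARP Inspection).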