19 Dec 2008 15:54
Re: Problem in VRRP Auth String.
Stephen Nadas <stephen.nadas <at> ericsson.com>
2008-12-19 14:54:08 GMT
2008-12-19 14:54:08 GMT
Ashok,
this kind of question is best addressed to VRRP email
list, which I have now copied
Steve
From: ashok meti [mailto:meti_it2004 <at> yahoo.com]
Sent: Friday, December 19, 2008 2:32 AM
To: Stephen Nadas
Subject: Problem in VRRP Auth String.
Sent: Friday, December 19, 2008 2:32 AM
To: Stephen Nadas
Subject: Problem in VRRP Auth String.
hi
Setup,
On Routers i have VRRP with IPV4.
Configured VRRP on Router 1 with auth type 1 and password="ashok"
Configured VRRP on Router 2 with auth type 2 and password="timothy".
my question is "Since password/auth string is different for 2 routers in Virtual router group should it not discard pkts??"
But still the above scenario is behaving normally.
-Ashok
Setup,
On Routers i have VRRP with IPV4.
Configured VRRP on Router 1 with auth type 1 and password="ashok"
Configured VRRP on Router 2 with auth type 2 and password="timothy".
my question is "Since password/auth string is different for 2 routers in Virtual router group should it not discard pkts??"
But still the above scenario is behaving normally.
-Ashok
From: Stephen Nadas
<stephen.nadas <at> ericsson.com>
To: ashok meti <meti_it2004 <at> yahoo.com>
Sent: Thursday, December 11, 2008 9:17:53 PM
Subject: RE: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
DIV { MARGIN: 0px }
To: ashok meti <meti_it2004 <at> yahoo.com>
Sent: Thursday, December 11, 2008 9:17:53 PM
Subject: RE: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
DIV { MARGIN: 0px }
Ashok,
I don't have any code that I can give you. I suggest
that you do a web search and perhaps there find what you need.
Regards,
Steve
From: ashok meti [mailto:meti_it2004 <at> yahoo.com]
Sent: Wednesday, December 10, 2008 9:48 PM
To: Stephen Nadas
Subject: Re: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
Sent: Wednesday, December 10, 2008 9:48 PM
To: Stephen Nadas
Subject: Re: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
Good Morning stephen,
Thanks for quick reply...
The code which i got doesn't support authentication. I have modified to support simple authentication.
can i get current version of VRRP daemon code?
-Ashok
Thanks for quick reply...
The code which i got doesn't support authentication. I have modified to support simple authentication.
can i get current version of VRRP daemon code?
-Ashok
From: Stephen Nadas
<stephen.nadas <at> ericsson.com>
To: ashok meti <meti_it2004 <at> yahoo.com>
Sent: Wednesday, December 10, 2008 6:58:47 PM
Subject: RE: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
DIV { MARGIN: 0px }
To: ashok meti <meti_it2004 <at> yahoo.com>
Sent: Wednesday, December 10, 2008 6:58:47 PM
Subject: RE: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
DIV { MARGIN: 0px }
Hi Ashok,
I think the wikopedia article on VRRP can lead you in this
direction.
Regards,
Steve
From: ashok meti [mailto:meti_it2004 <at> yahoo.com]
Sent: Wednesday, December 10, 2008 4:36 AM
To: Stephen Nadas
Subject: Re: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
Sent: Wednesday, December 10, 2008 4:36 AM
To: Stephen Nadas
Subject: Re: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
Hello,
can i get the opensource code for VRRP with IPV4???
Please let me know the location!!!!!!!
Thank u
-Ashok
can i get the opensource code for VRRP with IPV4???
Please let me know the location!!!!!!!
Thank u
-Ashok
From: Stephen Nadas
<stephen.nadas <at> ericsson.com>
To: Pasi Eronen <pasi.eronen <at> nokia.com>; iesg <at> ietf.org
Cc: vrrp-chairs <at> tools.ietf.org; draft-ietf-vrrp-unified-spec <at> tools.ietf.org; vrrp <at> ietf.org
Sent: Thursday, November 6, 2008 10:25:23 PM
Subject: Re: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
Hi Pasi,
Thank you for the feedback. Putting to VRRP list for WG feedback.
Regards,
Steve
> -----Original Message-----
> From: Pasi Eronen [mailto:pasi.eronen <at> nokia.com]
> Sent: Thursday, November 06, 2008 11:41
> To: iesg <at> ietf.org
> Cc: vrrp-chairs <at> tools.ietf.org;
> draft-ietf-vrrp-unified-spec <at> tools.ietf.org
> Subject: DISCUSS: draft-ietf-vrrp-unified-spec
>
> Discuss:
> I have reviewed draft-ietf-vrrp-unified-spec-02. Overall, the
> document looks good, but I have the following concerns that
> I'd like to discuss before recommending approval of the document:
>
> The security considerations text basically says security
> doesn't have to be considered here because an attacker can
> cause havoc with ARP anyway. I don't think this is fully
> accurate description. Many networks with untrusted hosts use
> switch security features that prevent hosts from bringing
> down the network with spoofed ARP packets (somewhat similar
> to what SAVI WG is working on). While compromising one of the
> switches or routers would still cause damage, compromised or
> malicious ordinary hosts (attached to switch ports where
> these features are enabled) can't do that much.
>
> The other reason for removing cryptographic authentication of
> VRRP messages is said to be misconfigured secrets (which
> obviously does cause problems -- but on the other hand, this
> situation should be detected very quickly). If it's indeed
> the case that cryptographic per-message authentication isn't
> a good solution to securing VRRP, at the very least the
> document should discuss other possible mechanisms.
> Perhaps e.g. filtering mechanisms in switches, configured on
> per-port basis, could provide some protection? Or could this
> somehow leverage the existing mechanisms for ARP?
>
>
> An additional question about Section 7.4: I'm slightly
> confused by the text here -- does every router create its own
> link-local address (in which case failover is visible to
> hosts in this subnet), or do they share the same link-local
> address? The 1st paragraph says "They MUST NOT use the
> Virtual Router MAC address to create the Modified EUI-64
> identifiers", but the 3rd paragraph talks about "using the
> VRRP MAC in the formation of these link local addresses" --
> are these contradicting each other, or am I just
> misunderstanding how this works?
>
>
>
_______________________________________________
vrrp mailing list
vrrp <at> ietf.org
https://www.ietf.org/mailman/listinfo/vrrp
To: Pasi Eronen <pasi.eronen <at> nokia.com>; iesg <at> ietf.org
Cc: vrrp-chairs <at> tools.ietf.org; draft-ietf-vrrp-unified-spec <at> tools.ietf.org; vrrp <at> ietf.org
Sent: Thursday, November 6, 2008 10:25:23 PM
Subject: Re: [VRRP] DISCUSS: draft-ietf-vrrp-unified-spec
Hi Pasi,
Thank you for the feedback. Putting to VRRP list for WG feedback.
Regards,
Steve
> -----Original Message-----
> From: Pasi Eronen [mailto:pasi.eronen <at> nokia.com]
> Sent: Thursday, November 06, 2008 11:41
> To: iesg <at> ietf.org
> Cc: vrrp-chairs <at> tools.ietf.org;
> draft-ietf-vrrp-unified-spec <at> tools.ietf.org
> Subject: DISCUSS: draft-ietf-vrrp-unified-spec
>
> Discuss:
> I have reviewed draft-ietf-vrrp-unified-spec-02. Overall, the
> document looks good, but I have the following concerns that
> I'd like to discuss before recommending approval of the document:
>
> The security considerations text basically says security
> doesn't have to be considered here because an attacker can
> cause havoc with ARP anyway. I don't think this is fully
> accurate description. Many networks with untrusted hosts use
> switch security features that prevent hosts from bringing
> down the network with spoofed ARP packets (somewhat similar
> to what SAVI WG is working on). While compromising one of the
> switches or routers would still cause damage, compromised or
> malicious ordinary hosts (attached to switch ports where
> these features are enabled) can't do that much.
>
> The other reason for removing cryptographic authentication of
> VRRP messages is said to be misconfigured secrets (which
> obviously does cause problems -- but on the other hand, this
> situation should be detected very quickly). If it's indeed
> the case that cryptographic per-message authentication isn't
> a good solution to securing VRRP, at the very least the
> document should discuss other possible mechanisms.
> Perhaps e.g. filtering mechanisms in switches, configured on
> per-port basis, could provide some protection? Or could this
> somehow leverage the existing mechanisms for ARP?
>
>
> An additional question about Section 7.4: I'm slightly
> confused by the text here -- does every router create its own
> link-local address (in which case failover is visible to
> hosts in this subnet), or do they share the same link-local
> address? The 1st paragraph says "They MUST NOT use the
> Virtual Router MAC address to create the Modified EUI-64
> identifiers", but the 3rd paragraph talks about "using the
> VRRP MAC in the formation of these link local addresses" --
> are these contradicting each other, or am I just
> misunderstanding how this works?
>
>
>
_______________________________________________
vrrp mailing list
vrrp <at> ietf.org
https://www.ietf.org/mailman/listinfo/vrrp
_______________________________________________ vrrp mailing list vrrp <at> ietf.org https://www.ietf.org/mailman/listinfo/vrrp
RSS Feed