3.2.1 Ensure VRRP authentication-key is set

Information

VRRP authentication should be used where other security mechanisms are not in place.

Rationale:

VRRP provides resilience for a routers interfaces, allowing another router to act as backup in the event of a partial or complete failure of the primary router and increasing the availability network resources as well as resilience to DoS attack.

Routers configured to share a Virtual IP Address using VRRP communicate their status to their peer on a regular basis using a multicast packet, allowing a Master for the VIP to be elected. It is the Master that deals with packets destined for the VIP address.

If no authentication is used an attacker could potentially disrupt the VRRP Master Election process, causing neither router to handle packets destined for the VIP and resulting a DoS.

An authentication key can be configured for all VRRP Groups used on the device to help protect against this.

Solution

If you have configured VRRP on one or more interfaces you should configure authentication using the following commands from the [edit interfaces <interface name> unit <unit number> family inet address <ip address>] hierarchy;

[edit interfaces '<interface name> unit <unit number> family inet address <ip address>']
user@host#set vrrp-group <group number> authentication-key <key>

Default Value:

VRRP is not configured by default

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: ec5133d19a8fd4e0dac34a20573165b7840ace59d49f7b50327b74c73e0cc37f