3.2.2 Ensure authentication-type is set to MD5

Information

Any VRRP group that uses authentication should use MD5 HMAC (authentication-type md5), never simple (plain-text) authentication.

Rationale:

VRRP provides resilience for a router's interfaces, allowing another router to act as backup in the event of a partial or complete failure of the primary router. This increases the availability of network resources and improves resilience to DoS attacks.

Routers configured to share a Virtual IP Address (VIP) using VRRP communicate their status to their peers on a regular basis using multicast advertisements, allowing a Master for the VIP to be elected. It is the Master that handles packets destined for the VIP address.

If no authentication is used, an attacker on the same segment can inject forged VRRP advertisements and disrupt the Master election process, leaving no router handling packets destined for the VIP and resulting in a DoS. Because the Master is chosen by the highest advertised priority, a forged advertisement can also cause the attacker's own host to be elected Master, so that traffic for the VIP is delivered to the attacker instead of the legitimate router.

VRRP version 2 supports simple authentication and MD5. Simple authentication transmits the password in plain text, so it should not be used. MD5 authentication uses a keyed-hash message authentication code (HMAC), a technique that combines a shared secret key with a cryptographic hash algorithm to verify the authenticity and integrity of each received advertisement; a peer that does not hold the key cannot produce a valid digest. The key must be identical on every router in the VRRP group. Note that VRRP version 3 (RFC 5798), which is what Junos uses for IPv6, defines no authentication mechanism at all, so this control applies to VRRP groups configured under family inet.

Solution

If you have configured VRRP on one or more interfaces, configure MD5-HMAC authentication for each VRRP group with the following command from the [edit interfaces <interface name> unit <unit number> family inet address <ip address>] hierarchy. A shared secret must also be set on the same group with the authentication-key statement, and it must match on every router in the group, or the routers will ignore each other's advertisements and each will become Master:

[edit interfaces <interface name> unit <unit number> family inet address <ip address>]
user@host# set vrrp-group <group number> authentication-type md5
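The following audit script is an added example and is not part of the CIS benchmark text or any Juniper tooling. It parses a Junos configuration exported in set format (show configuration | display set), collects every VRRP group under family inet, and reports groups that have no authentication, that use simple authentication, or that set md5 without an authentication-key. The embedded configuration is constructed for the example (interface names, addresses, group numbers and the "$9$placeholder" key are all made up); the regular expression, function names and finding strings are the author's own choices, not Junos or CIS terms.

```python
"""Audit Junos set-format configuration for VRRP groups lacking MD5 authentication.

Added example; not CIS benchmark or Juniper code.  Assumes the configuration
was exported with "show configuration | display set".
"""

import re

# One VRRP statement per line in set format, e.g.
# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 authentication-type md5
VRRP_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family inet "
    r"address (?P<addr>\S+) vrrp-group (?P<group>\d+)(?: (?P<rest>.*))?$"
)

# Constructed sample: group 10 is compliant, group 20 uses simple
# authentication, group 30 has no authentication at all.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 virtual-address 192.0.2.1
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 authentication-type md5
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.2/24 vrrp-group 10 authentication-key "$9$placeholder"
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.2/24 vrrp-group 20 virtual-address 198.51.100.1
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.2/24 vrrp-group 20 authentication-type simple
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.2/24 vrrp-group 20 authentication-key "$9$placeholder"
set interfaces ge-0/0/3 unit 0 family inet address 203.0.113.2/24 vrrp-group 30 virtual-address 203.0.113.1
"""


def parse_vrrp_groups(config_text):
    """Map (interface, unit, address, group) -> authentication options seen."""
    groups = {}
    for line in config_text.splitlines():
        m = VRRP_RE.match(line.strip())
        if not m:
            continue
        key = (m["ifd"], m["unit"], m["addr"], m["group"])
        opts = groups.setdefault(key, {})  # a group with only virtual-address still counts
        words = (m["rest"] or "").split()
        if len(words) >= 2 and words[0] == "authentication-type":
            opts["authentication-type"] = words[1]
        elif words and words[0] == "authentication-key":
            opts["has-key"] = True
    return groups


def audit(config_text):
    """Return [(group_key, reason)] for every VRRP group that fails the control."""
    findings = []
    for key, opts in sorted(parse_vrrp_groups(config_text).items()):
        atype = opts.get("authentication-type")
        if atype is None:
            findings.append((key, "no authentication configured"))
        elif atype != "md5":
            findings.append((key, f"authentication-type is {atype}, expected md5"))
        elif not opts.get("has-key"):
            # md5 without a key will not commit on Junos, but a partial
            # candidate configuration can still look like this.
            findings.append((key, "authentication-type md5 set without authentication-key"))
    return findings


def remediation(key):
    """Build the set command from the Solution section for a failing group."""
    ifd, unit, addr, group = key
    return (f"set interfaces {ifd} unit {unit} family inet address {addr} "
            f"vrrp-group {group} authentication-type md5")


if __name__ == "__main__":
    for key, reason in audit(SAMPLE_CONFIG):
        print(f"FAIL {key}: {reason}")
        print(f"     {remediation(key)}")
```

Run it against a real export and review each FAIL line; the printed remediation only sets the authentication type, so add the matching authentication-key on every router in the group before committing.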

Default Value:

VRRP authentication is not enabled by default (authentication-type none).

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|16.4

Plugin: Juniper

Control ID: 48727cb59e4be881c4d84227c8bee5b93a387207177effd9b33b46506094a736