Ensure authentication-type is set to MD5

Details

Any VRRP authentication should use MD5 HMAC

Rationale:

VRRP provides resilience for a router's interfaces, allowing another router to act as backup in the event of a partial or complete failure of the primary router, which increases the availability of network resources as well as resilience to DoS attack.

Routers configured to share a Virtual IP Address using VRRP communicate their status to their peer on a regular basis using a multicast packet, allowing a Master for the VIP to be elected. It is the Master that deals with packets destined for the VIP address.

If no authentication is used, an attacker could potentially disrupt the VRRP Master election process, causing neither router to handle packets destined for the VIP and resulting in a DoS.

VRRP supports simple authentication and MD5. Simple authentication transmits the password in plain text, so it should not be used. MD5 authentication uses a Keyed-Hash Message Authentication Code (HMAC), a technique which combines a key with a cryptographic hash algorithm to verify the authenticity and integrity of the received packet.

Solution

If you have configured VRRP on one or more interfaces, you can configure authentication using MD5-HMAC with the following commands from the [edit interfaces unit family inet address ] hierarchy:

[edit interfaces unit family inet address ]
user@host# set vrrp-group authentication-type md5
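As an added example, not part of this control or of Juniper's own tooling, the following Python script audits a configuration captured with "show configuration | display set" and reports every vrrp-group whose authentication-type is missing or set to simple. The sample configuration, interface names, addresses and key value are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration in 'show configuration | display set' form.
# Interface names, addresses and the key value are illustrative, not from a real device.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 virtual-address 192.0.2.1
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 priority 200
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 authentication-type md5
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/24 vrrp-group 1 authentication-key "EXAMPLE-KEY"
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.2/24 vrrp-group 2 virtual-address 198.51.100.1
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.2/24 vrrp-group 2 authentication-type simple
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.2/24 vrrp-group 3 virtual-address 203.0.113.1
"""

@dataclass
class VrrpGroup:
    path: str                          # "<interface> unit <n> family inet address <addr> vrrp-group <id>"
    auth_type: Optional[str] = None    # value of authentication-type, or None if never set

def parse_vrrp_groups(config_text: str) -> dict:
    """Collect every vrrp-group stanza and the authentication-type it sets, if any."""
    groups = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["set", "interfaces"] or "vrrp-group" not in tokens:
            continue
        idx = tokens.index("vrrp-group")
        if idx + 1 >= len(tokens):
            continue  # malformed line with no group id
        path = " ".join(tokens[2:idx + 2])            # identifies one group on one address
        group = groups.setdefault(path, VrrpGroup(path))
        rest = tokens[idx + 2:]                        # statements under the vrrp-group
        if len(rest) >= 2 and rest[0] == "authentication-type":
            group.auth_type = rest[1]
    return groups

def audit(config_text: str) -> list:
    """Return one finding per vrrp-group whose authentication-type is not md5."""
    findings = []
    for path, group in parse_vrrp_groups(config_text).items():
        if group.auth_type == "md5":
            continue
        reason = ("no authentication configured" if group.auth_type is None
                  else f"authentication-type {group.auth_type} sends the password in clear text")
        findings.append(f"{path}: {reason}; set authentication-type md5")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns two findings, one for group 2 (simple) and one for group 3 (no authentication); group 1 passes.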

Default Value:

VRRP authentication is not enabled by default

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Juniper.

Updated on July 16, 2022