In message <200105031757.TAA05508at_private>, bashis writes:
>Hi
>
>I was playing with Cisco's HSRP (Hot Standby Routing Protocol),
>and there is a (major) weakness in that protocol that allows
>any host in a LAN segment to make a HSRP DoS.
>
>Short (very) explanation of HSRP.
>HSRP uses UDP on port 1985 to multicast address 224.0.0.2,
>and the authentication is in clear text. (default: cisco)
>
>I include a small program that sends out a fake HSRP packet
>when it hears a legal HSRP packet, as a "proof of concept" code...
>
>Vendor was notified about this 14 April 2001,
>and their response was to use HSRP with IPSec.
>http://www.cisco.com/networkers/nw00/pres/2402.pdf
>

Their response was precisely correct. Given the evils that can be done with ARP-spoofing, this sort of misbehavior by someone already on the LAN can't easily be prevented.

More generally, have a look at RFC 2338, on VRRP -- the Virtual Router Redundancy Protocol. VRRP is the standards-track replacement for HSRP. The Security Considerations section explains when to use each type of authentication, up to and including IPsec.

Cisco's real mistake is in having a common default authentication word -- not because it's a security failure, but because it can no longer fulfill its function of guarding against configuration errors.

--Steve Bellovin, http://www.research.att.com/~smb
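The thread gives the facts a network defender needs to monitor HSRP on a segment: UDP port 1985, multicast 224.0.0.2, a clear-text authentication field, and the well-known default string "cisco" whose only real job (as Bellovin notes) is to catch configuration errors. The following is an added example, not code from the original post or from Cisco: a small HSRPv1 payload parser (the 20-byte layout from RFC 2281) plus a monitor that audits observed packets for the default authentication string and for Coup or Active claims arriving from a source other than the router it has already seen holding the Active role. The packet bytes, IP addresses and group numbers are constructed for the example; the `HsrpMonitor` class and its findings strings are this example's own design.

```python
"""Audit HSRPv1 hello traffic for the default auth string and unexpected takeovers.

Added example for the bashis/Bellovin HSRP thread; not the original proof-of-concept.
The packet layout is from RFC 2281 section 5.1 (HSRP version 1, 20-byte payload).
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

HSRP_PORT = 1985            # UDP port HSRP uses (from the thread)
HSRP_MCAST = "224.0.0.2"    # all-routers multicast group (from the thread)
DEFAULT_AUTH = b"cisco"     # the common default authentication word

OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATE_ACTIVE = 16           # RFC 2281 state values: 0 Initial .. 8 Standby, 16 Active

# Constructed sample payloads (hex), not captured traffic. Layout:
#   version, opcode, state, hellotime, holdtime, priority, group, reserved,
#   8-byte auth (NUL padded), 4-byte virtual IP.
SAMPLES = {
    # Hello, Active, priority 100, group 1, auth "cisco", VIP 10.0.0.254
    "hello_active":  "000010030a640100636973636f0000000a0000fe",
    # Hello, Standby, priority 90, same group and auth
    "hello_standby": "000008030a5a0100636973636f0000000a0000fe",
    # Coup, Speak state, priority 255 (a takeover attempt or a misconfigured router)
    "coup":          "000104030aff0100636973636f0000000a0000fe",
    # Hello, Active, priority 100, non-default auth "s3cr3t"
    "hello_custom":  "000010030a64010073336372337400000a0000fe",
}


@dataclass
class HsrpPacket:
    version: int
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpPacket:
    """Parse a raw HSRPv1 UDP payload; raises ValueError on malformed input."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 payload must be at least 20 bytes")
    ver, op, state, hello, hold, prio, group, _reserved = struct.unpack("!8B", payload[:8])
    if ver != 0:
        raise ValueError(f"unsupported HSRP version {ver}")
    if op not in OPCODES:
        raise ValueError(f"unknown HSRP opcode {op}")
    auth = payload[8:16].rstrip(b"\x00")          # clear-text, NUL padded to 8 bytes
    vip = ".".join(str(b) for b in payload[16:20])
    return HsrpPacket(ver, op, state, hello, hold, prio, group, auth, vip)


class HsrpMonitor:
    """Tracks the Active router per group and reports anomalies per observed packet."""

    def __init__(self) -> None:
        # group -> (source IP of the router seen Active, its advertised priority)
        self.active: Dict[int, Tuple[str, int]] = {}

    def observe(self, src_ip: str, payload: bytes) -> List[str]:
        pkt = parse_hsrp(payload)
        findings: List[str] = []
        if pkt.auth == DEFAULT_AUTH:
            # Not a break-in by itself, but it means the auth field no longer
            # guards against a mis-grouped or foreign router joining the group.
            findings.append(f"group {pkt.group}: default authentication string in use from {src_ip}")
        current = self.active.get(pkt.group)
        if pkt.opcode == 1 and current is not None and src_ip != current[0]:
            # A Coup is legitimate when a higher-priority configured router preempts;
            # from an unknown source it is worth correlating with the change log.
            findings.append(
                f"group {pkt.group}: Coup from {src_ip} (priority {pkt.priority}) "
                f"against active {current[0]} (priority {current[1]})"
            )
        if pkt.state == STATE_ACTIVE:
            if current is None:
                self.active[pkt.group] = (src_ip, pkt.priority)
            elif src_ip != current[0]:
                findings.append(f"group {pkt.group}: active role moved from {current[0]} to {src_ip}")
                self.active[pkt.group] = (src_ip, pkt.priority)
        return findings


def run_demo() -> List[str]:
    """Feed the constructed samples through one monitor and return all findings."""
    mon = HsrpMonitor()
    out: List[str] = []
    out += mon.observe("10.0.0.1", bytes.fromhex(SAMPLES["hello_active"]))
    out += mon.observe("10.0.0.2", bytes.fromhex(SAMPLES["hello_standby"]))
    out += mon.observe("10.0.0.9", bytes.fromhex(SAMPLES["coup"]))
    return out


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In practice `observe` would be fed the UDP payload and source address of each packet captured on port 1985 to 224.0.0.2; the default-auth finding is the configuration check Bellovin's point calls for, while the Coup and role-change findings are signals to reconcile against the routers you actually configured for the group, not proof of an attack on their own.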
This archive was generated by hypermail 2b30 : Thu May 03 2001 - 23:16:37 PDT