From: Wouter Prins (wp@null0.nl)
Date: Sat Jan 03 2009 - 16:51:05 ARST
Hi Scott :-)
2009/1/3 Scott Vermillion <scott_ccie_list@it-ag.com>
> Hi Wouter,
>
> We get so caught up in Cisco documentation and vendor training material, we
> sometimes forget about RFCs!
yes, or other topics ;)
>
>
> In answer to question one, from RFC 3768:
>
> "7.3. Virtual Router MAC Address
>
> The virtual router MAC address associated with a virtual router is an IEEE
> 802 MAC Address in the following format:
>
> 00-00-5E-00-01-{VRID} (in hex in internet standard bit-order)
>
> The first three octets are derived from the IANA's OUI. The next two octets
> (00-01) indicate the address block assigned to the VRRP protocol. {VRID} is
> the VRRP Virtual Router Identifier. This mapping provides for up to 255
> VRRP routers on a network."
Why did they pick the unicast OUI range for VRRP and not the multicast OUI
range (it's a multicast IP address)? See
http://www.iana.org/assignments/ethernet-numbers. It might be me, but I still
don't understand it somehow? :)
> In answer to question 2, it's a security feature:
>
> "Independent of any authentication type VRRP includes a mechanism (setting
> TTL=255, checking on receipt) that protects against VRRP packets being
> injected from another remote network. This limits most vulnerabilities to
> local attacks."
>
> What this is saying is that if VRRP routers were to merely validate that TTL
> was "1" inbound, then somebody n hops away could initialize TTL such that it
> was 1 inbound when it reached the target of the attack. Whereas if VRRP
> routers are configured to look for "255" inbound, then an attacker would
> somehow have to figure out how to get intermediate routers to not decrement
> TTL, which seems fairly unlikely!
>
Thanks, I couldn't see the reason behind the use of the TTL of 255, but with
this explanation I do. :)
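To make the two RFC 3768 points from this thread concrete (the 00-00-5E-00-01-{VRID} virtual MAC mapping, and the receive-side TTL=255 check that rejects advertisements which have crossed a router), here is a small added Python example. It is not code from the list posts or from any vendor implementation: it builds a constructed IPv4+VRRPv2 advertisement in memory, then runs the receiver's sanity checks over it. Packet builder names, the sample addresses (192.0.2.x, 198.51.100.x) and the checksum helper are this example's own assumptions.

```python
import ipaddress
import struct

VRRP_PROTO = 112            # IP protocol number for VRRP (RFC 3768, 5.1)
VRRP_MCAST = "224.0.0.18"   # VRRP multicast group
REQUIRED_TTL = 255          # receivers MUST drop packets whose TTL is not 255


def vrrp_virtual_mac(vrid):
    """RFC 3768 section 7.3: 00-00-5E-00-01-{VRID}, VRID in 1..255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "00:00:5e:00:01:%02x" % vrid


def checksum16(data):
    """Standard one's-complement 16-bit checksum (as used by IP and VRRP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_vrrp(src, ttl, vrid, priority, vips):
    """Build a constructed sample packet: IPv4 header + VRRPv2 advertisement, auth type 0."""
    # version 2 / type 1 (advertisement), VRID, priority, count of IPs, auth type 0, adver int 1
    body = struct.pack("!BBBBBB", (2 << 4) | 1, vrid, priority, len(vips), 0, 1)
    body += b"\x00\x00"                      # checksum placeholder
    for vip in vips:
        body += ipaddress.IPv4Address(vip).packed
    body += b"\x00" * 8                      # authentication data (unused with auth type 0)
    body = body[:6] + struct.pack("!H", checksum16(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl, VRRP_PROTO, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(VRRP_MCAST).packed)
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return ip + body


def validate_vrrp(pkt):
    """Receive-side checks; returns (ok, reason, info). The TTL check is the one the thread discusses."""
    if len(pkt) < 20:
        return False, "truncated IP header", None
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto != VRRP_PROTO:
        return False, "not a VRRP packet", None
    if dst != VRRP_MCAST:
        return False, "unexpected destination %s" % dst, None
    # Every router on the path decrements TTL, so anything below 255 cannot have
    # originated on the local link; drop it regardless of what the payload says.
    if ttl != REQUIRED_TTL:
        return False, "TTL %d != 255: packet was routed or forged off-link" % ttl, None
    body = pkt[ihl:]
    if len(body) < 8:
        return False, "truncated VRRP header", None
    if body[0] >> 4 != 2:
        return False, "unsupported VRRP version %d" % (body[0] >> 4), None
    if checksum16(body) != 0:
        return False, "bad VRRP checksum", None
    vrid, priority, count = body[1], body[2], body[3]
    vips = [str(ipaddress.IPv4Address(body[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return True, "ok", {"vrid": vrid, "priority": priority,
                        "vmac": vrrp_virtual_mac(vrid), "vips": vips}


if __name__ == "__main__":
    on_link = build_ipv4_vrrp("192.0.2.1", 255, 7, 100, ["192.0.2.254"])
    print(validate_vrrp(on_link))
    # Same advertisement after one router hop (or crafted so TTL arrives as 1): rejected.
    routed = build_ipv4_vrrp("198.51.100.9", 1, 7, 255, ["192.0.2.254"])
    print(validate_vrrp(routed))
```

The `routed` packet in the usage block is the scenario Scott describes: a high-priority advertisement whose TTL is anything other than 255 on arrival is discarded before priority or VRID are even looked at, which is why a sender has to be on the same link to influence the election. The `vmac` field shows the RFC 7.3 mapping; its first octet is 00, so the I/G bit is clear and the address is an individual (unicast) one, which is what hosts end up with in their ARP cache for the virtual IP.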
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:36 ARST