Community discussions

MikroTik App
 
mhviper
newbie
Topic Author
Posts: 36
Joined: Wed Sep 25, 2013 4:59 am

VRRP ipv6 vlan/crossover

Tue Apr 11, 2017 4:30 pm

Hello,

as vrrp version 3 dropped the AH feature I am thinking about doing vrrp traffic on an crossover link or management vlan.

My config is the following:
router1:
/interface vrrp
add interface=ether1 name=default_ipv6 v3-protocol=ipv6 version=3 vrid=102 priority=90 
/ipv6 address
add address=2001:xxx:xxx:6::2 interface=toCore 
add address=2001:xxx:xxx:6::1 interface=default_ipv6 
router2:
/interface vrrp
add interface=ether1 name=default_ipv6 v3-protocol=ipv6 version=3 vrid=102 priority=100 
/ipv6 address
add address=2001:xxx:xxx:6::3 interface=toCore
add address=2001:xxx:xxx:6::1 interface=default_ipv6
ether1 is a private crosslink between router1 and router2. toCore is a trunk to the public accessible network.

The vrrp interface comes up without problem and i can change the master by adjusting the priority.
The ipv6 gateway address comes up and could be reached until I change the master. As soon as I change the master the gateway ip address is no longer reachable until I switch back to the old master. My guess is that the vrrp daemon sends out the arp "flush" on the ether1 link and not on the "toCore" link?!

As soon as i switch the vrrp interface to "toCore" everything works fine so I guess I am not doing the right thing?!

Regards,
Michael
 
idlemind
Forum Guru
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: VRRP ipv6 vlan/crossover

Tue Apr 11, 2017 7:16 pm

ND caching not ARP. Make sure you aren't filtering any ICMPv6 messages between the 2 VRRP devices and sourced by the VRRP routers.
 
mhviper
newbie
Topic Author
Posts: 36
Joined: Wed Sep 25, 2013 4:59 am

Re: VRRP ipv6 vlan/crossover

Tue Apr 11, 2017 8:06 pm

Hi,

thanks for your reply. No filters are applied for icmpv6 or vrrp. Vrrp itself is working as intended, both routers see each other and vrrp master changes as soon as priority is changed.
 
idlemind
Forum Guru
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: VRRP ipv6 vlan/crossover

Tue Apr 11, 2017 8:35 pm

Just re-read this ... Why aren't the ::2 / ::3 IPs on ether1 or the VRRP interface on the toCore links?

I'm guessing by default (can't verify atm) you have a /64 configured in 2 broadcast domains. When VRRP changes the ND update is sent out ether1 where there is no one to hear it that cares.
 
mhviper
newbie
Topic Author
Posts: 36
Joined: Wed Sep 25, 2013 4:59 am

Re: VRRP ipv6 vlan/crossover

Tue Apr 11, 2017 10:18 pm

Hi,

thanks for your answer.

It's my intension to run the vrrp Multicast Traffic on ether1 (direct Connection between router1 and router2) and get the virtual Gateway address assigned on toCore in order to avoid that the vrrp Traffic gets exposed to the whole lan.

When I assign the :2 and :3 to the "toCore" trunk everything is working perfect but every Host in the lan can see the multicast vrrp traffic and simply takeover or interrupt the vrrp setup.

Your conclusion with the splitted network is exactly what i believe is happening but I wonder what others do to avoid that ipv6 vrrp Traffic could easily be hijacked inside the network.
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: VRRP ipv6 vlan/crossover

Wed Apr 12, 2017 12:40 am

Bit of a long shot....
Bridge your "crossover" link with your LAN uplink on each router. This is the long shot bit...can you apply a filter to just the LAN uplink that would block VRRP on that interface?
 
idlemind
Forum Guru
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: VRRP ipv6 vlan/crossover

Wed Apr 12, 2017 1:41 am

Basically, add layer 2 security to lock down not only VRRP but also RAs from non-routers much like we would do with DHCP Snooping and ARP protections.

Here is the line from RFC 5798, VRRPv3, that basically says the same thing:
9. Security Considerations

VRRP for IPvX does not currently include any type of authentication.
Earlier versions of the VRRP (for IPv4) specification included
several types of authentication ranging from none to strong.
Operational experience and further analysis determined that these did
not provide sufficient security to overcome the vulnerability of
misconfigured secrets, causing multiple Masters to be elected. Due
to the nature of the VRRP protocol, even if VRRP messages are
cryptographically protected, it does not prevent hostile nodes from
behaving as if they are a VRRP Master, creating multiple Masters.
Authentication of VRRP messages could have prevented a hostile node
from causing all properly functioning routers from going into Backup
state. However, having multiple Masters can cause as much disruption
as no routers, which authentication cannot prevent. Also, even if a
hostile node could not disrupt VRRP, it can disrupt ARP and create
the same effect as having all routers go into Backup.

Some L2 switches provide the capability to filter out, for example,
ARP and/or ND messages from end-hosts on a switch-port basis. This
mechanism could also filter VRRP messages from switch ports
associated with end-hosts and can be considered for deployments with
untrusted hosts.

It should be noted that these attacks are not worse and are a subset
of the attacks that any node attached to a LAN can do independently
of VRRP. The kind of attacks a malicious node on a LAN can do
include promiscuously receiving packets for any router's MAC address;
sending packets with the router's MAC address as the source MAC
address in the L2 header to tell the L2 switches to send packets
addressed to the router to the malicious node instead of the router;
send redirects to tell the hosts to send their traffic somewhere
else; send unsolicited ND replies; answer ND requests; etc. All of
this can be done independently of implementing VRRP. VRRP does not
add to these vulnerabilities.

Independent of any authentication type, VRRP includes a mechanism
(setting TTL = 255, checking on receipt) that protects against VRRP
packets being injected from another remote network. This limits most
vulnerabilities to local attacks.

VRRP does not provide any confidentiality. Confidentiality is not
necessary for the correct operation of VRRP, and there is no
information in the VRRP messages that must be kept secret from other
nodes on the LAN.

In the context of IPv6 operation, if SEcure Neighbor Discovery (SEND)
is deployed, VRRP is compatible with the "trust anchor" and "trust
anchor or cga" modes of SEND [RFC3971]. The SEND configuration needs
to give the Master and Backup routers the same prefix delegation in
the certificates so that Master and Backup routers advertise the same
set of subnet prefixes. However, the Master and Backup routers
should have their own key pairs to avoid private key sharing.
 
mhviper
newbie
Topic Author
Posts: 36
Joined: Wed Sep 25, 2013 4:59 am

Re: VRRP ipv6 vlan/crossover

Wed Apr 12, 2017 10:04 am

The idea with the bridge sounds weird, have you ever seen that live?

Ok but filtering ND and vrrp on the customer ports denies my customers the change to run vrrp on their own.
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: VRRP ipv6 vlan/crossover

Wed Apr 12, 2017 10:47 am

The idea with the bridge sounds weird, have you ever seen that live?
No, hence describing it as a long shot.
 
idlemind
Forum Guru
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: VRRP ipv6 vlan/crossover

Wed Apr 12, 2017 10:58 pm

Ok but filtering ND and vrrp on the customer ports denies my customers the change to run vrrp on their own.
Why would a customer be running VRRP on their WAN interface to you? A much more standard option for them would be to run a routing protocol like BGP or OSPF directly with you if you are giving them more than a single link.
 
idlemind
Forum Guru
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: VRRP ipv6 vlan/crossover

Wed Apr 12, 2017 10:59 pm

Bit of a long shot....
Bridge your "crossover" link with your LAN uplink on each router. This is the long shot bit...can you apply a filter to just the LAN uplink that would block VRRP on that interface?
If you bridged your crossover link you create a single broadcast domain and the VRRP messages would still be flooded to the clients on his toCore links negating the separation.
 
troffasky
Member
Member
Posts: 436
Joined: Wed Mar 26, 2014 4:37 pm

Re: VRRP ipv6 vlan/crossover

Mon Apr 17, 2017 10:40 pm

Which is why I suggested trying to filter it.
 
mhviper
newbie
Topic Author
Posts: 36
Joined: Wed Sep 25, 2013 4:59 am

Re: VRRP ipv6 vlan/crossover

Mon Apr 17, 2017 11:11 pm

Our Customers run dedicated systems behind our mikrotiks therefore might need vrrp on their own.

We will test if we can simply add the gateway ips with scripts that gets triggert by vrrp as "on-master" and "on-backup" provides the necessary hooks.
 
idlemind
Forum Guru
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: VRRP ipv6 vlan/crossover

Mon Apr 17, 2017 11:48 pm

Are you able to explain the use case a bit more? I'm struggling to see why both of you need VRRP. If the devices on both sides are capable of VRRP you are likely in a situation where a routing protocol can be run.
 
emikrotik
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Fri Jun 19, 2015 9:30 am

Re: VRRP ipv6 vlan/crossover

Tue May 02, 2017 8:30 am

Hello,

I had the same issue, I found it to be ARP.

I copied the MAC address on the toCore interface so they were the same on both devices and disabled / enabled the port when VRRP changed from master to backup on the script tab.

/interface ethernet set sfp1 mac-address=xx:xx:xx:xx:xx:xx;

Who is online

Users browsing this forum: No registered users and 3 guests