Virtual Router Redundancy Protocol (VRRP) San Francisco IETF
VRRP Working Group
March 2003
San Francisco IETF
Mukesh Gupta / Nokia
Chair
AGENDA
• Introduction and Review Agenda
• Milestones/Plans
• Current Drafts
• Security Issues with VRRP
• VRRPv3
• VRRPv3 MIB
• IPR Issues
• Further Interests of the WG
WG MILESTONES/PLANS
• Mar 2003 - Resolve open issues with authentication methods
• Mar 2003 - Submit updated version of VRRP (IPv4) for Draft Standard
• May 2003 - Submit VRRP for IPv6 (VRRPv3) for Proposed Standard
• Jul 2003 - Submit MIB for VRRPv3 for Proposed Standard
• Dec 2003- Review the WG goals and future potential
CURRENT DRAFTS
• VRRPv2 (for IPv4) <draft-ietf-vrrp-spec-v2-06.txt>
• VRRPv3 (for IPv6) <draft-ietf-vrrp-ipv6-spec-03.txt>
Coming Soon:
• VRRPv3 MIB
• VRRP IPSEC-AH Authentication Specification (???)
SECURITY ISSUES
Problem:
• Clear text password does not provide much security.
• IPsec AH might provide little security but more details need to be specified.
• All the security mechanisms make the situation worse in case of mis-configuration. (2 Masters !!)
• Still vulnerable to all the LAN attacks
Proposed Solution:
• Remove the security mechanisms from VRRP and write a good security section
• Work on a separate draft for providing IPsec AH security for VRRP (if enough interest in WG ??)
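Added example (not from the slides or the VRRP drafts): a small Python model of the VRRPv2 simple-text-password check, showing that the password is readable in the advertisement and that a password mismatch leaves two Masters. The field layout follows the VRRPv2 header; the router names, VRID, priorities, address and passwords are constructed, and the election model ignores timers, checksums and priority ties.

```python
import struct

AUTH_NONE, AUTH_SIMPLE_TEXT = 0, 1  # VRRPv2 Auth Type values

def build_advert(vrid, priority, password, ip=b"\xc0\x00\x02\x01"):
    """Build a constructed VRRPv2 advertisement (checksum left at 0 in this model)."""
    auth_type = AUTH_SIMPLE_TEXT if password else AUTH_NONE
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, 1, auth_type, 1, 0)
    return header + ip + password.encode().ljust(8, b"\x00")[:8]

def parse_advert(pkt):
    """Return the fields any host on the LAN segment can read from the packet."""
    vt, vrid, prio, count, auth_type, _adv, _ck = struct.unpack("!BBBBBBH", pkt[:8])
    auth_data = pkt[8 + 4 * count: 16 + 4 * count]  # 8 bytes after the IP list
    return {"version": vt >> 4, "vrid": vrid, "priority": prio,
            "auth_type": auth_type, "auth_data": auth_data.rstrip(b"\x00")}

def accepts(pkt, local_password):
    """Receiver-side check: discard on Auth Type or password mismatch."""
    f = parse_advert(pkt)
    local_type = AUTH_SIMPLE_TEXT if local_password else AUTH_NONE
    return f["auth_type"] == local_type and f["auth_data"] == local_password.encode()[:8]

def masters(routers):
    """routers: {name: (priority, password)} for one VRID on one LAN.
    A router stays Backup only while it accepts adverts from a higher-priority
    peer; if every advert is discarded it times out and becomes Master."""
    result = []
    for name, (prio, pw) in routers.items():
        heard_better = any(
            accepts(build_advert(1, p2, pw2), pw) and p2 > prio
            for n2, (p2, pw2) in routers.items() if n2 != name)
        if not heard_better:
            result.append(name)
    return sorted(result)

if __name__ == "__main__":
    print(parse_advert(build_advert(1, 200, "s3cret")))               # password in clear
    print(masters({"A": (200, "s3cret"), "B": (100, "s3cret")}))      # one Master
    print(masters({"A": (200, "s3cret"), "B": (100, "s3cert")}))      # typo: two Masters
```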
SECURITY ISSUES QUESTIONS
More Questions: (How do we do it ?)
• Discourage or Remove fields from the header ?
• Backward compatibility issues when removing security ?
• Do we need to update the version number ?
• Do we need to recycle VRRPv2 through PS again ?
• Do we need to update VRRPv2 MIB (RFC 2787) ?
• Anything else ???
The Question:
• Anyone against removing security ? Say it Now !!
VRRPv3
• The current draft is draft-ietf-vrrp-ipv6-spec-03.txt
• Needs to be reviewed. Did anyone review it ?
• Are there any implementations ? Or Plans ?
• Can’t move forward without implementation experience !
VRRPv3 MIB
• Needed before VRRPv3 draft moves to PS
• Kalyan, Kripakaran and Brian have started working on it
• New draft instead of updating the existing one
• A draft will be submitted to the WG soon
• Please review it !!
IPR ISSUES (Cisco)
• We found the following statement from Robert Barr, Cisco at http://www.in-addr.de/pipermail/lvs-users/2001-November/004135.html
"Cisco will not assert any patent claims against anyone for an implementation of IETF standard for VRRP unless a patent claim is asserted against Cisco, in which event Cisco reserves the right to assert patent claims defensively. If a licensee would prefer a royalty-bearing license, we would make one available."
• Robert confirmed this statement in an email again on December 18, 2002
“That is our current position.”
IPR Issues (IBM)
• No answer has been received from IBM yet !!
ARE WE INTERESTED IN..
• “IPsec AH Security for VRRP” draft ? (available at http://www.keepalived.org/draft-ietf-vrrp-ipsecah-spec-00.txt)
• Removing Priority value 0 (hold the election now) option ?
• Issues and Arguments document ?
• Anything else ?
Thank You