Virtual Router Redundancy Protocol (VRRP) Working Group, March 2003, San Francisco IETF. Chair: Mukesh Gupta / Nokia


VRRP Working Group

March 2003

San Francisco IETF

Mukesh Gupta / Nokia

Chair


AGENDA

• Introduction and Review Agenda

• Milestones/Plans

• Current Drafts

• Security Issues with VRRP

• VRRPv3

• VRRPv3 MIB

• IPR Issues

• Further Interests of the WG


WG MILESTONES/PLANS

• Mar 2003 - Resolve open issues with authentication methods

• Mar 2003 - Submit updated version of VRRP (IPv4) for Draft Standard

• May 2003 - Submit VRRP for IPv6 (VRRPv3) for Proposed Standard

• Jul 2003 - Submit MIB for VRRPv3 for Proposed Standard

• Dec 2003 - Review the WG goals and future potential


CURRENT DRAFTS

• VRRPv2 (for IPv4) <draft-ietf-vrrp-spec-v2-06.txt>

• VRRPv3 (for IPv6) <draft-ietf-vrrp-ipv6-spec-03.txt>

Coming Soon:

• VRRPv3 MIB

• VRRP IPSEC-AH Authentication Specification (???)


SECURITY ISSUES

Problem:

• Clear text password does not provide much security.

• IPsec AH might provide little security but more details need to be specified.

• All the security mechanisms make the situation worse in case of mis-configuration. (2 Masters !!)

• Still vulnerable to all the LAN attacks

Proposed Solution:

• Remove the security mechanisms from VRRP and write a good security section

• Work on a separate draft for providing IPsec AH security for VRRP (if enough interest in WG ??)
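Added example, not part of the original slides: a Python audit of VRRPv2 advertisements that flags the two problems listed above, virtual routers whose Auth Type is the simple text password (the 8-byte authentication data travels unencrypted in every advertisement) and VRIDs with more than one sender, the "2 Masters" symptom. The header layout and Auth Type values follow RFC 2338; the function names, addresses and passwords are constructed for illustration.

```python
import struct
from collections import defaultdict

# Auth Type values as defined for VRRPv2 in RFC 2338
AUTH_NONE, AUTH_SIMPLE_TEXT, AUTH_IP_AH = 0, 1, 2

def parse_vrrpv2(payload: bytes) -> dict:
    """Parse one VRRPv2 advertisement (the IP payload, protocol 112)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth_type, _adver, _cksum = struct.unpack(
        "!BBBBBBH", payload[:8])
    if ver_type != 0x21:  # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    auth_off = 8 + 4 * count  # authentication data follows the IPv4 address list
    if len(payload) < auth_off + 8:
        raise ValueError("truncated address list or authentication data")
    return {"vrid": vrid, "priority": prio, "auth_type": auth_type,
            "auth_data": payload[auth_off:auth_off + 8]}

def audit(observed):
    """observed: iterable of (source_ip, payload) pairs from one LAN segment.

    Returns (VRIDs using the simple text password, VRIDs with several senders).
    Several senders for one VRID is a simplification of "2 Masters": a real
    monitor would also bound the time window to ignore a normal failover.
    """
    cleartext, senders = set(), defaultdict(set)
    for src, payload in observed:
        adv = parse_vrrpv2(payload)
        senders[adv["vrid"]].add(src)
        if adv["auth_type"] == AUTH_SIMPLE_TEXT:
            cleartext.add(adv["vrid"])
    multi = {v: sorted(s) for v, s in senders.items() if len(s) > 1}
    return sorted(cleartext), multi

def build_adv(vrid, prio, auth_type, auth_data=b""):
    """Constructed sample advertisement: one virtual IP, checksum left at 0."""
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, prio, 1, auth_type, 1, 0)
    return hdr + bytes([192, 0, 2, 1]) + auth_data.ljust(8, b"\0")

# Constructed capture: VRID 10 has two routers with mismatched passwords,
# VRID 20 has a single master and no authentication.
SAMPLE = [
    ("192.0.2.2", build_adv(10, 200, AUTH_SIMPLE_TEXT, b"siteA")),
    ("192.0.2.3", build_adv(10, 100, AUTH_SIMPLE_TEXT, b"siteB")),
    ("192.0.2.4", build_adv(20, 150, AUTH_NONE)),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
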


SECURITY ISSUES QUESTIONS

More Questions: (How do we do it ?)

• Discourage or Remove fields from the header ?

• Backward compatibility issues when removing security ?

• Do we need to update the version number ?

• Do we need to recycle VRRPv2 through PS again ?

• Do we need to update VRRPv2 MIB (RFC 2787) ?

• Anything else ???

The Question:

• Anyone against removing security ? Say it Now !!


VRRPv3

• The current draft is draft-ietf-vrrp-ipv6-spec-03.txt

• Needs to be reviewed. Did anyone review it ?

• Are there any implementations ? Or Plans ?

• Can’t move forward without implementation experience !


VRRPv3 MIB

• Needed before VRRPv3 draft moves to PS

• Kalyan, Kripakaran and Brian have started working on it

• New draft instead of updating the existing one

• A draft will be submitted to the WG soon

• Please review it !!


IPR ISSUES (Cisco)

• We found the following statement from Robert Barr, Cisco at http://www.in-addr.de/pipermail/lvs-users/2001-November/004135.html

"Cisco will not assert any patent claims against anyone for an implementation of IETF standard for VRRP unless a patent claim is asserted against Cisco, in which event Cisco reserves the right to assert patent claims defensively. If a licensee would prefer a royalty-bearing license, we would make one available."

• Robert confirmed this statement in an email again on December 18, 2002

“That is our current position.”


IPR Issues (IBM)

• No answer has been received from IBM yet !!


ARE WE INTERESTED IN..

• “IPsec AH Security for VRRP” draft ? (available at http://www.keepalived.org/draft-ietf-vrrp-ipsecah-spec-00.txt)

• Removing Priority value 0 (hold the election now) option ?

• Issues and Arguments document ?

• Anything else ?


Thank You