Diving Deep into VRRP

This section provides more detailed information on VRRP, as described in RFC 23381 and RFC 37682. VRRP runs on top of IP using Protocol 112. Packets are sent to multicast address with TTL 255. Routers use their actual IP address as the source address for protocol packets, not the virtual IP address.

NOTE A lot of information about VRRP exists on the web and in books, as described in RFC 2338 and RFC 3768.

Only the master router sends periodic VRRP messages by using the virtual MAC address as the source to keep the switch's CAM table up to date with the binding of the virtual MAC address to a specific port. The switch then uses this binding to forward frames addressed to the virtual MAC address to the master router.

The backup routers passively listen for those periodic VRRP packets to check whether the master router is alive. If no master exists, the backup routers go through a quick election process to determine which router becomes the master router.

The newly elected router immediately transmits a frame with the virtual MAC address as the source address. The switch's CAM table is updated with the new binding to the port of the new master, and it immediately starts forwarding all frames addressed to the virtual MAC address to the port of the newly elected master router.

Figure 10-2 shows the VRRP packet format.

Figure 10-2 VRRP Packet Format



Virtual Router ID


Count IP Addresses

Authentication Type

Advertisement Interval


IP Address (1)

IP Address (n)

Authentication Data (1)

Authentication Data (2)

The Authentication Type and Authentication Data fields are used for authentication. In RFC 2338, the authentication type could be none, text based (such as in HSRP), or IP Authentication Header (AH) from the IPsec protocol. When text-based authentication is used, the shared secret is put in the clear in the Authentication Data field. In RFC 3768, which obsoletes RFC 2338, only the "none" authentication type is defined.

NOTE RFC 3768 explains the reason why the clear-text and AH-based authentication types have been removed. Because even with strong authentication, such as AH (with antireplay), nothing prevents other attacks (such as Address Resolution Protocol [ARP] spoofing or MAC spoofing), so there is no need to provide a feeling of false security by adding authentication to VRRP.

Everyone does not share this point of view: As shown in Chapters 2, "Defeating a Learning Bridge's Forwarding Process," and 6, "Exploiting IPv4 ARP," MAC and ARP spoofing can be mitigated effectively; therefore, strong authentication still has value when coupled to a secure infrastructure applying the mitigation techniques against MAC and ARP spoofing.

The Priority field elects the master. When comparing the priorities of two different routers, the router with the numerically higher priority wins the election process and becomes the master router.

In the case of routers with equal priority, the router with the higher IP address wins the election. As previously explained, in VRRP, the virtual IP address can actually be the IP address of one router within the redundancy group (when the router is the master); in this case, the master router priority must be set to 255 to always win in case of a tie.

Mitigating VRRP Attacks 161

Was this article helpful?

+1 0

Post a comment