The HSRP "exploits" aren't anything new. If you have physical access to the 
target LAN, the ability to sniff packets, and the ability to send packets, 
of course you can wreak havoc. Not only could you send bad HSRP packets but 
you could respond to ARPs, send bad routing protocol packets, etc. etc. 
etc. The only real solutions are physical security and hiring people you 
trust!?

Also, instead of using HSRP you could use the Virtual Router Redundancy 
Protocol (VRRP) defined in RFC 2338. VRRP is the standards-track 
replacement for HSRP.
The Security Considerations section explains authentication options, 
including using IPSec.

Priscilla

At 11:20 PM 5/7/01, Andy Low wrote:
>Hi TAC,
>
>Anyone know of any solutions to the HSRP exploits?
>
>http://www.securityfocus.com/bid/2684
>
>-andy-
>FAQ, list archives, and subscription info: 
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


________________________

Priscilla Oppenheimer
http://www.priscilla.com
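
Added example, not part of the original post: a minimal Python check of a VRRP advertisement against the RFC 2338 header layout, reporting which of the three authentication types (none, simple text password, IP Authentication Header) the sender used and whether the TTL and checksum tests a receiver must apply would pass. The `build_sample` helper and its packet values (VRID 1, priority 100, address 192.0.2.1) are constructed for illustration.

```python
import struct

# Auth Type values defined in RFC 2338
AUTH_TYPES = {0: "none", 1: "simple text password", 2: "IP Authentication Header"}

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def audit_vrrp_advert(payload: bytes, ip_ttl: int) -> dict:
    """Parse a VRRPv2 message (IP protocol 112 payload) and list reasons to distrust it."""
    if len(payload) < 16:
        raise ValueError("too short for a VRRPv2 message")
    vt, vrid, prio, count, auth, _adv, _ck = struct.unpack("!BBBBBBH", payload[:8])
    if len(payload) != 8 + 4 * count + 8:  # header + addresses + 8 bytes auth data
        raise ValueError("length does not match Count IP Addrs")
    findings = []
    if vt >> 4 != 2 or vt & 0x0F != 1:
        findings.append("not a version 2 ADVERTISEMENT")
    if ip_ttl != 255:  # a routed (off-link) packet cannot arrive with TTL 255
        findings.append("IP TTL is not 255")
    if inet_checksum(payload) != 0:  # sum over a valid message verifies to zero
        findings.append("bad VRRP checksum")
    if auth == 0:
        findings.append("no authentication")
    elif auth == 1:
        findings.append("cleartext password, readable by any sniffer")
    elif auth != 2:
        findings.append("unknown auth type")
    return {"vrid": vrid, "priority": prio,
            "auth": AUTH_TYPES.get(auth, "unknown"), "findings": findings}

def build_sample(auth_type: int, auth_data: bytes = b"\x00" * 8) -> bytes:
    """Constructed advert: VRID 1, priority 100, one address 192.0.2.1, 1 s interval."""
    body = (struct.pack("!BBBBBBH", 0x21, 1, 100, 1, auth_type, 1, 0)
            + bytes([192, 0, 2, 1]) + auth_data)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

if __name__ == "__main__":
    for auth_type in (0, 1, 2):
        print(audit_vrrp_advert(build_sample(auth_type), ip_ttl=255))
```

Only the Auth Type 2 advert comes back with no findings, and that type relies on the IP Authentication Header being validated by the IP layer before the VRRP payload is accepted; this check does not perform that validation.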




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3643&t=3534