exactly, our Upstream Providers have talked about 10Ge "coming" but are
still pitching plain old GigE......... imagine that - plain old GigE.

We are using a lot of Ethernet technologies in the traditional "WAN" roles
but we like HSRP.

Unfortunately, HSRP tests the interface and not the path.  I would like an
additional keyword like:

Standby DestinationIP w.x.y.z

If the destination is reachable - cool, if it isn't...... failover.

This I think would give us the same capability that HSRP has with serial
interfaces.

Kevin Wigle

----- Original Message -----
From: Chuck Larrieu 
To: 
Sent: Wednesday, May 09, 2001 11:36 PM
Subject: RE: Cisco HSRP Denial of Service Vulnerability [7:3534]


> Check out this link. Is this kinda what you folks are talking about here?
>
> http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54671,00.html
>
> Chuck
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Priscilla Oppenheimer
> Sent: Tuesday, May 08, 2001 11:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
>
> What is Ethernet emulation? It's definitely true that Ethernet is being
> used across long distances, if that's what you mean. With single mode
> fiber-optic cabling, Ethernet can span miles. Physical access is a
> different story in this case, of course. The cables may actually be in
> public places. They would be overhead on poles or underground, I guess,
> though, wouldn't they?
>
> I think it would still be very difficult to wreak havoc. Physical access
> would be difficult, and even if you had it, network-layer hacking would be
> hard to achieve. Wishful thinking? :-]
>
> Thanks
>
> Priscilla
>
> At 02:27 PM 5/9/01, Kevin Wigle wrote:
> >However, Ethernet emulation is becoming quite popular and very price
> >competitive.
> >
> >I have clients who have HSRP running on what would normally be called
> >"WAN" ports but they are Ethernet.  The HSRP virtual address is visible
> >to the world and therefore it is vulnerable.
> >
> >I agree that traditionally HSRP has been used on the inside interfaces so
> >therefore your vulnerability is from the inside where you should have
> >personnel/physical security in place.
> >
> >IPSec is cool but involves more cost to deploy an IPSec capable
> >IOS/router if you're not already using IPSec.  Perhaps this is just
> >another reason to do so.
> >
> >Someone also commented on the overhead of IPSec encrypting/decrypting
> >HSRP hellos every 3 seconds.  Perhaps adjusting the HSRP timers would
> >alleviate this.
> >
> >But times they are a changing.  The lines between LAN and WAN are
> >blurring.  It seems Brian's solution for an access-list will be a stop
> >gap measure for now.
> >
> >Kevin Wigle
> >
> >----- Original Message -----
> >From: Priscilla Oppenheimer
> >To:
> >Sent: Tuesday, May 08, 2001 1:38 PM
> >Subject: Re: Cisco HSRP Denial of Service Vulnerability [7:3534]
> >
> >
> > > The HSRP "exploits" aren't anything new. If you have physical access
> > > to the target LAN, the ability to sniff packets, and the ability to
> > > send packets, of course you can wreak havoc. Not only could you send
> > > bad HSRP packets but you could respond to ARPs, send bad routing
> > > protocol packets, etc. etc. etc. The only real solutions are physical
> > > security and hiring people you trust!?
> > >
> > > Also, instead of using HSRP you could use the Virtual Router
> > > Redundancy Protocol (VRRP) defined in RFC 2338. VRRP is the
> > > standards-track replacement for HSRP.
> > > The Security Considerations section explains authentication options,
> > > including using IPSec.
> > >
> > > Priscilla
> > >
> > > At 11:20 PM 5/7/01, Andy Low wrote:
> > > >Hi TAC,
> > > >
> > > >Anyone know of any solutions to the HSRP exploits?
> > > >
> > > >http://www.securityfocus.com/bid/2684
> > > >
> > > >-andy-
> > > >FAQ, list archives, and subscription info:
> > > >http://www.groupstudy.com/list/cisco.html
> > > >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> > >
> > > ________________________
> > >
> > > Priscilla Oppenheimer
> > > http://www.priscilla.com
> > > FAQ, list archives, and subscription info:
> > > http://www.groupstudy.com/list/cisco.html
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4009&t=3534
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
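As an added example (not posted by anyone in this thread), here is what the mitigations under discussion look like on a Cisco IOS router whose Ethernet "WAN" port carries HSRP: Brian's access-list stop-gap, hello authentication, slower timers, and the interface tracking HSRP already has. The addresses (203.0.113.0/24 documentation range), interface names, peer router and key string are placeholders; the md5 key-string form of standby authentication is a later IOS feature than this 2001 thread, whose original keyword took a clear-text string.

```cisco
! Added example, not from the thread. Addresses, interface names and the
! key string are placeholders; adjust to the real deployment.
interface FastEthernet0/0
 description Ethernet "WAN" port towards the upstream provider
 ip address 203.0.113.2 255.255.255.0
 ! Brian's stop-gap: only the known HSRP peer may send hellos inbound.
 ip access-group HSRP-GUARD in
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 ! Authenticate hellos (md5 key-string postdates the thread; the original
 ! keyword takes a clear-text string that a sniffer on the segment can read).
 standby 1 authentication md5 key-string REPLACE-WITH-SHARED-KEY
 ! Slower hellos reduce the per-packet cost raised in the IPSec discussion.
 standby 1 timers 5 15
 ! What HSRP can do today: watch another interface's line state and drop
 ! this group's priority by 20 when it goes down. This tests the interface,
 ! not the path, which is exactly the gap Kevin describes.
 standby 1 track Serial0/0 20
!
ip access-list extended HSRP-GUARD
 remark HSRP v1 hellos are UDP/1985 to 224.0.0.2; admit only the known peer
 permit udp host 203.0.113.3 host 224.0.0.2 eq 1985
 deny   udp any host 224.0.0.2 eq 1985 log
 permit ip any any
```

The access-list matches on a source address that can be forged, so it raises the bar rather than closing the hole, which is why the thread calls it a stop-gap; the log keyword on the deny line at least records hellos arriving from anywhere other than the expected peer. The router's own hellos leave the interface outbound and are not affected by the inbound access-group.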
