
VRRP Authentication

Currently, only VRRPv2 supports authentication. Different authentication modes and authentication keys can be set in VRRP packet headers according to the security requirements of the network.

VRRP provides simple authentication and Message-Digest Algorithm 5 (MD5) authentication for networks that are vulnerable to attacks.

The following authentication modes and authentication keys can be set in VRRPv2 Advertisement packets:
  • Non-authentication: The local device does not authenticate VRRP Advertisement packets before sending them. The remote device does not authenticate the received VRRP Advertisement packets and considers all the received packets valid.
  • Simple authentication: The local device encapsulates the authentication mode and authentication key into an outgoing VRRP Advertisement packet. When the remote device receives the VRRP Advertisement packet, it checks whether the authentication mode and authentication key in the packet are the same as those configured locally. If so, the device considers the received VRRP Advertisement packet valid. If not, the device considers the received VRRP Advertisement packet invalid and discards it.
  • MD5 authentication: The local device uses the MD5 algorithm to encrypt the authentication key and encapsulates the key in the Authentication Data field of an outgoing VRRP Advertisement packet. Upon receipt of the VRRP Advertisement packet, the remote device decrypts the authentication key and checks whether the authentication mode and authentication key are the same as those configured locally. If they are the same, the remote device accepts the packet; otherwise, it discards the packet.

Devices in a VRRP group must be configured with the same authentication mode and authentication key; otherwise, the VRRP group cannot negotiate the Master and Backup states.
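The receive-side check for the non-authentication and simple authentication modes described above, as an added Python example (not Huawei's code). It assumes the VRRPv2 Advertisement layout and Auth Type values 0 and 1 from RFC 2338; the function names are hypothetical, checksum verification is omitted, and MD5 mode is not modelled because this page does not specify its encoding.

```python
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE = 0, 1  # Auth Type values per RFC 2338 (assumption)

def build_advert(vrid, priority, addrs, auth_type, key=b"", adver_int=1):
    """Build a VRRPv2 Advertisement; the checksum is left as 0 in this example."""
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                      len(addrs), auth_type, adver_int, 0)
    ips = b"".join(bytes(map(int, a.split("."))) for a in addrs)
    # Authentication Data is a fixed 8-byte field after the address list.
    return hdr + ips + key.ljust(8, b"\x00")[:8]

def accept_advert(pkt, local_auth_type, local_key=b""):
    """Return (accepted, reason) the way a receiving group member decides."""
    if len(pkt) < 16:
        return False, "truncated"
    vt, _vrid, _prio, count, auth_type, _int, _ck = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        return False, "not a VRRPv2 advertisement"
    end = 8 + 4 * count  # offset where Authentication Data starts
    if len(pkt) < end + 8:
        return False, "truncated"
    if auth_type != local_auth_type:
        return False, "authentication mode mismatch"
    if local_auth_type == AUTH_SIMPLE:
        expected = local_key.ljust(8, b"\x00")[:8]
        if not hmac.compare_digest(pkt[end:end + 8], expected):
            return False, "authentication key mismatch"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: VRID 10, priority 100, one virtual IP, key "k3y".
    pkt = build_advert(10, 100, ["192.0.2.1"], AUTH_SIMPLE, b"k3y")
    for mode, key in [(AUTH_SIMPLE, b"k3y"), (AUTH_SIMPLE, b"other"), (AUTH_NONE, b"")]:
        print(mode, key, accept_advert(pkt, mode, key))
```

A peer configured with a different mode or key discards every Advertisement it receives, which is why such a group cannot negotiate the Master and Backup states.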

For security purposes, you are advised to use MD5 as the authentication algorithm of VRRP.

In a secure network, the default setting can be used. With the default setting, the device does not authenticate the VRRP packets it sends or receives and considers all received VRRP packets valid. In this case, no authentication key needs to be set.

Copyright © Huawei Technologies Co., Ltd.