Before the introduction of HSRP MD5 authentication, HSRP authenticated protocol packets with a simple plain text string. Because that string is carried unencrypted in every HSRP packet, anyone able to capture traffic on the segment can read it and reuse it.
HSRP MD5 authentication is an enhancement that adds an MD5 digest covering the HSRP portion of the multicast HSRP protocol packet.
This functionality provides added security and protects against the threat from HSRP-spoofing software.
MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5 authentication allows
each HSRP group member to use a secret key to generate a keyed MD5 hash that is part of the outgoing packet. A keyed hash
of an incoming packet is generated and if the hash within the incoming packet does not match the generated hash, the packet
is ignored.
The key for the MD5 hash can be either given directly in the configuration using a key string or supplied indirectly through
a key chain.
HSRP has two authentication schemes:
- Plain text authentication
- MD5 authentication
HSRP authentication protects against false HSRP hello packets causing a denial-of-service attack. For example, Device A has
a priority of 120 and is the active device. If a host sends spoofed HSRP hello packets with a priority of 130, then Device A
stops being the active device. If Device A has authentication configured so that the spoofed HSRP hello packets are ignored,
Device A remains the active device.
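The following is an added example, not code from this page or from Cisco IOS, that models the keyed-hash check described above and replays the Device A scenario. It uses HMAC-MD5 as the keyed MD5 construction and a constructed packet layout (group, priority, virtual IP, key ID, digest); the real HSRP header and MD5 authentication TLV are laid out differently and are not reproduced here. The key chain is modelled as a map from the key ID carried in the packet to a secret key string.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HsrpHello:
    """Constructed hello layout for this example (not the real HSRP packet format)."""
    group: int
    priority: int
    virtual_ip: str
    key_id: int = 0          # selects the key in the receiver's key chain
    digest: bytes = b""      # empty means the sender used no MD5 authentication

    def covered_bytes(self) -> bytes:
        # The "HSRP portion" that the digest covers (constructed layout).
        return struct.pack("!BB", self.group, self.priority) + self.virtual_ip.encode()


class KeyChain:
    """Key chain: key ID -> secret key string (a one-entry chain models a bare key string)."""
    def __init__(self, keys: Dict[int, bytes]) -> None:
        self._keys = dict(keys)

    def lookup(self, key_id: int) -> Optional[bytes]:
        return self._keys.get(key_id)


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """Keyed MD5 digest; HMAC-MD5 is used here as an assumption, not Cisco's wire construction."""
    return hmac.new(key, data, hashlib.md5).digest()


def sign_hello(hello: HsrpHello, chain: KeyChain) -> HsrpHello:
    """Sender side: attach the keyed digest of the outgoing packet."""
    key = chain.lookup(hello.key_id)
    if key is None:
        raise KeyError(f"no key with id {hello.key_id}")
    hello.digest = keyed_md5(key, hello.covered_bytes())
    return hello


def digest_matches(hello: HsrpHello, chain: KeyChain) -> bool:
    """Receiver side: regenerate the keyed hash and compare it with the one in the packet."""
    key = chain.lookup(hello.key_id)
    if key is None:
        return False
    expected = keyed_md5(key, hello.covered_bytes())
    # compare_digest returns False for a missing (empty) digest as well as a wrong one.
    return hmac.compare_digest(expected, hello.digest)


class HsrpDevice:
    """Minimal active-device state: a higher-priority hello that passes authentication preempts it."""
    def __init__(self, priority: int, chain: Optional[KeyChain] = None) -> None:
        self.priority = priority
        self.chain = chain          # None models a device with no MD5 authentication configured
        self.active = True

    def receive(self, hello: HsrpHello) -> str:
        if self.chain is not None and not digest_matches(hello, self.chain):
            return "ignored"        # wrong scheme, wrong key, or tampered packet
        if hello.priority > self.priority:
            self.active = False
            return "yielded"
        return "accepted"


SECRET_CHAIN = KeyChain({1: b"s3cr3t-hsrp-key"})       # constructed secret shared by the group


def device_a_stays_active(md5_configured: bool) -> bool:
    """Device A (priority 120) receives a spoofed hello with priority 130 signed with a guessed key."""
    device_a = HsrpDevice(priority=120, chain=SECRET_CHAIN if md5_configured else None)
    spoof = HsrpHello(group=1, priority=130, virtual_ip="10.0.0.1", key_id=1)
    sign_hello(spoof, KeyChain({1: b"attacker-guess"}))  # attacker does not know the real key
    device_a.receive(spoof)
    return device_a.active


def legitimate_peer_preempts() -> bool:
    """A group member holding the real key and priority 130 is still allowed to take over."""
    device_a = HsrpDevice(priority=120, chain=SECRET_CHAIN)
    peer = sign_hello(HsrpHello(group=1, priority=130, virtual_ip="10.0.0.1", key_id=1), SECRET_CHAIN)
    return device_a.receive(peer) == "yielded" and not device_a.active


def unauthenticated_hello_result() -> str:
    """A hello with no digest hits an MD5-configured device: the schemes differ, so it is ignored."""
    device_a = HsrpDevice(priority=120, chain=SECRET_CHAIN)
    return device_a.receive(HsrpHello(group=1, priority=130, virtual_ip="10.0.0.1", key_id=1))


if __name__ == "__main__":
    print("no auth, spoof received: A active =", device_a_stays_active(False))
    print("MD5 auth, spoof received: A active =", device_a_stays_active(True))
    print("legitimate higher-priority peer preempts:", legitimate_peer_preempts())
    print("digest-less hello against MD5 device:", unauthenticated_hello_result())
```

Without authentication the spoofed hello with priority 130 makes Device A stand down; with the key chain configured the same packet fails the digest comparison and is ignored, while a genuine group member holding the shared key can still preempt. The digest-less hello case corresponds to the first rejection rule below: the authentication scheme in the packet does not match the one configured on the device.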
HSRP packets will be rejected in any of the following cases:
- The authentication schemes differ on the device and in the incoming packets.
- MD5 digests differ on the device and in the incoming packet.
- Text authentication strings differ on the device and in the incoming packet.