CARP

Ryan McBride

Oct 17, 2003, 5:53:49 PM
As those of you who follow source-changes know, I have just imported
support for CARP, OpenBSD's Common Address Redundancy Protocol.

This protocol allows multiple hosts on the same local network to share a
set of IP addresses among them. Some of the functionality it provides is
similar to VRRP, although CARP differs in some significant aspects: CARP
has been designed to provide greater security and be protocol
independent (so we can support both IPv4 and IPv6). Finally, CARP allows
for some level of load balancing in addition to its high-availability
functionality.

The basic configuration is as simple as running a command like the
following on all hosts which you want to have providing fail-over for
192.168.1.10:

# ifconfig carp0 vhid 1 192.168.1.10

One of the hosts will become "Master" of this IP address, while the
other hosts will go into "Backup" mode. If the master fails to advertise
after a certain period (3 times the advertisement interval of the Backup
host), the Backup will assume it is down and take over as Master,
responding to ARP requests for this IP address and accepting traffic
sent to it.

CARP specifies that the system which can advertise the most frequently
is most fit to be Master; one can encourage one system to be more likely
to become master by making it advertise more frequently relative to the
others. For example, the following command slows down the advertisement
frequency on this host:

# ifconfig carp0 advskew 100

Other hosts will advertise more frequently, and will be more likely to
become master.


See the man pages for more details: carp(4), ifconfig(8), sysctl(3).

A number of further developments are planned, including replay
detection, IPv6 support, and other fine-tuning.

-Ryan


P.S. If anyone has concerns about Cisco's patent #5,473,599 and how
their claim that it applies to VRRP has forced us to design our own
incompatible protocol, don't talk to us. Instead, call Cisco's lawyer at
408-525-9706, or email him: rb...@cisco.com.

STeve Andre'

Oct 17, 2003, 6:17:12 PM
On Friday 17 October 2003 05:53 pm, Ryan McBride wrote:
> As those of you who follow source-changes know, I have just imported
> support for CARP, OpenBSD's Common Address Redundancy Protocol.
[snip]

This looks really promising, and a wonderful open implementation of
something that's been needed for a while. Bravo to those who have
worked on this. Finally, an alternative to VRRP...

I do not understand much of the IETF workings, but I wonder if it
makes sense to enter this into the standards track? Or is it worth
it?

Regardless, this is wonderful.

--STeve Andre'

Diana Eichert

Oct 17, 2003, 6:19:53 PM
Hi, I may be too quick, didn't find a man page for "carp" yet.

So CARP is going to be implemented at L3 instead of L2?

Theo de Raadt

Oct 17, 2003, 6:30:48 PM
> I do not understand much of the IETF workings, but I wonder if it
> makes sense to enter this into the standards track? Or is it worth
> it?

Why bother. This issue came up because IETF didn't stand up to Cisco
years ago.

The entire issue of RAND "patents allowed in standards" baloney came up
first over VRRP, now other groups have allowed it to happen too, or like
W3C finally cleaned up their act...

IETF is the problem.

Tom Cosgrove

Oct 17, 2003, 6:45:29 PM
>>> Diana Eichert 17-Oct-03 23:19 >>>
>
> Hi, I may be too quick, didn't find a man page for "carp" yet.

You're being too quick. See below.

| Added files:
| share/man/man4 : carp.4


>>> Ryan Thomas McBride 17-Oct-03 22:04 >>>
>
> CVSROOT: /cvs
> Module name: src
> Changes by: mcb...@cvs.openbsd.org 2003/10/17 15:04:59
>
> Modified files:
> etc : protocols
> lib/libc/gen : sysctl.3
> sbin/ifconfig : ifconfig.8 ifconfig.c
> sbin/sysctl : sysctl.8 sysctl.c
> share/man/man4 : Makefile
> sys/conf : GENERIC files
> sys/net : if.c if.h if_ethersubr.c if_fddisubr.c
> sys/netinet : if_ether.c in.h in_proto.c
> sys/sys : mbuf.h
> usr.bin/netstat: inet.c main.c netstat.h
> Added files:
> share/man/man4 : carp.4
> sys/netinet : ip_carp.c ip_carp.h
>
> Log message:
> Common Address Redundancy Protocol
>
> Allows multiple hosts to share an IP address, providing high availability
> and load balancing.
>
> Based on code by mickey@, with additional help from markus@
> and Marco_Pfa...@genua.de
>
> ok deraadt@

Diana Eichert

Oct 17, 2003, 7:16:05 PM
On Fri, 17 Oct 2003, Tom Cosgrove wrote:

> >>> Diana Eichert 17-Oct-03 23:19 >>>
> >
> > Hi, I may be too quick, didn't find a man page for "carp" yet.
>
> You're being too quick. See below.
>
> | Added files:
> | share/man/man4 : carp.4

OK, how often are the online man pages sync'd to CVS then?
and yes, I did read the man page via CVS.

I'm usually not this fast to read up on a new feature, but I find CARP
interesting.

Nick Holland

Oct 17, 2003, 11:32:04 PM
Diana Eichert wrote:

> OK, how often are the online man pages sync'd to CVS then?
> and yes, I did read the man page via CVS.

Lacking a more authoritative answer, I do believe once a day.

HOWEVER... Also as I recall, they aren't checked out of the tree, but
rather, extracted from the most recent i386 snapshot (which is usually
once a day, but not necessarily, and not synced with the man page
extraction in any way). So, could easily be two days. COULD be more.



> I'm usually not this fast to read up on a new feature, but I find CARP
> interesting.

ya. You aren't alone. 8)
do a 'cvs up' on your -current machine.

(waiting for a cvs up to finish, myself)

Nick.
--
http://www.holland-consulting.net

Ryan McBride

Oct 17, 2003, 11:48:56 PM
On Fri, Oct 17, 2003 at 05:15:24PM -0600, Diana Eichert wrote:
> OK, how often are the online man pages sync'd to CVS then?
> and yes, I did read the man page via CVS.

When new snapshots are put up.

Diana Eichert

Oct 18, 2003, 1:04:01 AM
On Sat, 18 Oct 2003, Ryan McBride wrote:

> When new snapshots are put up.

It just goes to show you can learn something new every day.
I never knew snapshot builds were the trigger for updating the online man
pages.

thanks

Peter Galbavy

Oct 18, 2003, 7:52:28 AM
Ryan McBride wrote:
> This protocol allows multiple hosts on the same local network to
> share a set of IP addresses among them. Some of the functionality it
> provides is similar to VRRP, although CARP differs in some
> significant aspects: CARP has been designed to provide greater
> security and be protocol independent (so we can support both IPv4 and
> IPv6). Finally, CARP allows for some level of load balancing in
> addition to its high-availability functionality.

Well f***ing done. Thanks to all involved.

Side thought - will this imply other parts of the project working towards
doing things that add similar multihoming but at the protocol level; I am
thinking pfsync + support for faked (master) endpoints, isakmpd with
multiple phase-1 support for meshing etc.

At this stage I am just spitting into the wind, but I would love to look at
some of this stuff myself, especially now I am leaving the day job for
something that may let me play more on the development side.

Peter
