Package: vrrpd
Version: 1.0-1
Severity: important

This is to some extent network adapter dependent. Lower end cards with more primitive MAC filtering like Via Rhine are less prone to this problem. It is 100% reproducible on higher end cards like Intel e1000.

How to reproduce:

1. Configure 2 VLAN interfaces on host A and host B (with a suitable switch in between).
2. Run VRRP between host A and host B on both VLANs using 2 different vrrpd processes (let's say 5 and 6).
3. Configure process 5 auth to plain and 6 to pw. Both processes will start seeing each other's packets and complain in syslog.
4. Configure process 5 ah and 6 to ah. This one is worse - all hosts on all interfaces will try to grab the VRRP address, generating duplicate IPs on the network.

And so on.

I have not looked at the code in detail, but it seems that it heavily relies on the IP stack to filter out the right multicast frames. The stack in turn relies on the card driver and the card driver on MCAST filters which on 802.1q interfaces quite often leak. Other similar apps (quagga) perform extra checks on what they receive via MCAST to compensate for such stack problems (they are well known).

The overall effect is that all auth schemes except "none" are rendered unusable when running vrrpd on 802.1q interfaces. It is also not possible to mix authentication schemes.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14-1-k7-desktop
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages vrrpd depends on:
ii  libc6  2.3.2.ds1-22sarge4  GNU C Library: Shared libraries an

-- no debconf information
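
The report notes that other daemons perform extra checks on what they receive via multicast instead of trusting the stack's filtering. The following is an added example of such a receive-side check for a VRRPv2 advertisement; it is not vrrpd's or quagga's code. `vr_cfg`, `vrrp_accept` and the sample packet are hypothetical, and the receiving interface index and TTL are assumed to come from `recvmsg()` ancillary data (`IP_PKTINFO`, `IP_RECVTTL`).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-instance settings (hypothetical struct, not vrrpd's own). */
struct vr_cfg {
    unsigned ifindex;       /* VLAN interface this instance is bound to */
    uint8_t  vrid;          /* configured virtual router ID */
    uint8_t  auth_type;     /* RFC 2338: 0 none, 1 simple password, 2 IP AH */
    uint8_t  auth_data[8];  /* compared only for auth type 1 */
};

enum verdict { ACCEPT = 0, DROP_IFACE, DROP_TTL, DROP_SHORT, DROP_VERSION,
               DROP_VRID, DROP_AUTH_TYPE, DROP_AUTH_DATA };

/* pkt points at the VRRP header (after the IP header). The checksum and
 * AH verification are outside what this example demonstrates. */
enum verdict vrrp_accept(const struct vr_cfg *cfg, unsigned rx_ifindex,
                         uint8_t ttl, const uint8_t *pkt, size_t len)
{
    if (rx_ifindex != cfg->ifindex) return DROP_IFACE;     /* leaked from another VLAN */
    if (ttl != 255)                 return DROP_TTL;       /* adverts are never routed */
    if (len < 8)                    return DROP_SHORT;
    if (pkt[0] != 0x21)             return DROP_VERSION;   /* version 2, type 1 */
    if (pkt[1] != cfg->vrid)        return DROP_VRID;      /* other instance's advert */
    if (pkt[4] != cfg->auth_type)   return DROP_AUTH_TYPE; /* mixed auth schemes */

    size_t need = 8 + 4u * pkt[3] + 8;  /* header + address list + auth data */
    if (len < need)                 return DROP_SHORT;
    if (cfg->auth_type == 1 && memcmp(pkt + need - 8, cfg->auth_data, 8) != 0)
        return DROP_AUTH_DATA;
    return ACCEPT;
}

/* Constructed sample: VRID 5, priority 100, one address (192.0.2.1),
 * auth type 1, checksum left as zero because it is not verified here. */
static const uint8_t sample_advert[] = {
    0x21, 5, 100, 1, 1, 1, 0, 0,
    192, 0, 2, 1,
    's', 'e', 'c', 'r', 'e', 't', 0, 0
};

int main(void)
{
    struct vr_cfg v5 = { 2, 5, 1, "secret" };  /* instance 5 on ifindex 2 */
    struct vr_cfg v6 = { 3, 6, 2, { 0 } };     /* instance 6 on ifindex 3 */
    printf("v5: %d\n", vrrp_accept(&v5, 2, 255, sample_advert, sizeof sample_advert));
    printf("v6: %d\n", vrrp_accept(&v6, 2, 255, sample_advert, sizeof sample_advert));
    return 0;
}
```

With these checks, instance 6 drops instance 5's advertisement at the interface comparison, and would still drop it on VRID or auth type if the frame arrived on its own interface.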