Re: CARP and VRRP compliance
Hello Theo, It's disheartening to see the disparity in treatment between entities like OpenBSD and larger corporations within these governance structures. However, your resolve in the face of such challenges is commendable. The creation of CARP, under the circumstances you described, not only serves as a practical solution but also as a principled stand against the monopolization of technology standards. This unwavering commitment is the reason OpenBSD is so deeply respected and cherished. Thank you for your perseverance and for setting an example of integrity in the technology community. This is why we love OpenBSD so much. Kind regards Sam On Wed, Feb 14, 2024 at 7:26 PM Theo de Raadt wrote: > Stuart Henderson wrote: > > > On 2024-02-13, Samuel Jayden wrote: > > > From the information provided in the link, it appears that CARP and > VRRP > > > protocols aren't inherently interoperable. > > > > They are different protocols - they *had* to be different because VRRP > > was subject to patents. And if carp was changed now, it wouldn't be > > interoperable with existing carp installations. > > > > > While Cisco may have attempted to address this by introducing a command > > > like "disable-loop-detection carp" in its Nexus 1000V virtual router > > > product, this solution unfortunately doesn't extend to standard router > > > hardware, rendering it ineffective in many scenarios. > > > > That's not about interop beteeen carp and vrrp speakers, it's about > > using carp (or vrrp or hsrp or similar) on a port attached to the > > 'virtual switch'. See 'Information About Redundant Routing Protocols' on > > > https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_5_1/layer_2_switching/configuration/guide/n1000v_l2/n1000v_l2_7redundantroutingprot.html > > > > > Is it feasible to achieve CARP and VRRP interoperability through a > > > user-space application? > > > > No. They are different protocols. For what you want to do, running VRRP > > on the OpenBSD box might make some sense though. There are various > > existing userland implementations of VRRP that might be able to run > > on OpenBSD, probably with some work to port them - e.g. freevrrpd, > > frr-vrrpd, vrrpd. Nothing already in the ports tree (if someone wanted > > to try I'd suggest starting by looking at freevrrpd). > > This was my experience: > > VRRP was the first patent-encumbered protocol squeezed through the IETF > process. > > The backers of that change in process were employees and laywers at a few > major companies, but also tightly integrated into the IETF approval > process. > > When we objected to the VRRP situation, they circled the wagons, not just > to defend the VRRP patent, but to protect a future of patent's being OK in > IETF processes. > > In response, OpenBSD carefully developed a similar mechanism called CARP, > and the acronymn actually expands to "Cisco Asshole Redundancy Protocol", > because the main traitors inside IETF were Cisco employees. > > Then we asked IETF for numbers to make this a unique protocol. Unlike > a recent threads where Tatu asked IETF for port 22 and they just gave it > to him, the various number authorities inside IETF demanded that we follow > the most stringent procedures for CARP. Even to this day, IETF provides > the various prototol numbers to some large corporate industry members > without > forcing them down those stringent procedures. > > As a result, we simply squatted on the VRRP numbers. We gave them plenty > of warning we would be doing this. Over the following years, we heard some > real anger IETF decision makers internally, but none of them re-visited our > request for seperate numbers. We never got numbers. So CARP will stay > where it is. > > One major bug was in VRRP on some HP product was found in the first year. > CARP packets were incorrectly parsed as VRRP packets. I don't remember > the details, but I think it rebooted that HP device, probably a switch. > > Oh well. > >
Re: CARP and VRRP compliance
Greetings, I have now attained a deeper understanding of the topic at hand; thank you for your insights. It appears that my requirements necessitate communication between a Cisco router and VRRP, rather than CARP. Upon reviewing the open-source projects you've recommended, here are my findings: The vrrpd project seems quite distant from being readily compilable. It exhibits a classic Linux developer's perspective, showing no inclination towards ensuring compatibility with operating systems outside the Linux realm. I am still engaged with frr-vrrpd, yet, to my dismay, I haven't managed to compile it thus far. With freevrrpd, I am tantalizingly closer to a resolution. By crafting minor patches, I've successfully compiled it, albeit necessitating the deactivation of netgraph code. Upon conducting a VRRP test between OpenBSD + freevrrpd and a Cisco Router, I observed that both devices persisted in identifying themselves as the master. Monitoring the relevant interface with tcpdump allowed me to perceive packets emanating from the Cisco Router; however, there was a conspicuous absence of VRRP packets from the OpenBSD system. It seems plausible that disabling the netgraph code contributed to this predicament. Should there exist an equivalent to netgraph within OpenBSD, I am eager to explore that avenue. Thanks. Sam On Wed, Feb 14, 2024 at 2:06 PM Stuart Henderson wrote: > On 2024-02-13, Samuel Jayden wrote: > > From the information provided in the link, it appears that CARP and VRRP > > protocols aren't inherently interoperable. > > They are different protocols - they *had* to be different because VRRP > was subject to patents. And if carp was changed now, it wouldn't be > interoperable with existing carp installations. > > > While Cisco may have attempted to address this by introducing a command > > like "disable-loop-detection carp" in its Nexus 1000V virtual router > > product, this solution unfortunately doesn't extend to standard router > > hardware, rendering it ineffective in many scenarios. > > That's not about interop beteeen carp and vrrp speakers, it's about > using carp (or vrrp or hsrp or similar) on a port attached to the > 'virtual switch'. See 'Information About Redundant Routing Protocols' on > > https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_5_1/layer_2_switching/configuration/guide/n1000v_l2/n1000v_l2_7redundantroutingprot.html > > > Is it feasible to achieve CARP and VRRP interoperability through a > > user-space application? > > No. They are different protocols. For what you want to do, running VRRP > on the OpenBSD box might make some sense though. There are various > existing userland implementations of VRRP that might be able to run > on OpenBSD, probably with some work to port them - e.g. freevrrpd, > frr-vrrpd, vrrpd. Nothing already in the ports tree (if someone wanted > to try I'd suggest starting by looking at freevrrpd). > > -- > Please keep replies on the mailing list. > >
Re: CARP and VRRP compliance
Stuart Henderson wrote: > On 2024-02-13, Samuel Jayden wrote: > > From the information provided in the link, it appears that CARP and VRRP > > protocols aren't inherently interoperable. > > They are different protocols - they *had* to be different because VRRP > was subject to patents. And if carp was changed now, it wouldn't be > interoperable with existing carp installations. > > > While Cisco may have attempted to address this by introducing a command > > like "disable-loop-detection carp" in its Nexus 1000V virtual router > > product, this solution unfortunately doesn't extend to standard router > > hardware, rendering it ineffective in many scenarios. > > That's not about interop beteeen carp and vrrp speakers, it's about > using carp (or vrrp or hsrp or similar) on a port attached to the > 'virtual switch'. See 'Information About Redundant Routing Protocols' on > https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_5_1/layer_2_switching/configuration/guide/n1000v_l2/n1000v_l2_7redundantroutingprot.html > > > Is it feasible to achieve CARP and VRRP interoperability through a > > user-space application? > > No. They are different protocols. For what you want to do, running VRRP > on the OpenBSD box might make some sense though. There are various > existing userland implementations of VRRP that might be able to run > on OpenBSD, probably with some work to port them - e.g. freevrrpd, > frr-vrrpd, vrrpd. Nothing already in the ports tree (if someone wanted > to try I'd suggest starting by looking at freevrrpd). This was my experience: VRRP was the first patent-encumbered protocol squeezed through the IETF process. The backers of that change in process were employees and laywers at a few major companies, but also tightly integrated into the IETF approval process. When we objected to the VRRP situation, they circled the wagons, not just to defend the VRRP patent, but to protect a future of patent's being OK in IETF processes. In response, OpenBSD carefully developed a similar mechanism called CARP, and the acronymn actually expands to "Cisco Asshole Redundancy Protocol", because the main traitors inside IETF were Cisco employees. Then we asked IETF for numbers to make this a unique protocol. Unlike a recent threads where Tatu asked IETF for port 22 and they just gave it to him, the various number authorities inside IETF demanded that we follow the most stringent procedures for CARP. Even to this day, IETF provides the various prototol numbers to some large corporate industry members without forcing them down those stringent procedures. As a result, we simply squatted on the VRRP numbers. We gave them plenty of warning we would be doing this. Over the following years, we heard some real anger IETF decision makers internally, but none of them re-visited our request for seperate numbers. We never got numbers. So CARP will stay where it is. One major bug was in VRRP on some HP product was found in the first year. CARP packets were incorrectly parsed as VRRP packets. I don't remember the details, but I think it rebooted that HP device, probably a switch. Oh well.
Re: CARP and VRRP compliance
On 2024-02-13, Samuel Jayden wrote: > From the information provided in the link, it appears that CARP and VRRP > protocols aren't inherently interoperable. They are different protocols - they *had* to be different because VRRP was subject to patents. And if carp was changed now, it wouldn't be interoperable with existing carp installations. > While Cisco may have attempted to address this by introducing a command > like "disable-loop-detection carp" in its Nexus 1000V virtual router > product, this solution unfortunately doesn't extend to standard router > hardware, rendering it ineffective in many scenarios. That's not about interop beteeen carp and vrrp speakers, it's about using carp (or vrrp or hsrp or similar) on a port attached to the 'virtual switch'. See 'Information About Redundant Routing Protocols' on https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_5_1/layer_2_switching/configuration/guide/n1000v_l2/n1000v_l2_7redundantroutingprot.html > Is it feasible to achieve CARP and VRRP interoperability through a > user-space application? No. They are different protocols. For what you want to do, running VRRP on the OpenBSD box might make some sense though. There are various existing userland implementations of VRRP that might be able to run on OpenBSD, probably with some work to port them - e.g. freevrrpd, frr-vrrpd, vrrpd. Nothing already in the ports tree (if someone wanted to try I'd suggest starting by looking at freevrrpd). -- Please keep replies on the mailing list.
Re: CARP and VRRP compliance
Am 13.02.2024 19:07 schrieb Samuel Jayden: Also I've another question: Is it feasible to achieve CARP and VRRP interoperability through a user-space application? One step back.. you're looking for using one cisco router and one OpenBSD box as a redundant pair? I've no idea and in over 20y I did not consider doing this. If you think about how an OpenBSD pair (failover/load between themselves) and "on the other side" a Cisco pair using VRRP (acting betweeen themselves), I can tell that this works w/o having a stamped letter with some crayon on it. -- pb
Re: CARP and VRRP compliance
Hello Marcus, Thank you for your response. >From the information provided in the link, it appears that CARP and VRRP protocols aren't inherently interoperable. While Cisco may have attempted to address this by introducing a command like "disable-loop-detection carp" in its Nexus 1000V virtual router product, this solution unfortunately doesn't extend to standard router hardware, rendering it ineffective in many scenarios. Also I've another question: Is it feasible to achieve CARP and VRRP interoperability through a user-space application? I am curious if there are any existing solutions or approaches that leverage user-space applications to bridge the interoperability gap between CARP and VRRP. If anyone has insights or experiences in this area, I would greatly appreciate hearing about them. Thank you for considering my inquiries. Best regards Sam On Tue, Feb 13, 2024 at 8:26 PM Marcus MERIGHI wrote: > Hello Samuel, > > samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET): > > I am reaching out to seek guidance on creating redundancy between a Cisco > > Router and OpenBSD. After conducting extensive research on the subject, I > > find myself in need of clarification on a specific point. > > This has some background info for you: > > https://mwl.io/archives/1866 > > Marcus >
Re: CARP and VRRP compliance
Hello Samuel, samueljaydan1...@gmail.com (Samuel Jayden), 2024.02.13 (Tue) 17:35 (CET): > I am reaching out to seek guidance on creating redundancy between a Cisco > Router and OpenBSD. After conducting extensive research on the subject, I > find myself in need of clarification on a specific point. This has some background info for you: https://mwl.io/archives/1866 Marcus
CARP and VRRP compliance
Hello OpenBSD, I am reaching out to seek guidance on creating redundancy between a Cisco Router and OpenBSD. After conducting extensive research on the subject, I find myself in need of clarification on a specific point. My intention is to employ the use of the CARP protocol in OpenBSD and VRRP on the Cisco Router. However, I am uncertain about the compatibility between OpenBSD's CARP and Cisco's VRRP protocols. If any of you have practical experience or insights into using these two protocols simultaneously within the same broadcast domain, I would greatly appreciate hearing about your experiences. Thank you in advance for your time and assistance. Best regards Sam