Hello fellow geeks,
Today I ran across this small article titled Using VRRP on Linux improves network availability. It got me curious! The last time I remember hearing about it was around 2002 when I was looking for a way to keep my firewall/router failure-proof.
Briefly, VRRP [Virtual Router Redundancy Protocol], HSRP [Hot Standby Router Protocol] and CARP [Common Address Redundancy Protocol] are each meant to provide failover redundancy for firewalls and routers, mainly by sharing some kind of virtual MAC address and an IP address between them. This way, when your primary firewall/router fails, another pre-configured firewall/router (the slave) takes its place almost transparently.
Not wanting to get into more detail on the protocols themselves, I would like to point out a few things to all you sysadmins out there.
VRRPd is compatible, as any standards-based implementation should be, with other VRRP implementations (e.g. Cisco, Juniper), but as you can see it has been some time now (4 1/2 years) since the last commit. Is it good? Guess not...
CARP, on the other hand, is not a standard but an impressive implementation worth having in mind. Citing Wikipedia/OpenBSD.org:
As a final note of course, when we petitioned IANA, the IETF body regulating “official” internet protocol numbers, to give us numbers for CARP and pfsync our request was denied. Apparently we had failed to go through an official standards organization. Consequently we were forced to choose a protocol number which would not conflict with anything else of value, and decided to place CARP at IP protocol 112. We also placed pfsync at an open and unused number. We informed IANA of these decisions, but they declined to reply.
The reason for this is that no specification for CARP has ever been written. The closest thing to specifications is the implementation in OpenBSD.
Note that VRRP also uses IP protocol 112, having been assigned it by IANA.
1) HSRP is a proprietary protocol patented by Cisco;
2) VRRP is the result of an IETF effort that solved some HSRP issues. Still, Cisco claims it as its own;
3) CARP is the result of the OpenBSD developers' effort to implement a protocol as described above while avoiding problems with Cisco's patents. IMHO they are doing a great job!
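Since the post mentions that VRRP rides on IP protocol 112 and that the routers in a group share a virtual MAC and IP address, here is an added example of my own (not code from the article, from VRRPd, or from any CARP implementation) that builds and decodes a VRRPv2 advertisement as laid out in RFC 3768, derives the shared virtual MAC from the VRID, and compares what is observed on the segment against an inventory of the groups you actually configured. That is the check I would want when auditing a segment: any VRID or address you did not configure shows up as a finding. The INVENTORY dictionary and the 192.0.2.x addresses are constructed sample values, and the packets are built in memory rather than captured.

```python
"""Decode and audit VRRPv2 advertisements (IP protocol 112).

Added example; packet layout follows RFC 3768. Sample packets and the
inventory below are constructed, no live capture is involved.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VRRP_IP_PROTOCOL = 112            # the number CARP also settled on, as the post notes
VRRP_MCAST_GROUP = "224.0.0.18"   # destination of every VRRPv2 advertisement


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def virtual_mac(vrid: int) -> str:
    """The virtual MAC a VRRP group shares: 00-00-5E-00-01-{VRID} (RFC 3768)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


@dataclass
class VrrpAdvertisement:
    vrid: int
    priority: int
    auth_type: int
    advert_interval: int
    addresses: list
    checksum_ok: bool


def build_vrrp_v2(vrid: int, priority: int, addresses: list, interval: int = 1) -> bytes:
    """Build a VRRPv2 advertisement (type 1) with auth type 0, as RFC 3768 requires."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                         len(addresses), 0, interval, 0)          # checksum zeroed for now
    body = header + b"".join(IPv4Address(a).packed for a in addresses) + bytes(8)
    csum = internet_checksum(body)                                 # covers the whole message
    return body[:6] + struct.pack("!H", csum) + body[8:]


def parse_vrrp_v2(payload: bytes) -> VrrpAdvertisement:
    """Decode the VRRP payload that follows the IPv4 header of a protocol-112 packet."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, auth_type, interval, _ = struct.unpack("!BBBBBBH", payload[:8])
    version, ptype = vt >> 4, vt & 0x0F
    if version != 2 or ptype != 1:
        raise ValueError(f"unsupported VRRP version/type {version}/{ptype}")
    length = 8 + 4 * count + 8      # header + IPv4 addresses + 8 bytes of auth data
    if len(payload) < length:
        raise ValueError("address count exceeds packet length")
    addresses = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    # A message whose checksum is intact folds to zero when re-summed.
    checksum_ok = internet_checksum(payload[:length]) == 0
    return VrrpAdvertisement(vrid, priority, auth_type, interval, addresses, checksum_ok)


def audit(adv: VrrpAdvertisement, inventory: dict) -> list:
    """Flag advertisements that do not match the groups we configured ourselves."""
    findings = []
    if not adv.checksum_ok:
        findings.append("bad checksum")
    expected = inventory.get(adv.vrid)
    if expected is None:
        findings.append(f"VRID {adv.vrid} not in inventory")
    elif set(adv.addresses) != set(expected):
        findings.append(f"VRID {adv.vrid} advertises {adv.addresses}, expected {sorted(expected)}")
    return findings


# Constructed inventory: the single VRRP group this site intends to run.
INVENTORY = {1: {"192.0.2.1"}}

if __name__ == "__main__":
    pkt = build_vrrp_v2(vrid=1, priority=100, addresses=["192.0.2.1"])
    adv = parse_vrrp_v2(pkt)
    print(adv, "virtual MAC", virtual_mac(adv.vrid), "findings", audit(adv, INVENTORY))
    rogue = parse_vrrp_v2(build_vrrp_v2(vrid=7, priority=100, addresses=["192.0.2.9"]))
    print("unexpected group:", audit(rogue, INVENTORY))
```

In practice you would feed parse_vrrp_v2 the payload of every packet with IP protocol 112 sent to 224.0.0.18, and keep INVENTORY in step with the keepalived or router configuration of each segment; a finding then means either a misconfiguration or a host speaking VRRP that should not be.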
What matters to me the most is that OpenBSD offers something more than CARP, which happens to be packet filtering rules and connection state sharing between CARP’ed machines. More on that in the next post 😉