CARP protocol details

CARP protocol details-Linux Enterprise Application-Linux server application information. The following is a detailed description. Today, I sorted out the information about the CARP of OpenBSD. google found the following information:

The Common Address Redundancy Protocol manages failover at the intersection of Layers 2 and 3 in the OSI Model (link layer and IP layer ). each CARP group has a virtual MAC (link layer) address, and one or more virtual host IP addresses (the common address ). CARP hosts respond to ARP requests for the common address with the virtual MAC address, and the CARP advertisements themselves are sent out with this as the source address, which helps switches quickly determine which port the virtual MAC address is currently "".

The master of the address sends out CARP advertisement messages via multicast using the CARP protocol (IP Protocol 112) on a regular basis, and the backup hosts listen for this advertisement. if the advertisements stop, the backup hosts will begin in advertising. the advertisement frequency is retriable, and the host which advertises most frequently is the one most likely to become master in the event of a failure.

A reader who is familiar with VRRP will find this is somewhat familiar, however there are some significant differences:

· The CARP protocol is address family independent. The OpenBSD implementation supports both IPv4 and IPv6, as a transport for the CARP packets as well as common addresses to be shared.

· CARP has an "arpbalance" feature that allows multiple hosts to share a single IP address simultaneously; in this configuration, there is a virtual MAC address for each host, but only one IP address.

· CARP uses a cryptographically strong SHA-1 HMAC to protect each advertisement.

Besides these technical differences, there is another significant difference (perhaps the most important one, in fact): CARP is not patent encumbered. see this page for details on the history of CARP and our reasons for avoiding a VRRP implementation.


CARP protocol details
-- Principle and structure of the CARP Protocol

/* Author: xie_minix */
　
CARP --- general address redundancy protocol

Source code: (OpenBSD System) src/sys/netinet/ip_carp.h, Revision 1.8

In the core configuration file/sys/arch/i386/conf/GENERIC, it is defined:

Pseudo-device carp [count]

Here, count is the number of virtual devices that support carp.

Description:

The carp interface is a virtual device (Note: Virtual devices do not actually exist in the machine ).

The Clone Technology of the interface is used to generate. For example, the function of mounting a device in the carp Program (generally, the device is mounted with the "device name"

+ Attach ") carpattch is just a simple function to call the clone and mount function of a common device in the common interface file (if. c ).

If_clone_attach (source code: 753 rows). In fact, this carp is inserted in the list of all devices generated by cloning.

Device to the header (the global variable if_cloners is the head of the linked list of all clone devices. Source Code: if. c 135th ).

The CARP protocol is a protocol based on the IP address. Note the differences between carp and CARP. That is, carp represents a virtual device.

This device provides support for the CARP protocol. The CARP protocol will be described below. Let's take a look at the role of carp. The carp interface allows

Xu Local Network (note that it is the same network segment and cannot span the vro) multiple machines share one (Group) IP address. The actual

The result is that when a host with this IP address fails to work in case of an accident, other machines can automatically

It is very good for the firewall system to provide the redundancy function. Currently, it has the redundancy function.

The firewall system only has the OpenBSD system. Of course, I raised a similar question when I was engaged in ARP research, that is, what is the core?

The implementation of IP spoofing technology can only be one-way Implementation of spoofing. After some settings of carp, it can also provide the load balancing function.

For more information about these articles, see Ryan McBride.

　

Usage:

To use the carp device, you must first add support for carp when compiling the kernel.

Add the following to/sys/arch/i386/conf/GENERIC (or your own core configuration file:

Pseudo-device carp 16 (Note: there are parameters in the Man manual, that is, the parameters can be connected after the carp, but the parameters are not described in the latest GENERIC)

After compiling the core, use ifconfig carp0 create to create the carp 0th device.

Use: ifconfig carp0 vhid 1 pass mekmitasdigoat 192.168.1.10 255.255.255.0 to set the first carp device on the local machine.

It means that the host number of the carp 0th device (that is, the first one) is 1, and the pass is followed by the communication characters encrypted with SHA1 (of course, you can take it as needed, but only

The IP address is the IP address of the carp device.

Note:

In fact, any ifconfig will call the ioctl function (that is, the device name + "_ ioctl", in this example, carp_ioctl) in the source code of the device to be set ).

Our parameter 1, mekmitasdigoat and so on will all be put in a carpreq structure. In line 1594 of the source code, there will be a declaration: struct carpreq carpr;

Copy the parameter from the user area to the carpreq structure instance in the core area through copyin (ifr-> ifr_data, & carpr, sizeof carpr) (source code 1687 line)

In carpr. Then set the hardware address of the device. Let's take a look at line 1718 of the source code:

SC-> SC _vhid = carpr. carpr_vhid;
SC-> SC _ac.ac_enaddr [0] = 0;
SC-> SC _ac.ac_enaddr [1] = 0;
SC-> SC _ac.ac_enaddr [2] = 0x5e;
SC-> SC _ac.ac_enaddr [3] = 0;
SC-> SC _ac.ac_enaddr [4] = 1;
SC-> SC _ac.ac_enaddr [5] = SC-> SC _vhid;

The first five addresses of the above ac_enaddr indicate that the CARP protocol uses multicast addresses. The last address of the hardware address is the host number in the parameter, that is.

The host number in ifconfig is used to set the carp address.

The mekmitasdigoat parameter is processed in line 1 of the source code. bcopy (carpr. carpr_key, SC-> SC _key, sizeof (SC-> SC _key ));

Put the parameter (carpr_key, a member of the carpreq structure) to SC _key, a member of the carp_softc structure. The carp_softc structure is dedicated to interface devices.

Data structure. Each interface has a corresponding structure (for details, see "Ethernet universal driver source code explanation" written in xie_minix ).

The source code implementation will be described in detail. Now let's take a look at the length of SC _key, a member of carp_softc. source code line 127: unsigned char SC _key [CARP_KEY_LEN];

Here, CARP_KEY_LEN is defined in this article (that is, the carp. h header file). The length is 20. That is why the maximum length of the parameter is 20 characters. The above settings are only

Configure the backup machine. Use the following syntax to configure the master machine:

Ifconfig carp0 create

Ifconfig carp0 vhid 1 advskew 100 pass mekmitasdigoat 192.168.1.10 255.255.255.0

Of course, these statements are executed on another machine. The only difference is that the advskew 100 parameter is added, which is used to set the frequency at which the main machine sends an advertisement package (CARP ).



　

Block Diagram of the CARP protocol:

Bit Length | 0------45------7 | 8--------------1516------------2324------------31 |

Version-type virtual host id carp advertising time microsecond-level COUNTER + HMAC 32-bit length is the number of rows in line 3-9
Keep the CARP ad time second-level checksum
High 32-bit counter
64-bit low 32-bit counter
HASH Value of the MAC address of the Local Machine (Part 1)
HASH Value of the MAC address of the Local Machine (Part 2)
HASH Value of the local MAC address (part 3)
HASH Value of the MAC address of the Local Machine (part 4)
HASH Value of the MAC address of the Local Machine (Part 5)

In the following structure description.
1.1 mcbride 56: struct carp_header {/* the header of the CARP protocol. In fact, this Protocol only has the header */
57: # if BYTE_ORDER = LITTLE_ENDIAN/* Small Header byte order */
58: u_int8_t carp_type: 4,/* This member is only carried out in the carp_send_ad function (timed CARP advertising)
Fill in the CARP_ADVERTISEMENT constant. Other variables are useless. In fact, this member can be expanded later .*/
59: carp_version: 4;/* version number, that is, the CARP_VERSION constant is filled during sending and
The carp_input_c function (that is, the receiving package processing function) is used to determine whether the version of the CARP package sent by the other host is not CARP_VERSION.
This package will be discarded. Let's look at the original form: if (ch-> carp_version! = CARP_VERSION). This member must also be
Fill in the value */
60: # endif
61: # if BYTE_ORDER = BIG_ENDIAN
62: u_int8_t carp_version: 4,
63: carp_type: 4;
64: # endif
65: u_int8_t carp_vhid;/* virtual host ID */
66: u_int8_t carp_advskew;/* the millisecond-level value of the CARP advertisement. When the master and slave hosts are in the preemption mode
The value is the same as the value of the following advbase in seconds to determine which machine is the master and which is the master machine .*/
67: u_int8_t carp_authlen;/* The 32-bit length of counter + md, which can be viewed as 7.
The reason for not filling 7 directly is probably for future expansion. in the program, except for filling 7 During sending, It is not judged during receiving. It is a bit redundant at present */
68: u_int8_t carp_pad1;/* Reserved */
69: u_int8_t carp_advbase;/* second interval for issuing CARP advertisements, used with advskew above */
70: u_int16_t carp_cksum;/* checksum */
71: u_int32_t carp_counter [2];/* is actually a 64-bit long counter. It is somewhat similar to the IP number */
1.8 | mcbride 72: unsigned char carp_md [20];/* MAC address HASH with SHA1 */
1.4 avsm 73: }__ packed;/* The description is compact */
1.1 mcbride 74:
75: # define CARP_DFLTTL 255/* the TTL value of the IP package when the CARP is sent. Anyone who understands the IP protocol knows this.
When the TTL value passes through the router, It is reduced by 1. In the CARP receiving program, it determines whether the TTL value of the IP package is less than 255. If the TTL value is smaller than, it indicates that the load of the CARP
The IP package is from the Internet and is a suspicious package, Because CARP itself is based on the Intranet .*/
76:
77:/* carp_version */
78: # define CARP_VERSION 2/* CARP version */
79:
80:/* carp_type */
81: # define CARP_ADVERTISEMENT 0x01/* CARP package type. Note that only this type is available currently.
Expansion. For example, if encrypted filtering rules are added to the CARP firewall Redundancy System, the advantage is that the two openbsdks with CARP redundancy systems can be used randomly.
When one server fails, the other server automatically obtains the latest filter rules .*/
82:
83: # define CARP_KEY_LEN 20/* is used for the MAC address of a local CARP virtual device.
Length of the value generated after HASH. The member in carp_softc is represented as SC _key [CARP_KEY_LEN]. The filling of this value is generally initialized on the CARP device.
When the MAC address is hashed, it is filled in the 20-byte long area .*/
84:
85:/* carp_advbase */
86: # define CARP_DFLTINTV 1
87:
88 :/*
89: * statistical data.
90 :*/
91: struct carpstats {
1.6 mcbride 92: u_int64_t carps_ipackets;/* Number of incoming packets in IPV4 */
93: u_int64_t carps_ipackets6;/* Number of incoming packets in IPV6 */
94: u_int64_t carps_badif;/* If the interface of the received packet does not have CARP, add 1 */
95: u_int64_t carps_badttl;/* TTL is not CARP_DFLTTL, it is only 255 */
96: u_int64_t carps_hdrops;/* if the length of the mbuf is smaller than the IP header + the length of the CARP structure */
97: u_int64_t carps_badsum;/* checksum and Error */
98: u_int64_t carps_badver;/* incorrect version number */
99: u_int64_t carps_badlen;/* the IP address + CARP> group length is incorrect */
100: u_int64_t carps_badauth;/* the error HASH Content Length value, which should be 7 */
101: u_int64_t carps_badvhid;/* incorrect vm id */
102: u_int64_t carps_badaddrs;/* never used */
103:
104: u_int64_t carps_opackets;/* number of packets sent from IPV4 */
105: u_int64_t carps_opackets6;/* number of packets sent from IPV6 */
106: u_int64_t carps_onomem;/* failed to apply for memory when sending the CARP package */
107: u_int64_t carps_ostates;/* has never been used */
1.1 mcbride 108:
1.6 mcbride 109: u_int64_t carps_preempt;/* never used */
1.1 mcbride 110 :};
111:
112 :/*
113: * used for siocsvh siocgvh, that is, to set (obtain) parameters such as the ID and AD interval of the carp device of the machine
114 :*/
115: struct carpreq {/* this structure is used to place parameters transmitted from the user zone */
/* In the statement copyin (ifr-> ifr_data, & carpr, sizeof carpr), the data is copied from the user area to the structure of the core area (carpr is */
/* An instance of the carpreq structure). In subsequent programs, you must use each of its members to set the carp_softc attribute of the carp device */
116: int carpr_state;/* indicates the State to be changed when the user wants to set (during SIOCSVH */
/* If the native carp device is enabled and the status to be changed is the same as the existing status, nothing will be changed .*/
117: # define CARP_STATES "INIT", "BACKUP", "MASTER"
118: # define CARP_MAXSTATE 2
119: int carpr_vhid;
120: int carpr_advskew;
121: int carpr_advbase;
122: unsigned char carpr_key [CARP_KEY_LEN];
123 :};
124: # define SIOCSVH _ IOWR ('I', 245, struct ifreq)
125: # define SIOCGVH _ IOWR ('I', 246, struct ifreq)
126:
127 :/*
128: * Names for CARP sysctl objects
129 :*/
130: # define CARPCTL_ALLOW 1/* in the carp_input function, determine whether the CARP interface allows receiving CARP packets */
131: # define CARPCTL_PREEMPT 2/* preemption mode */
132: # define CARPCTL_LOG 3/* records the wrong package */
133: # define CARPCTL_ARPBALANCE 4/* balanced ARP response */
134: # define CARPCTL_MAXID 5
135:
136: # define CARPCTL_NAMES {\
137: {0, 0 },\
138: {"allow", CTLTYPE_INT },\
139: {"preempt", CTLTYPE_INT },\
140: {"log", CTLTYPE_INT },\
141: {"arpbalance", CTLTYPE_INT },\
142 :}
143:
144: # ifdef _ KERNEL/* indicates that the following function is used in the core. It is a global function */
145: void carp_ifdetach (struct ifnet *);/* uninstall the carp interface */
146: void carp_input (struct mbuf *,...);/* called by the ether_input function, a common Ethernet routine */
1.5 mcbride 147: void carp_carpdev_state (void *);/* the newly added function has not been viewed yet. It is estimated that it is used to view the status and statistics of the CARP virtual device */
1.2 mcbride 148: int carp6_input (struct mbuf **, int *, int);/* use IPV6 */
1.1 mcbride 149: int carp_output (struct ifnet *, struct mbuf *, struct sockaddr *,
150: struct rtentry *);
151: int carp_iamatch (void *, struct in_ifaddr *, struct in_addr *,
152: u_int8_t **);
1.2 mcbride 153: struct ifaddr * carp_iamatch6 (void *, struct in6_addr *);
154: void * carp_macmatch6 (void *, struct mbuf *, struct in6_addr *);
1.1 mcbride 155: struct ifnet * carp_forus (void *, void *);
156: int carp_sysctl (int *, u_int, void *, size_t *, void *, size_t );
157: # endif