Common Address Redundancy Protocol
The Common Address Redundancy Protocol (CARP) is a protocol that allows multiple hosts on the same local network to share a set of IP addresses. Its primary purpose is to provide failover redundancy, especially when used with firewalls and routers. In some configurations CARP can also provide load balancing. It is a free, non-patent-encumbered alternative to Cisco's HSRP. CARP is mostly implemented in BSD operating systems.
Example
If a single computer runs a packet filter and it goes down, the networks on either side of it either can no longer communicate with each other, or (if a bypass exists) communicate without any packet filtering. If instead two computers run the packet filter and CARP, then when one fails the other takes over the shared address, and hosts on either side of the filter never see the failure, so operation continues as normal. So that the new master behaves exactly like the old one, pfsync, a pseudo-interface that carries pf state-table changes between the firewalls, is used to synchronize packet filter states; established connections then survive the switch instead of being dropped by the new master as unknown traffic. pfsync messages carry no authentication of their own, so the synchronization interfaces are normally joined by a dedicated link (or protected with IPsec).
Principle of redundancy
A group of hosts using CARP is called a redundancy group (the page's source calls it a "group of redundancy"). The group is identified by a virtual host ID (vhid) and allocates itself one or more IP addresses that are shared by its members. Within the group one host is designated the master; the others are backups (older texts say "slaves"). The master is the host that holds the shared address: it answers ARP requests for it, handles the traffic sent to it, and periodically advertises its claim to the group, and a backup that stops hearing those advertisements takes the address over. A host can belong to several redundancy groups at once. Each host must also have its own unique IP address on the interface that carries the group.

A common use of CARP is a group of redundant firewalls. The virtual IP address allotted to the group is configured as the default router on the computers behind the firewalls. If the master firewall fails or is disconnected from the network, the virtual address is taken over by one of the backup firewalls and service continues uninterrupted.
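The election rules above, and the firewall failover scenario of the Example section, can be followed in a toy model. The code below is an added illustration written for this page, not OpenBSD's ip_carp.c: the advertisement layout (vhid, advbase, advskew, counter followed by an HMAC-SHA1), the passphrase "mekmitasdigoat", the host roles and the timings are all constructed. It models a master advertising every advbase + advskew/256 seconds, a backup taking the address after 3*advbase + advskew/256 seconds of silence, a host with the shorter interval winning (at once when preempt is on), and the keyed-hash check that makes a host without the group passphrase unable to claim the address.

```python
"""Toy model of CARP master election with authenticated advertisements.
Added illustration for this article, not OpenBSD's ip_carp.c: the packet layout
is constructed and the rules are simplified to those the text describes."""
import hashlib, hmac, struct

HDR = struct.Struct("!BBBQ")   # vhid, advbase, advskew, counter (constructed layout)

def make_adv(vhid, advbase, advskew, counter, passphrase):
    """Packed fields followed by an HMAC-SHA1 over them keyed by the group passphrase."""
    body = HDR.pack(vhid, advbase, advskew, counter)
    return body + hmac.new(passphrase, body, hashlib.sha1).digest()

def parse_adv(pkt, passphrase):
    """Return (vhid, advbase, advskew, counter), or None if truncated or not authentic."""
    if len(pkt) != HDR.size + 20:
        return None
    body, mac = pkt[:HDR.size], pkt[HDR.size:]
    if not hmac.compare_digest(mac, hmac.new(passphrase, body, hashlib.sha1).digest()):
        return None
    return HDR.unpack(body)

class CarpHost:
    """One member of a redundancy group (vhid). State is BACKUP or MASTER."""
    def __init__(self, vhid, advbase, advskew, passphrase, preempt=False, now=0.0):
        self.vhid, self.advbase, self.advskew = vhid, advbase, advskew
        self.passphrase, self.preempt = passphrase, preempt
        self.state, self.counter = "BACKUP", 0
        self.last_heard, self.last_sent = now, None   # last authentic master adv / own adv

    def interval(self):             # advertisement period while master
        return self.advbase + self.advskew / 256.0

    def master_down_timeout(self):  # how long a backup waits before taking the address
        return 3 * self.advbase + self.advskew / 256.0

    def receive(self, pkt, now):
        fields = parse_adv(pkt, self.passphrase)
        if fields is None:
            return "dropped:bad-auth"       # wrong passphrase or damaged packet
        vhid, advbase, advskew, _counter = fields
        if vhid != self.vhid:
            return "dropped:other-group"
        theirs = advbase + advskew / 256.0
        if self.state == "MASTER":
            if theirs < self.interval():    # someone better is advertising: step down
                self.state, self.last_heard = "BACKUP", now
                return "demoted"
            return "ignored"
        if self.preempt and self.interval() < theirs:
            self.state = "MASTER"           # we are better and preempt is on: take over
            return "preempted"
        self.last_heard = now
        return "accepted"

    def tick(self, now):
        """Return an advertisement if this host is (or just became) master and one is due."""
        if self.state == "BACKUP":
            if now - self.last_heard < self.master_down_timeout():
                return None
            self.state = "MASTER"           # master went silent: take the shared address
        if self.last_sent is not None and now - self.last_sent < self.interval():
            return None
        self.last_sent, self.counter = now, self.counter + 1
        return make_adv(self.vhid, self.advbase, self.advskew, self.counter, self.passphrase)

def step_lan(hosts, now):
    """One clock tick on a shared segment: due masters advertise, every other host hears it."""
    for h in hosts:
        pkt = h.tick(now)
        if pkt is not None:
            for other in hosts:
                if other is not h:
                    other.receive(pkt, now)

def run_scenario():
    """Two firewalls in vhid 1 plus a rogue box without the passphrase (values constructed)."""
    key = b"mekmitasdigoat"
    fw1 = CarpHost(1, 1, 0, key, preempt=True)     # advertises every 1.00 s
    fw2 = CarpHost(1, 1, 100, key, preempt=True)   # advertises every 1.39 s
    result = {}
    half_steps = lambda a, b: (k / 2 for k in range(2 * a, 2 * b))
    # t=0..10: fw1's 3.0 s timeout expires before fw2's 3.39 s, so fw1 becomes master.
    for t in half_steps(0, 10):
        step_lan([fw1, fw2], t)
        if fw1.state == "MASTER":
            result.setdefault("elected_at", t)
    result["phase1"] = (fw1.state, fw2.state)
    # A host that does not know the passphrase sends a "better" advertisement (advskew 0).
    rogue = make_adv(1, 1, 0, 99, b"wrong-passphrase")
    result["rogue"] = (fw1.receive(rogue, 10.0), fw2.receive(rogue, 10.0))
    # t=10..20: fw1 has died (it no longer ticks); fw2 takes over once its timeout expires.
    for t in half_steps(10, 20):
        step_lan([fw2], t)
        if fw2.state == "MASTER":
            result.setdefault("failover_at", t)
    # t=20..25: fw1 returns; with preempt on it wins the address back and fw2 steps down.
    fw1 = CarpHost(1, 1, 0, key, preempt=True, now=20.0)
    for t in half_steps(20, 25):
        step_lan([fw1, fw2], t)
    result["phase3"] = (fw1.state, fw2.state)
    return result

if __name__ == "__main__":
    print(run_scenario())
```

Running run_scenario() shows fw1 claiming the address at t=3.0 s, the rogue advertisement dropped by both members as "dropped:bad-auth", fw2 taking over at t=12.5 s (3.5 s after fw1's last advertisement, the first tick past its 3.39 s timeout), and fw1 winning the address back on its return because preempt is on; with preempt off a returning host stays a backup until the current master fails. The preempt flag corresponds to the net.inet.carp.preempt sysctl on the BSDs, advbase/advskew and the passphrase to the advbase, advskew and pass parameters of carp(4).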
History
In the late 1990s the IETF began working on a solution to the problem of shared IPs. In 1997, Cisco informed them that this was already covered by Cisco patents. In 1998, Cisco told them it was covered by its patent on HSRP (Hot Standby Router Protocol). Nonetheless, the IETF continued work on VRRP (Virtual Router Redundancy Protocol). After some debate, it was decided that patented material could be allowed in a standard as long as it was available under RAND (Reasonable and Non-Discriminatory) licensing terms. Because VRRP fixed problems with the HSRP protocol, Cisco began using VRRP instead, while still claiming it as its own.
Cisco informed the OpenBSD developers that it would enforce its HSRP patent. This may have been related to its lawsuit with Alcatel. A free implementation of VRRP therefore could not be made: the "reasonable and non-discriminatory" licensing terms necessarily excluded open-source implementations. The OpenBSD developers started CARP as an alternative to the patented VRRP, and to avoid infringing the HSRP patent they made sure CARP's design was fundamentally different. Because of OpenBSD's focus on security, CARP was designed with security in mind and uses cryptography: each advertisement is authenticated with a keyed hash (an HMAC) computed with a passphrase shared by the group, so a host that does not know the passphrase cannot claim the shared address. CARP became available, completely free, in October 2003. It was integrated into FreeBSD and first released with FreeBSD 5.4 in May 2005. It has since been integrated into NetBSD as well.
No official internet protocol number
From OpenBSD.org:
As a final note of course, when we petitioned IANA, the
IETF body regulating "official" internet protocol numbers,
to give us numbers for CARP and pfsync our request was denied.
Apparently we had failed to go through an official standards
organization. Consequently we were forced to choose a protocol
number which would not conflict with anything else of value,
and decided to place CARP at IP protocol 112. We also placed
pfsync at an open and unused number. We informed IANA of these
decisions, but they declined to reply.
IP protocol numbers at the time when the above request was made were allocated by IANA according to the rules in RFC 2780, i.e., under the "IESG Approval" or "Standards Action" process (with "Expert Review" being a third option that was not applicable to this request). Both of these processes require a textual specification describing the protocol for which a protocol number is requested, which did not exist for CARP. The OpenBSD implementation is the closest thing to a formal specification of the protocol, but source code - especially source code licensed under specific terms - is not the same as a textual technical specification. No technical specification was submitted for CARP, and IANA declined the request.
The incompatible Cisco/IETF VRRP also uses IP protocol 112, which IANA had assigned to it. A packet filter rule that passes protocol 112 (pf's "proto carp") therefore also passes VRRP advertisements, and the two protocols cannot be told apart by protocol number alone.
See also
- OpenBSD
- FreeBSD
- Gateway Load Balancing Protocol (GLBP)
- HSRP
- pfsync
- VRRP
- IPMP