Date: Thu, 24 May 2001 01:38:36 +0200
To: jetienne@xxxxxxxxxx
From: Alexandre Cassen <Alexandre.Cassen@xxxxxxxxxx>
Subject: [VRRP] IPSEC AH contrib to vrrpd
Cc: alanr@xxxxxxx;lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Hi,
I have just finish a modest contribution for vrrpd. I have added support
IPSEC AH
authentication using HMAC-MD5-96bits.
-----------------------------------------------------------------------------------------------------------------
The point to the modifications I made :
1. Adding IPSEC AH support according to the rfc2401, rfc2402 & rfc2104.
1.1. HMAC-MD5 using a 96bits truncated value so no padding needed in AH.
For the SPI, I have choosen the ip header src address as
discribed in the
internet draft : <draft-paridaens-xcast-sec-framework-01.txt> :
/* The SPI value is filled with the ip header source address.
SPI uniquely identify the Security Association (SA). This value
is chosen by the recipient itself when setting up the SA. In a
multicast environment, this becomes unfeasible.
If left to the sender, the choice of the SPI value should be done
so by the sender that it cannot possibly conflict with SPI values
chosen by other entities sending IPSEC traffic to any of the
receivers.
To overpass this problem, the rule I have chosen to implement
here is
that the SPI value chosen by the sender is based on unique
information
such as its IP address.
*/
1.2. Anti-replay have been done using a non cycling counter. In the
current
implementation cycled value is assumed if 0xFFFFFFFD reached. If
counter
have cycled in a MASTER state, daemon stop sending adverts and
become
BACKUP (If all the master are down, we reset the counter for
becoming MASTER).
=> more work needed here
2. Code some requested things in the TODO.
2.1. Added a dynamic buffer memory allocation for use in state_mast &
state_back.
2.2. Added incoming packet check integrity for a VRID : The ip addrs
associated with
a VRID must be the same as the ones present in the MASTER VRRP
advert.
2.3. Simple debugging function.
-----------------------------------------------------------------------------------------------------------------
I have right now no much time to enhance the vrrpd, I have put in my TODO
list for VRRP :
1. Adding return value for vrrp_in_chk() to catch errors when processing
incoming packets.
2. Synchronization between multiple VRRP instance. For example : if we
want to use VRRP
with a LVS director processing VS-NAT with 2 NIC (one assumed LAN,
other WAN), we
two vrrpd instance must be running. If one NIC crash down, the vrrpd
instance need to be
synchronized to run a coherant takeover.
3. Routing table retreive & restore using the nice libnetlink. If we use a
vrrpd with virtual MAC
address, to change MAC adresse of a specific NIC, interface need to
be shutted and upped.
The result of his process is a loosing routing table for that
specific NIC. So before shutting
down the interface, we need a retreiving function to save the rt that
we will restore after VMAC
attribution.
4. In he current vrrpd implementation, if a nasty sender send a malformed
vrrp packet, vrrpd can
be running in an inconsistent state (multiple MASTER sender). For
example : if we are using
IPSEC AH, if a sender try to flood VRRP sending malformed packets,
BACKUP will drop
them because bogus. If many drops are done, BACKUP will not receive a
good MASTER
advert in is timeout window. So BACKUP is timeout receiving MASTER
advert, then send
an advert for becoming MASTER. So the result is multiple MASTER in
the same VRID, that
cause a protocol corruption => black hole packet and DOS. So we need
to implement
something like a bogus packet timer, so the bogus packet will not
affect the BACKUP
receiving timer.
You can download the release I have incremented to 0.5 at :
http://keepalived.sourceforge.net
Any comments and points of vue will be very welcome.
Best regards,
Alexandre
