lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:	Sat, 14 Jun 2008 18:04:32 +0400
From:	Evgeniy Polyakov <johnpol@....mipt.ru>
To:	netdev@...r.kernel.org
Subject: CARP: Common Address Redundancy Protocol for Linux kernel release.

Hi.

This is not a new project, and it has number of pros and cons to be in
kernel, so I post a note about it here in case people are interested to
create high-avaliable systems with multiple machines.

CARP is an improved version of the Virtual Router Redundancy Protocol
(VRRP) standard. The latest protocol to help provide high availability
and network redundancy, it was developed because router giant Cisco
Systems believes that its Hot Standby Router Protocol (HSRP) patent
covers some of the same technical areas as VRRP.

CARP is cryptographically secure, since it uses hmac to protect its
content. It also does not have replay message attack vector which exists
in OpenBSD implementation (its practical application is questionable
though).

Main advantage over hearbeat-like approaches is ability to scale to
whatever you need number of nodes without needs for persitent connection
(wired, serial or whatever else) between them, the same media as for
data transfer is used (iirc heartbeat 2 does not have it problem?).
Advantage over userspace CARP solution (and heartbeat too) is ability to
control network device on behalf of which data is broadcasted (like
create persistent MAC address between nodes). Aliasing is not a solution
in multiple cases.

CARP configuation is pretty trivial:
$ tar -zxf carp_latest.tar.gz
$ cd carp
$ make

# insmod ip_carp.ko
# modprobe cn
# insmod carp_conn.ko
# ifconfig carp0 up
# carp_conn_daemon -m master.sh -b backup.sh

And the same on all other machines.
Each script as you got from its name is executed when node becomes
master or backup one, you can put there firewall rule changes, traffic
shaping setup, network daemon start/stop scripts and whatever you like.

CARP homepage:
http://tservice.net.ru/~s0mbre/old/?section=projects&item=carp

-- 
	Evgeniy Polyakov
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists