Common Address Redundancy Protocol

from Wikipedia, the free encyclopedia

The Common Address Redundancy Protocol (CARP) is a network protocol used to increase the availability of IP systems. It achieves this by letting several computers within a local network share the same virtual IP and MAC addresses for communication with other systems. The main area of application of CARP is the construction of highly available gateways (routers / firewalls); application servers can, however, also be made highly available with CARP. In the Internet protocol suite it is protocol number 112.

CARP was developed by the OpenBSD team. The development became necessary because, for patent reasons, VRRP cannot be used as part of an open source project, so a separate protocol had to be written. This also made it possible to avoid fundamental flaws of VRRP and HSRP. The first version of OpenBSD to include CARP was version 3.5.

CARP has since been ported to other platforms. A free userland port is UCARP (currently available for Linux 2.4 / 2.6, OpenBSD and NetBSD). Kernel implementations exist for DragonFly BSD, FreeBSD and NetBSD.

Differentiation from VRRP

The basic task and functionality of CARP are similar to VRRP, but there are some fundamental differences:

  • The most important advantage of CARP is that, unlike VRRP, anyone can use it free of patent restrictions.
  • A fundamental difference from VRRP is that CARP works independently of the network-layer protocol, so it can be used for both IPv4 and IPv6.
  • In addition, great importance was attached to security in the development of CARP; for example, the messages exchanged between the cluster members are by design cryptographically signed (SHA-1 / HMAC).
  • CARP supports a feature called arpbalance: all computers use the same virtual IP address, but each computer still has its own virtual MAC address, which allows load to be distributed between the computers. So far this feature only works under OpenBSD and under FreeBSD up to version 9.3; userland CARP (UCARP) does not yet implement it for other platforms such as Linux.

Functionality

To use CARP, you need at least two systems that perform the same task and are in the same subnet. Each of these systems has its own unique IP and MAC address, and together they form a cluster. The cluster is additionally assigned a virtual IP and MAC address, through which it communicates with other systems. For this to work, one cluster member becomes the master and the others become slaves; the master handles communication with the outside world. Each cluster member uses the CARP protocol to check that the other machines are still working. If the master fails, one of the slaves takes over both the virtual MAC address and the virtual IP address.
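The master/slave mechanism described above and the authenticated advertisements from the VRRP comparison, as an added example that is not part of the article: a simplified Python model of a two-node CARP group in which each advertisement carries an HMAC-SHA1 tag, a backup treats the master as dead after 3*advbase + advskew/256 seconds of silence (the timeout carp(4) uses), and a master steps down when it hears a better one. The frame layout, the host names and the shared key are constructed for illustration and are not wire-compatible with real carp(4) packets.

```python
import hmac, hashlib, struct

PASSWORD = b"constructed-demo-key"  # constructed stand-in for the ifconfig 'pass' secret

def build_advert(vhid, advbase, advskew, counter, key=PASSWORD):
    """Pack a CARP-style advertisement and append an HMAC-SHA1 over its fields."""
    body = struct.pack("!BBBQ", vhid, advbase, advskew, counter)
    return body + hmac.new(key, body, hashlib.sha1).digest()

def parse_advert(frame, key=PASSWORD):
    """Return (vhid, advbase, advskew, counter), or None if the HMAC does not verify."""
    body, tag = frame[:-20], frame[-20:]  # 20-byte SHA-1 tag, like the carp_md field
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if len(body) != 11 or not hmac.compare_digest(tag, expected):
        return None  # forged or tampered advertisements must not influence the election
    return struct.unpack("!BBBQ", body)

class CarpNode:
    """One member of a CARP group (vhid); the lowest advskew is the preferred master."""
    def __init__(self, vhid, advskew, advbase=1, master=False):
        self.vhid, self.advskew, self.advbase = vhid, advskew, advbase
        self.state = "MASTER" if master else "BACKUP"
        self.last_seen, self.counter = 0, 0
    def dead_time(self):  # carp(4) backup timeout: 3*advbase + advskew/256 s of silence
        return 3 * self.advbase + self.advskew / 256
    def advertise(self):
        self.counter += 1
        return build_advert(self.vhid, self.advbase, self.advskew, self.counter)
    def receive(self, frame, now):
        adv = parse_advert(frame)
        if adv is None or adv[0] != self.vhid:
            return  # unauthenticated or foreign group: ignored
        _, advbase, advskew, _ = adv
        if self.state == "MASTER" and (advbase, advskew) < (self.advbase, self.advskew):
            self.state = "BACKUP"  # a better master is alive: step down
        if self.state == "BACKUP":
            self.last_seen = now  # master heard from: restart the dead timer
    def tick(self, now):
        if self.state == "BACKUP" and now - self.last_seen > self.dead_time():
            self.state = "MASTER"  # master silent too long: take over the virtual IP/MAC
        return self.state

def simulate(fail_at=5, until=12):
    """fw1 (advskew 0) is master and goes silent at fail_at; return the second fw2 takes over."""
    fw1, fw2 = CarpNode(1, advskew=0, master=True), CarpNode(1, advskew=100)
    for t in range(until):
        if t < fail_at:
            fw2.receive(fw1.advertise(), t)
        if fw2.tick(t) == "MASTER":
            return t
    return None
```

With fw2's advskew of 100 the dead timer is about 3.39 s, so fw2 takes over at the first whole second after that has elapsed since the last authenticated advertisement.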

CARP is particularly interesting in connection with highly available firewalls. There it is also necessary to synchronize the state tables so that connections are not lost if the active cluster member fails. With OpenBSD / pf, pfsync is used for this purpose; under Linux / Netfilter this function can be implemented with conntrackd.
