draft-ietf-vrrp-spec-00.txt   draft-ietf-vrrp-spec-01.txt 
INTERNET-DRAFT S. Knight INTERNET-DRAFT S. Knight
June 22, 1997 Ascend Communications, Inc. July 28, 1997 D. Weaver
D. Weaver
Ascend Communications, Inc. Ascend Communications, Inc.
D. Whipple D. Whipple
Microsoft, Inc. Microsoft, Inc.
R. Hinden R. Hinden
D. Mitzel
Ipsilon Networks, Inc. Ipsilon Networks, Inc.
Virtual Router Redundancy Protocol Virtual Router Redundancy Protocol
<draft-ietf-vrrp-spec-00.txt> <draft-ietf-vrrp-spec-01.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as ``work in progress.'' material or to cite them other than as "work in progress."
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet- Drafts "1id-abstracts.txt" listing contained in the Internet- Drafts Shadow
Shadow Directories on ds.internic.net (US East Coast), nic.nordu.net Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim). Rim).
This internet draft expires on December 23, 1997. This internet draft expires on January 29, 1998.
Abstract Abstract
The memo documents the Virtual Router Redundancy Protocol. This is a This memo defines the Virtual Router Redundancy Protocol (VRRP).
protocol which allows several routers to utilize the same virtual IP VRRP specifies an election protocol that dynamically assigns
address. One router will be elected as a master, with X routers responsibility for a virtual IP address to a single router among a
acting as backups in case of failure of the master router. The collection of VRRP routers. The VRRP router controlling the virtual
primary advantage to utilizing this protocol, is that host systems IP address is called the Master router, and forwards packets sent to
may be configured with a single default gateway, rather than running the virtual IP address. The election process provides dynamic fail
an active routing protocol. Each interface on each router within a over in the forwarding responsibility should the Master become
VRRP cluster, will be configured with a real IP address, and the unavailable. The virtual IP address can then be used as the default
virtual IP address for the particular cluster. Overall, this first hop router by end-hosts. The advantage gained from using the
protocol adds to the options for providing fault redundancy for VRRP virtual IP address is a higher availability default path without
router networks. requiring configuration of dynamic routing or router discovery
protocols on every end-host.
Table Of Contents This memo describes the features and theory of operation of VRRP.
The protocol processing and state machine that guarantee convergence
to a single Master router is presented. Also issues related to MAC
address mapping, handling ARP requests, generating ICMP redirects,
and security issues are addressed.
Table of Contents
1. Introduction...............................................3 1. Introduction...............................................3
2. Scope......................................................3 2. Scope......................................................4
3. Definitions................................................4 3. Definitions................................................6
4. Sample Configurations......................................4 4. Sample Configurations......................................8
4.1 Sample Configuration 1................................4 4.1 Sample Configuration 1................................8
4.2 Sample Configuration 2................................5 4.2 Sample Configuration 2................................9
5. Protocol...................................................6 5. Protocol..................................................10
5.1 VRRP Packet Format....................................6 5.1 VRRP Packet Format...................................10
5.2 IP Field Descriptions.................................6 5.2 IP Field Descriptions................................10
5.3 VRRP Field Descriptions...............................7 5.3 VRRP Field Descriptions..............................11
6. Protocol State Machine.....................................9 6. Protocol State Machine....................................14
6.1 Parameters..............................................9 6.1 Parameters.............................................14
6.2 Timers.................................................10 6.2 Timers.................................................14
6.3 State Transition Diagram..............................10 6.3 State Transition Diagram..............................15
6.4 State Descriptions....................................10 6.4 State Descriptions....................................15
6.5 State Table...........................................12 7. Sending and Receiving VRRP Packets........................18
7. Sending and Receiving VRRP Packets........................14 7.1 Receiving VRRP Packets................................18
7.1 Receiving VRRP Packets................................14 7.2 Transmitting Packets...................................18
7.2 Transmitting Packets...................................14 7.3 Virtual MAC Address....................................19
7.3 Virtual MAC Address....................................15 8. Host Operation............................................19
8. Host Operation............................................15 8.1 Host ARP Requests....................................19
8.1 Host ARP Requests....................................15 9. Operational Issues........................................19
9. Operational Issues........................................15 9.1 ICMP Redirects.........................................19
9.1 ICMP Redirects.........................................15 9.2 Proxy ARP..............................................19
9.2 Proxy ARP..............................................15 9.3 Network Management.....................................19
9.3 Network Management.....................................16 10. Operation over FDDI and Token Ring.......................20
10. Operation over Token Ring.................................16 11. Security Considerations...................................21
11. References................................................17 11.1 No Authentication.....................................21
12. Security Considerations...................................17 11.2 Simple Text Password..................................21
13. Authors' Addresses........................................17 11.3 IP Authentication Header..............................21
14. Acknowledgments...........................................17 12. References................................................23
15. Changes from Previous Drafts..............................18 13. Authors' Addresses........................................23
14. Acknowledgments...........................................24
15. Changes from Previous Drafts..............................25
1. Introduction 1. Introduction
The reason for the development of VRRP is to create a standard There are a number of methods that an end-host can use to determine
protocol, with multi-vendor support to resolve the problem of router its first hop router towards a particular IP destination. These
failure. Specifically, when a single router is utilized as a default include running (or snooping) a dynamic routing protocol such as
gateway, and all hosts are statically configured to this default Routing Information Protocol [RIP] or OSPF version 2 [OSPF], running
gateway, a failure is catastrophic. VRRP resolves this problem by an ICMP router discovery client [DISC] or using a statically
creating virtual clusters, where each cluster is configured with a configured default route.
set of member routers. Each member router is either a master router
for the cluster or a backup router for the cluster, but not both
simultaneously. In addition, there MUST only be a single master
router per cluster, at any given time. All member routers are
configured to be part of a cluster, with a given virtual IP address.
This virtual IP address is utilized as the default gateway on all of
the host systems. Given a failure on the current master router, the
next appropriate backup router will become the master router for the
given cluster. When routers are configured with the equal priority
the router which is master will stay master as long as it is up.
Of course this problem could be solved by running a standard routing Running a dynamic routing protocol on every end-host may be
protocol such as OSPF, RIP, or RIPv2 on the hosts. However, this is infeasible for a number of reasons, including administrative
not always feasible due to either security issues, when hosts are overhead, processing overhead, security issues, or lack of a protocol
multihomed, or in some cases implementations of these routing implementation for some platforms. Neighbor or router discovery
protocols simply do not exist. protocols may require active participation by all hosts on a network,
leading to large timer values to reduce protocol overhead in the face
of large numbers of hosts. This can result in a significant delay in
the detection of a lost (i.e., dead) neighbor, which may introduce
unacceptably long "black hole" periods.
The use of a statically configured default route is quite popular; it
minimizes configuration and processing overhead on the end-host and
is supported by virtually every IP implementation. This mode of
operation is likely to persist as dynamic host configuration
protocols [DHCP] are deployed, which typically provide configuration
for an end-host IP address and default gateway. However, this
creates a single point of failure. Loss of the default router
results in a catastrophic event, isolating all end-hosts that are
unable to detect any alternate path that may be available.
The Virtual Router Redundancy Protocol (VRRP) is designed to
eliminate the single point of failure inherent in the static default
routed environment. VRRP specifies an election protocol that
dynamically assigns responsibility for a virtual IP address to a
single router among a collection of VRRP routers. The VRRP router
controlling the virtual IP address is called the Master router, and
forwards packets sent to the virtual IP address. The election
process provides dynamic fail-over in the forwarding responsibility
should the Master become unavailable. The virtual IP address can
then be used as the default first hop router by end-hosts. The
advantage gained from using the VRRP virtual IP address is a higher
availability default path without requiring configuration of dynamic
routing or router discovery protocols on every end-host.
VRRP provides a function similar to a Cisco Systems, Inc. proprietary
protocol named Hot Standby Router Protocol (HSRP) [HSRP].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC 2119]. document are to be interpreted as described in [RFC 2119].
2. Scope 1.1 Scope
This memo describes the Virtual Router Redundancy Protocol. The remainder of this document describes the features, design goals,
and theory of operation of VRRP. The message formats, protocol
processing rules and state machine that guarantee convergence to a
single Master router are presented. Finally, operational issues
related to MAC address mapping, handling of ARP requests, generation
of ICMP redirect messages, and security issues are addressed.
This protocol is intended for IPv4 only. A version for IPv6 will be This protocol is intended for use with IPv4 routers only. A separate
defined in a separate specification. specification will be produced if it is decided that similar
functionality is desirable in an IPv6 environment.
Within the scope of this specification are: 1.2 Definitions
1. Packet format and header contents. Cluster The set of routers participating in VRRP to emulate a
2. State Diagrams and Descriptions virtual router.
3. Network Design Samples
Outside of the scope are Master Router The VRRP router controlling the virtual IP address
and assuming the responsibility of forwarding packets
sent to the virtual router.
1. Network management Backup Router The set of routers in the quiescent state with regard
2. Host internal optimizations to the virtual router operation. This set includes
all active VRRP routers within a cluster that are not
the Master router.
3. Definitions 2.0 Required Features
Cluster This section outlines the set of features that were considered
mandatory and that guided the design of VRRP.
Used to describe a set of routers who all have membership to the 2.1 Virtual IP Management
set of routers S, where S contains all routers configured with
the same virtual IP address.
Master Router Management of the virtual IP address is the primary function of the
virtual router protocol. While providing election of a Master router
and the additional functionality described below, the protocol should
strive to:
Used to describe the currently active router, for a particular - Minimize the duration of black holes.
cluster, with a particular virtual IP address. Their can only be - Minimize the steady state bandwidth overhead and processing
one master router in a particular cluster. complexity.
- Function over a wide variety of multiaccess LAN technologies
capable of supporting IP traffic.
- Provide for election of multiple virtual routers on a network for
load balancing or in support of multiple logical IP subnets on a
single LAN segment.
Backup Router 2.2 Preferred Path Indication
Used to describe a router which is configured to act as a backup A simple model of Master election among a set of redundant routers is
for a particular cluster. There can be several backup routers in to treat each router with equal preference and claim victory after
a single cluster. converging to any router as Master. However, there are likely to be
many environments where there is a distinct preference (or range of
preferences) among the set of redundant routers. For example, this
preference may be based upon access link cost or speed, router
performance or reliability, or other policy considerations. The
protocol should allow the expression of this relative path preference
in an intuitive manner, and guarantee Master convergence to the most
preferential router currently available.
2.3 Minimization of Unnecessary Service Disruptions
Once Master election has been performed then any unnecessary
transitions between Master and Backup routers can result in a
disruption in service. The protocol should ensure after Master
election that no state transition is triggered by any Backup router
of equal or lower preference as long as the Master continues to
function properly.
Some environments may find it beneficial to avoid the state
transition triggered when a router becomes available that is more
preferential than the current Master. It may be useful to support an
override of the immediate convergence to the preferred path.
2.4 Extensible Security
The virtual router functionality is applicable to a wide range of
internetworking environments that may employ different security
policies. The protocol should require minimal configuration and
overhead in the insecure operation, provide for strong authentication
when increased security is required, and allow integration of new
security mechanisms without breaking backwards compatible operation.
2.5 Efficient Operation over Extended LANs
Sending IP packets on a multiaccess LAN requires mapping from the
virtual IP address to a MAC address. The use of the virtual router
MAC address in an extended LAN employing learning bridges can have a
significant effect on the bandwidth overhead of packets sent to the
virtual router. If the virtual router MAC address is never used as
the source address in a link level frame then the station location is
never learned, resulting in flooding of all packets sent to the
virtual router. To improve the efficiency in this environment the
protocol should: 1) use the virtual router MAC as the source in a
packet sent by the Master to trigger station learning; 2) trigger a
message immediately after transitioning to Master to update the
station learning; and 3) trigger periodic messages from the Master to
maintain the station learning cache.
3.0 VRRP Overview
VRRP assumes that each router has a consistent set of routes. The
mechanism used to learn or configure this routing state and ensure
its consistency is beyond the scope of this specification.
VRRP specifies an election protocol to provide the virtual router
function described earlier. All protocol messaging is performed
using IP multicast datagrams, thus the protocol can operate over a
variety of multiaccess LAN technologies supporting IP multicast.
Each VRRP virtual router has a single well-known MAC address
allocated to it. This document currently only details the mapping to
networks using the IEEE 802 48-bit MAC address. The virtual router
MAC address is used as the source in all periodic messages sent by
the Master router to enable bridge learning in an extended LAN.
A virtual router is identified by its virtual IP address, and
associated with a VRRP cluster. The virtual IP address must not
match the real IP address of any host or the virtual IP address of
any other VRRP cluster on the LAN. Each VRRP router assigned to the
cluster must be configured with the same virtual IP address and must
have a real IP address with a prefix matching the virtual router
address. In addition, each VRRP router is assigned a priority to
indicate the preference for Master election. Multiple virtual
routers can be elected on a network by associating them with
different VRRP clusters, and a single router can participate in
multiple VRRP clusters by maintaining independent state machines for
each cluster.
To minimize network traffic, only the Master router sends periodic
Advertisement messages. A Backup router will not attempt to pre-empt
the Master unless it has higher priority. This eliminates service
disruption unless a more preferred path becomes available; it's also
possible to administratively prohibit all pre-emption attempts. If
the Master becomes unavailable then the highest priority Backup will
transition to Master after a short delay, providing a controlled
transition of the virtual router responsibility with minimal service
interruption.
VRRP defines three types of authentication providing simple
deployment in insecure environments, added protection against
misconfiguration, and strong sender authentication in security
conscious environments. Analysis of the protection provided and
vulnerability of each mechanism is deferred to Section 11.0 Security
Considerations. In addition new authentication types and data can be
defined in the future without affecting the format of the fixed
portion of the protocol packet, thus preserving backward compatible
operation.
The VRRP protocol design provides rapid transition from Backup to
Master to minimize service interruption, and incorporates
optimizations that reduce protocol complexity while guaranteeing
controlled Master transition for typical operational scenarios. The
optimizations result in an election protocol with minimal runtime
state requirements, minimal active protocol states, and a single
message type and sender. The typical operational scenarios are
defined to be two redundant routers in a VRRP cluster (i.e., a Master
and one Backup), and/or distinct path preferences among each router.
A side effect when these assumptions are violated (i.e., more than
two redundant paths all with equal preference) is that duplicate
packets may be forwarded for a brief period during Master election.
However, the typical scenario assumptions are likely to cover the
vast majority of deployments, loss of the Master router is
infrequent, and the expected duration in Master election convergence
is quite small ( << 1 second ). Thus the VRRP optimizations
represent significant simplifications in the protocol design while
incurring an insignificant probability of brief network degradation.
4. Sample Configurations 4. Sample Configurations
4.1 Sample Configuration 1 4.1 Sample Configuration 1
The following figure shows a simple VRRP network. The following figure shows a simple VRRP network.
+--------------------------+ +--------------------------+
| Cluster X | | Cluster X |
| | | |
| +-----+ +-----+ | | +-------+ +-------+ |
| | MRX | | BRX | | | | MRX | | BRX | |
| +-----+ +-----+ | | | | | | |
| |(P=200)| |(P=100)| |
| | | | | |
| +-------+ +-------+ |
Real IP 1 ---------->* *<---------- Real IP 2 Real IP 1 ---------->* *<---------- Real IP 2
| | * | | | | * | |
+-------------^------------+ +-------------^------------+
| | | | | |
-------------------+------|-----+-----+-------------+------ -------------------+------|-----+-----+-------------+------
| ^ ^ | ^ ^
Virtual IP --(VIPX)-+ (VIPX) (VIPX) Virtual IP --(VIPX)-+ (VIPX) (VIPX)
| | | |
+--+--+ +--+--+ +--+--+ +--+--+
| H1 | | H2 | | H1 | | H2 |
+-----+ +-----+ +-----+ +-----+
The above configuration shows the most likely utilization of the VRRP Legend:
protocol. In this configuration, the hosts simply point their default ---+---+---+-- = 802 network, Ethernet or FDDI
routes at the virtual IP address X (VIPX), and the routers run VRRP
between themselves. The router on the left is the default master
router (MRX), and the router on the right is the backup router (BRX).
Legend: ---+---+---+-- = 802 network, Ethernet or FDDI
H = Host computer H = Host computer
MR = Master Router MR = Master Router (Priority=200)
BR = Backup Router BR = Backup Router (Priority=100)
* = IP Address * = IP Address
VIP = default gateway for hosts (Virtual IP) VIP = default router for hosts (Virtual IP)
The above configuration shows a typical VRRP scenario. In this
configuration, the end-hosts install a default route to the virtual
IP address (VIPX), and the routers run VRRP to elect the Master
router. The router on the left (MRX) becomes the Master router
because it has the highest priority and the router on the right (BRX)
becomes the backup router.
4.2 Sample Configuration 2 4.2 Sample Configuration 2
The following figure shows a more interesting VRRP network. The following figure shows a configuration with two clusters.
+--------------------------+ +--------------------------+
| Cluster X and Cluster Y | | Cluster X and Cluster Y |
| | | |
| +-----+ +-----+ | | +-----+ +-----+ |
| | MRX | | BRX | | | | MRX | | BRX | |
| | & | | & | | | | & | | & | |
| | BRY | | MRY | | | | BRY | | MRY | |
| +-----+ +-----+ | | +-----+ +-----+ |
Real IP 1 ---------->* *<---------- Real IP 2 Real IP 1 ---------->* *<---------- Real IP 2
| | * * | | | | * * | |
+---------^------^---------+ +---------^------^---------+
| | | | | | | |
------------------+--|------|--+-----+--------+--------+--------+-- ------------------+--|------|--+-----+--------+--------+--------+--
| | ^ ^ ^ ^ | | ^ ^ ^ ^
Virtual IP --(VIPX)-+ | (VIPX) (VIPY) (VIPX) (VIPY) Virtual IP --(VIPX)-+ | (VIPX) (VIPX) (VIPY) (VIPY)
| | | | | | | | | |
Virtual IP --(VIPY)--------+ +--+--+ +--+--+ +--+--+ +--+--+ Virtual IP --(VIPY)--------+ +--+--+ +--+--+ +--+--+ +--+--+
| H1 | | H2 | | H3 | | H4 | | H1 | | H2 | | H3 | | H4 |
+-----+ +-----+ +--+--+ +--+--+ +-----+ +-----+ +--+--+ +--+--+
In the above configuration, half of the hosts point their default Legend:
gateway at cluster X's virtual IP address (VIPX), and half the hosts ---+---+---+-- = 802 network, Ethernet or FDDI
point their default gateway at cluster Y's virtual IP address (VIPY).
This has the effect of load balancing the outgoing traffic, while
also providing full redundancy.
Legend: ---+---+---+-- = 802 network, Ethernet or FDDI
H = Host computer H = Host computer
MR = Master Router MR = Master Router
BR = Backup Router BR = Backup Router
* = IP Address * = IP Address
VIP = default gateway for hosts (Virtual IP) VIP = default router for hosts (Virtual IP)
5. Protocol In the above configuration, half of the hosts install a default route
to cluster X's virtual IP address (VIPX), and the other half of the
hosts install a default route to cluster Y's virtual IP address
(VIPY). This has the effect of load balancing the outgoing traffic,
while also providing full redundancy.
The purpose of the VRRP packet is to communicate to all other VRRP 5.0 Protocol
routers both the priority and the state of the master's associated
interface. The purpose of the VRRP packet is to communicate to all VRRP routers
the priority and the state of the Master router associated with the
Virtual IP address.
VRRP packets are sent encapsulated in IP packets. They are sent to VRRP packets are sent encapsulated in IP packets. They are sent to
an IPv4 multicast address assigned for VRRP. an IPv4 multicast address assigned to VRRP.
5.1 VRRP Packet Format 5.1 VRRP Packet Format
This section defines the format of the VRRP packet and the relevant This section defines the format of the VRRP packet and the relevant
fields in the IP header. fields in the IP header.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 | Version | VRRP Cluster | Priority | Type | 0 | Version | VRRP Cluster | Priority | Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1 | Auth Type | Adver Int | Checksum | 1 | Auth Type | Adver Int | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2 | Virtual IP address | 2 | Virtual IP address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3 | Authentication Data | 3 | Authentication Data |
+---------------------------------------------------------------+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 | | 4 | |
+---------------------------------------------------------------+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
5.2 IP Field Descriptions 5.2 IP Field Descriptions
5.2.1 Source Address 5.2.1 Source Address
The real IP address of the interface the packet is being sent from. The real IP address of the interface the packet is being sent from.
5.2.2 Destination Address 5.2.2 Destination Address
The VRRP IP multicast address assigned by the IANA. It is defined to The VRRP IP multicast address assigned by the IANA. It is defined to
be: be:
224.0.0.(TBD IANA assignment) 224.0.0.(TBD IANA assignment)
This is a link local scope multicast address. Routers should not This is a link local scope multicast address. Routers MUST NOT
forward a datagram with this destination address regardless of its forward a datagram with this destination address regardless of its
TTL. TTL.
5.2.3 TTL 5.2.3 TTL
The TTL should be set to 255. A VRRP router receiving a packet with The TTL MUST be set to 255. A VRRP router receiving a packet with
the TTL not equal to 255 MUST discard the packet. the TTL not equal to 255 MUST discard the packet.
5.2.4 Protocol 5.2.4 Protocol
The VRRP IP protocol number assigned by the IANA. It is defined to The VRRP IP protocol number assigned by the IANA. It is defined to
be (TBD). be (TBD).
5.3 VRRP Field Descriptions 5.3 VRRP Field Descriptions
5.3.1 Version 5.3.1 Version
The version field specifies the VRRP protocol version of this packet. The version field specifies the VRRP protocol version of this packet.
This document defines version 1. This document defines version 1.
5.3.2 VRRP Cluster 5.3.2 VRRP Cluster
The VRRP Cluster field specifies the cluster this packet applies to. The VRRP Cluster field specifies the cluster this packet applies to.
Note: The interface may participate in more than one VRRP cluster Note: The interface may participate in more than one VRRP cluster
simultaneously, perhaps serving as master in one cluster, while simultaneously, perhaps serving as Master in one cluster, while
simultaneously serving as backup in other clusters. simultaneously serving as backup in other clusters.
5.3.3 Priority 5.3.3 Priority
The priority field specifies the currently configured VRRP priority The priority field specifies the router's priority for the Virtual IP
value for this interface and cluster. Higher values equal higher address and cluster. Higher values equal higher priority. This
priority. This field is an 8 bit unsigned field, giving 1 as the field is an 8 bit unsigned field, giving 1 as the minimum priority,
minimum priority, and 255 as the maximum priority. The default and 255 as the maximum priority. The default priority is 100
priority is 100 (decimal). (decimal).
Priority value of zero (0) has a special meaning. It means that the The priority value zero (0) has special meaning indicating that the
current master had decided to stop running VRRP. This is used to current Master has stopped running VRRP. This is used to trigger
cause other backup routers to quickly become master with out having Backup routers to quickly transition to Master without having to wait
to timeout the current master. for the current Master to timeout.
In the event that two or more routers within a cluster have equal In the event that two or more routers within a cluster have equal
priority, and that priority is the highest priority in the cluster, priority, and that priority is the highest priority for the cluster,
initially the router with the higher real interface IP address initially the router with the higher real interface IP address
(interpreted as a 32 bit unsigned integer) will become master. Any (interpreted as a 32 bit unsigned integer) will become Master. Any
new router joining the cluster with the same priority will not become router joining the cluster with the same priority will not become
master even if it has a higher IP address unless the current master Master even if it has a higher IP address unless the current Master
goes down. goes down.
5.3.4 Type 5.3.4 Type
The type field specifies the type of this VRRP packet. The only The type field specifies the type of this VRRP packet. The only
packet type defined in this version of the protocol is: packet type defined in this version of the protocol is:
1 ADVERTISEMENT 1 ADVERTISEMENT
All other values are currently unknown, and if a packet is received A packet with unknown type MUST be discarded.
with a value not listed, it should be discarded.
5.3.5 Authentication Type 5.3.5 Authentication Type
The authentication type field identifies the authentication method The authentication type field identifies the authentication method
being utilized. The current supported authentications are listed being utilized. The authentication type field is an 8 bit number. A
below: packet with unknown authentication type or that does not match the
locally configured authentication method MUST be discarded.
0 - No authentication The authentication methods currently defined are:
1 - Simple text authentication
2 - IP Security Option Authentication
For simple text authentication any VRRP packet with an authentication 0 - No Authentication
string that does not match its configured authentication string 1 - Simple Text Password
should be discarded. 2 - IP Authentication Header
The authentication type field is an 8 bit number and must be one of 5.3.5.1 No Authentication
the above listed values.
5.3.5.1 IP Security Option Authentication The use of this authentication type means that VRRP protocol
exchanges are not authenticated. The contents of the Authentication
Data field should be set to zero on transmission and ignored on
reception.
When authentication is performed by using the IP Authentication 5.3.5.2 Simple Text Password
Header as specified in [AUTH], the Authentication type should be set
to "2". If packet is received with the Authentication type set to The use of this authentication type means that VRRP protocol
"2" indicating IP security option authentication and no exchanges are authenticated by a clear text password. The contents
authentication header is present in the packet, the packet should be of the Authentication Data field should be set to the locally
discarded. configured password on transmission. There is no default password.
The receiver MUST check that the Authentication Data in the packet
matches its configured authentication string. Packets that do not
match MUST be discarded.
5.3.5.3 IP Authentication Header
The use of this authentication type means the VRRP protocol exchanges
are authenticated using the mechanisms defined by the IP
Authentication Header [AUTH] using HMAC: Keyed-Hashing for Message
Authentication [HMAC]. Keys may be either configured manually or via
a key distribution protocol.
If a packet is received that does not pass the authentication check
due to a missing authentication header or incorrect message digest,
then the packet MUST be discarded. The contents of the
Authentication Data field should be set to zero on transmission and
ignored on reception.
5.3.6 Advertisement Interval (Adver Int) 5.3.6 Advertisement Interval (Adver Int)
This field is the time interval for Master to Send ADVERTISEMENTS. The Advertisement interval indicates the time interval (in seconds)
Default is 1 second. This field is used for troubleshooting between ADVERTISEMENTS. The default is 1 second. This field is used
misconfigured routers. for troubleshooting misconfigured routers.
5.3.7 Checksum 5.3.7 Checksum
The checksum field is used to detect data corruption in the VRRP The checksum field is used to detect data corruption in the VRRP
message. message.
The checksum is the 16-bit one's complement of the one's complement The checksum is the 16-bit one's complement of the one's complement
sum of the entire VRRP message starting with the version field. For sum of the entire VRRP message starting with the version field. For
computing the checksum, the checksum field is set to zero. computing the checksum, the checksum field is set to zero.
5.3.8 Virtual IP address 5.3.8 Virtual IP address
The virtual IP address field specifies the Virtual IP (VIP) address The virtual IP address field specifies the Virtual IP (VIP) address
associated with the particular cluster. This field is used for associated with the particular cluster. This field is used for
troubleshooting misconfigured routers. troubleshooting misconfigured routers.
The VIP should be an IP address assigned from the subnet that the The VIP MUST be an IP address assigned from the subnet that the
interface is attached. interface is attached and does not match any hosts real IP or cluster
VIP address.
5.3.9 Authentication Data 5.3.9 Authentication Data
The authentication string is currently utilized for simple text The authentication string is currently only utilized for simple text
authentication, similar to the simple text authentication found in authentication, similar to the simple text authentication found in
OSPF. It is up to 8 characters of plain text. If the configured the Open Shortest Path First routing protocol [OSPF]. It is up to 8
authentication string is shorter than 8 bytes, the remaining space characters of plain text. If the configured authentication string is
MUST be zero-filled. Any VRRP packet with an authentication string shorter than 8 bytes, the remaining space MUST be zero-filled. Any
that does not match its configured authentication string should be VRRP packet with an authentication string that does not match its
discarded. The authentication string is unique on a per cluster configured authentication string SHOULD be discarded. The
basis. authentication string is unique on a per interface basis.
There is no default value for this field.
6. Protocol State Machine 6. Protocol State Machine
6.1 Parameters 6.1 Parameters
Cluster_ID Cluster identifier. Configured item. Cluster_ID Cluster identifier. Configured item. There
is no default.
Priority Priority value for this cluster. Configured Priority Priority value for this cluster. Configured
item. Default is 100 (decimal). item. Range is between 1-255. Default is
100 (decimal).
Virtual_IP Virtual IP Address for this cluster. Virtual_IP Virtual IP Address for this cluster.
Configured item. Configured item.
Advertisement_Interval Time interval for Master to Send Advertisement_Interval Time interval between ADVERTISEMENTS in
ADVERTISEMENTS. Default is 1 second. seconds. Default is 1 second.
Skew_Time Calculated time to skew Skew_Time Calculated time to skew Master_Down_Interval
Master_Down_Interval. Defined to be: in seconds. Defined to be:
( (256 - Priority) / 256 ) ( (256 - Priority) / 256 )
Master_Down_Interval Time interval for Backup to declare Master Master_Down_Interval Time interval for Backup to declare Master
down. Defined to be: down in seconds. Defined to be:
(3 * Advertisement_Interval) + Skew_time (3 * Advertisement_Interval) + Skew_time
seconds. Preempt_Mode Configuration switch controlling whether a
higher priority VRRP router preempts a lower
priority VRRP Master. Values are True to
preempt and False to not preempt. Default
is True.
6.2 Timers 6.2 Timers
Master_Down_Timer Timer which fires when Master has not been Master_Down_Timer Timer that fires when ADVERTISEMENT has not
heard for Master_Down_Interval. been heard for Master_Down_Interval.
Adver_Timer Timer which fires when time to send next Adver_Timer Timer that fires to trigger sending of
ADVERTISEMENT based on ADVERTISEMENT based on
Advertisement_Interval. Advertisement_Interval.
6.3 State Transition Diagram 6.3 State Transition Diagram
+---------------+ +---------------+
| |<-------------+ | |<-------------+
+--------->| Initialize | | +--------->| Initialize | |
| | |----------+ | | | |----------+ |
| +---------------+ | | | +---------------+ | |
| | | | | |
| V | | V |
+---------------+ +---------------+ +---------------+ +---------------+
| |---------------------->| | | |---------------------->| |
| Master | | Backup | | Master | | Backup |
| |<----------------------| | | |<----------------------| |
+---------------+ +---------------+ +---------------+ +---------------+
6.4 State Descriptions 6.4 State Descriptions
In the below state descriptions, the state names will be identified In the state descriptions below, the state names are identified by
as follows {state-name}, and the packets will be identified by {state-name}, and the packets are identified by all upper case
utilizing all upper case characters. characters.
6.4.1 Initialize 6.4.1 Initialize
{Initialize} is the initial state an interface takes when VRRP is {Initialize} is the state a virtual router takes when VRRP is
enabled or disabled. The basic function of the state is to wait for inactive. The purpose of this state is to wait for a Startup event.
a startup event. When that is received it: If a Startup event is received, then:
- Set the Master_Down_Timer to Master_Down_Interval - Set the Master_Down_Timer to Master_Down_Interval
- Set state to {Backup} state.
- Transition to the {Backup} state
6.4.2 Backup 6.4.2 Backup
The main purpose of {Backup} state is for an interface to wait for The purpose of the {Backup} state is to monitor the availability and
the current master to stop sending ADVERTISEMENT packets. state of the Master Router.
While in this state, an interface should do the following: While in this state, an virtual router MUST do the following:
- Should not respond to ARP request for the interface VIP router - MUST NOT respond to ARP requests for the virtual router IP address
address
- Should discard packets with destination link layer MAC address - MUST discard packets with a destination link layer MAC address
equal to virtual router MAC. equal to the virtual router MAC address
- Should discard packets addressed to the interface VIP address. - MUST not accept packets addressed to the Virtual IP address
- If a Shutdown event is received, then:
- If Master_Down_Timer fires, Send ADVERTISEMENT, set Adver_Timer o Cancel the Master_Down_Timer
to Advertisement_Interval, and set state to {Master} state o Transition to the {Initialize} state
- If ADVERTISEMENT received, endif
If Priority of the received ADVERTISEMENT is Zero, then set - If the Master_Down_Timer fires, then:
Mater_Down_Timer to Skew_Time.
If Priority of the received ADVERTISEMENT is greater than o Send an ADVERTISEMENT
this interfaces Priority, then reset Master_Down_Timer. o Set the Adver_Timer to Advertisement_Interval
o Transition to the {Master} state
If Priority of the received ADVERTISEMENT is equal to this endif
interfaces Priority, then reset Master_Down_Timer.
If Priority of the received ADVERTISEMENT is lower than this - If an ADVERTISEMENT is received, then:
interfaces Priority, then discard ADVERTISEMENT.
If the Priority in the ADVERTISEMENT is Zero, then:
o Set the Master_Down_Timer to Skew_Time
else:
If Preempt_Mode is False, or If the Priority in the
ADVERTISEMENT is greater than or equal to the local
Priority, then:
o Reset the Master_Down_Timer to Master_Down_Interval
else:
o Discard the ADVERTISEMENT
endif
endif
endif
6.4.3 Master 6.4.3 Master
In {Master} state an interface is functioning as the actual physical While in the {Master} state the router functions as the physical
router for the virtual router IP and MAC address. router for the Virtual IP address.
While in this state, an interface should do the following: While in this state, a virtual router MUST do the following:
- Accept and forward traffic for the virtual router MAC address. - MUST respond to ARP requests for the VIP address with the virtual
router MAC address
- Must accept and forward packets with a destination link layer MAC
address equal to the virtual router MAC address
- Respond to ARP requests for the VIP address with the virtual router - Must accept packets addressed to the VIP address
MAC address.
- Respond to packets addressed to the VIP address. - If a Shutdown event is received, then:
- If Adver_Timer fires, send a ADVERTISEMENT and reset Adver_Timer. o Cancel the Adver_Timer
o Send an ADVERTISEMENT with Priority = 0
o Transition to the {Initialize} state
- If ADVERTISEMENT received, endif
If Priority of the received ADVERTISEMENT is higher than this - If the Adver_Timer fires, then:
interfaces Priority, then cancel Adver_Timer, Set
Master_Down_Timer, and set state to {Backup}.
If Priority of the received ADVERTISEMENT is equal to this o Send an ADVERTISEMENT
interfaces Priority, then: o Reset the Adver_Timer to Advertisement_Interval
If IP Address of sender of ADVERTISEMENT is higher than this endif
interfaces IP Address, then cancel Adver_Timer, Set
Master_Down_Timer, and set state to {Backup}.
If IP Address of sender of ADVERTISEMENT is lower than this - If an ADVERTISEMENT is received, then:
interfaces IP Address, discard ADVERTISEMENT.
If Priority of the received ADVERTISEMENT is lower than this If the Priority in the ADVERTISEMENT is Zero, then:
interfaces Priority, discard ADVERTISEMENT.
6.5 State Table o Send an ADVERTISEMENT
o Reset the Adver_Timer to Advertisement_Interval
+---------------+---------------+---------------+---------------+ else:
|Current State->| {Initialize} | {Backup} | {Master} |
| | | | | If the Priority in the ADVERTISEMENT is greater than the
| Event | | | | local Priority,
| | | | | | or
| V | | | | If the Priority in the ADVERTISEMENT is equal to the local
+---------------+---------------+---------------+---------------+ Priority and the IP Address of the sender is greater than
| | Set Master_ | | | the local IP Address, then:
| Startup | Down_Timer | | |
| | State = | | | o Cancel Adver_Timer
| | Backup | | | o Set Master_Down_Timer to Master_Down_Interval
+---------------+---------------+---------------+---------------+ o Transition to the {Backup} state
| | | Cancel Master_| Cancel Adver_ |
| Shutdown | Ignore | Down_Timer | Timer | else:
| | Event | State = | Send ADVER w/ |
| | | Initialize | Priority=0 | o Discard ADVERTISEMENT
| | | | State = Init. |
+---------------+---------------+---------------+---------------+ endif
| | | Send | | endif
| Master_Down_ | | ADVERTISEMENT| | endif
| Timer fires | | Set Adver_ | |
| | | Timer | |
| | | State = Master| |
+---------------+---------------+---------------+---------------+
| Adver_Timer | | | Send ADVER. |
| fires | | | Reset Adver_ |
| | | | Timer |
+---------------+---------------+---------------+---------------+
| Receive VRRP | | Set Master_ | Send ADVER. |
| ADVERTISEMENT | | Down_Timer= | Reset Adver_ |
| with Priority | | Skew_Timer | Timer |
| equal Zero | | | |
+---------------+---------------+---------------+---------------+
| Receive VRRP | | | Cancel Adver_ |
| ADVERTISEMENT | | Reset | Timer |
| with Higher | | Master_Down_ | Set Master__ |
| Priority | | Timer | Down_Timer |
| | | | State = Backup|
+---------------+---------------+---------------+---------------+
| Receive VRRP | | | Cancel Adver_ |
| ADVERTISEMENT | | Reset | Timer |
| with Equal | | Master_Down_ | Set Master__ |
| Priority | | Timer | Down_Timer |
| and Higher IP | | | State = Backup|
| Address | | | |
+---------------+---------------+---------------+---------------+
| Receive VRRP | | | |
| ADVERTISEMENT | | Reset | Discard |
| with Equal | | Master_Down | Packet |
| Priority | | Timer | |
| and Lower IP | | | |
| Address | | | |
+---------------+---------------+---------------+---------------+
| Receive VRRP | | | |
| ADVERTISEMENT | | Discard | Discard |
| with Lower | | Packet | Packet |
| Priority | | | |
+---------------+---------------+---------------+---------------+
| Receive ARP | | | Send ARP |
| Request for | | Discard | Reply w/ |
| VIP address | | Packet | VMAC |
+---------------+---------------+---------------+---------------+
| Receive IP | | | Process as |
| packet w/ | | | Normal IP |
| Destination | | | Packet sent |
| = VIP | | | to Router |
+---------------+---------------+---------------+---------------+
| Receive IP | | | Process and |
| packet w/ | | | Forward as |
| Dest. MAC | | | Normal IP |
| = VMAC | | | Packet |
+---------------+---------------+---------------+---------------+
| Unknown VRRP | | Discard | Discard |
| packet | | Packet | Packet |
+---------------+---------------+---------------+---------------+
7. Sending and Receiving VRRP Packets 7. Sending and Receiving VRRP Packets
7.1 Receiving VRRP Packets 7.1 Receiving VRRP Packets
The following rules must be performed when a VRRP packet is received: The following actions MUST be performed when a VRRP packet is
received:
- Verify TTL = 255. - Verify that the IP TTL is 255.
- Verify that received packet length is greater or equal to VRRP - Verify that the received packet length is greater than or equal
header length. to the VRRP header length
- Verify checksum in packet - Verify the VRRP checksum
- Verify version - Verify the VRRP version
- Verify Source address does not equal interface IP address - Perform authentication specified by Auth Type
- Verify Cluster identifier valid on received interface
- Perform indicated authentication If any one of the above checks fails, the receiver MUST discard the
- Verify VIP in packet is same as configured VIP for this cluster packet, SHOULD log the event and MAY indicate via network management
- Verify Adver Interval in packet is same as configured VIP for that an error occurred.
- Verify that the Cluster identifier and the VIP are valid on the
receiving interface
- Verify that the VIP in packet is same as the configured VIP for
this cluster this cluster
If one of these checks fails, the receiver should discard the packet, If any one of the above checks fails, the receiver MUST discard the
log the event and indicate via network management that an error packet.
occurred.
- Verify that the Adver Interval in the packet is the same as the
locally configured for this virtual router
If the above check fails, the receiver MUST discard the packet,
SHOULD log the event and MAY indicate via network management that an
error occurred.
7.2 Transmitting Packets 7.2 Transmitting Packets
The following operations must be performed prior to transmitting a The following operations MUST be performed prior to transmitting a
VRRP packet. VRRP packet.
- Fill in packet fields with appropriate interface and cluster - Fill in the VRRP packet fields with the appropriate virtual
information router configuration state
- Compute Checksum - Compute the VRRP checksum
- Set source MAC to Virtual MAC Address - Set the source MAC address to Virtual Router MAC Address
- Send to VRRP IP Multicast Group - Send the VRRP packet to the VRRP IP multicast group
Note: VRRP packets are transmitted with the Virtual MAC address as Note: VRRP packets are transmitted with the virtual MAC address as
the source MAC to ensure that learning bridges correctly determine the source MAC address to ensure that learning bridges correctly
the LAN segment the virtual MAC is attached to. determine the LAN segment the virtual router is attached to.
7.3 Virtual MAC Address 7.3 Virtual Router MAC Address
The default virtual MAC address associated with the virtual IP The virtual router MAC address associated with a virtual router is an
address is a IEEE 802 MAC Address of the following format: IEEE 802 MAC Address in the following format:
00-00-5E-XX-XX-{cluster id} (in hex in internet standard bit-order) 00-00-5E-XX-XX-{cluster id} (in hex in internet standard bit-order)
The first three octets are the IANA's OUI. The next two octets (to The first three octets are derived from the IANA's OUI. The next two
be assigned by the IANA) indicate the address address block assigned octets (to be assigned by the IANA) indicate the address block
to the VRRP protocol. {cluster id} in the last octet is the VRRP assigned to the VRRP protocol. {cluster id} is the VRRP cluster
cluster identifier. This mapping allows for up to 255 VRRP clusters identifier. This mapping provides for up to 255 VRRP clusters on a
per interface. network.
Implementations may also allow Virtual MAC addresses to be configured
for each cluster.
8. Host Operation 8. Host Operation
8.1 Host ARP Requests 8.1 Host ARP Requests
When a client sends a ARP request for the virtual IP address, the When a host sends an ARP request for the virtual IP address, the
appropriate master router should respond to the ARP request with the Master router MUST respond to the ARP request with the virtual MAC
above virtual MAC address for the appropriate cluster. This allows address for the virtual router. This allows the client to always use
the client to always use the same MAC address regardless of the the same MAC address regardless of the current Master router. The
current master router. The request should be handled as a standard request MUST be handled as a standard ARP reply.
ARP reply.
9. Operational Issues 9. Operational Issues
9.1 ICMP Redirects 9.1 ICMP Redirects
VRRP operation relies on the client host only using the Virtual IP VRRP operation relies on hosts only using the Virtual IP address. It
address and corresponding Virutal MAC. It is important that client is important that client hosts do not learn the real IP address of
hosts do not learn the real IP address of VRRP routers on LAN any VRRP router on the LAN segment. Consequently VRRP routers MUST
segment. Consequentially routers on the same LAN segment MUST NOT NOT send ICMP Redirects on any interface they are running VRRP on.
send ICMP Redirects with the real IP address of any VRRP routers.
9.2 Proxy ARP 9.2 Proxy ARP
If Proxy ARP is being used on routers running VRRP, the VRRP routers If Proxy ARP is to be used on a router running VRRP, then the VRRP
must advertise the Virtual MAC address in the Proxy ARP message. router must advertise the Virtual Router MAC address in the Proxy ARP
Doing otherwise would cause them to learn the real IP address of the message. Doing otherwise could cause hosts to learn the real IP
VRRP routers. address of the VRRP routers.
9.3 Network Management 9.3 Network Management
It is important that network management tools (e.g., SNMP, Telnet, It is important that network management tools (e.g., SNMP, Telnet,
etc.) always use the real IP addresses of VRRP routers. This is etc.) always use the real IP addresses of a VRRP router. This
necessary to insure that network management is aware of the real ensures that network management is aware of the status of the real
status of the VRRP routers (e.g., detect that a router has failed so routers (e.g., to detect that a router has failed so that it can be
that it can be repaired). repaired).
10. Operation over Token Ring 10. Operation over FDDI and Token Ring
TBD 10.1 Operation over FDDI
11. References FDDI interfaces strip from the FDDI ring frames that have a source
MAC address matching the device's hardware address. Under some
conditions, such as router isolations, ring failures, protocol
transitions, etc., VRRP may cause there to be more than one Master
router. If a Master router installs the virtual router MAC address
as the hardware address on a FDDI device, then other Masters'
ADVERTISEMENTS will be stripped off the ring during the Master
convergence, and convergence will fail.
[AUTH] Atkinson, R., "IP Authentication Header", RFC 1826, Naval To avoid this an implementations SHOULD configure the virtual router
Research Laboratory, August 1995. MAC address by adding a unicast MAC filter in the FDDI device, rather
than changing its hardware MAC address. This will prevent a Master
router from stripping any ADVERTISEMENTS it did not originate.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 10.2 Operation over Token Ring
Requirement Levels", RFC2119, BCP14, March 1997.
12. Security Considerations Token Ring has several characteristics which make running VRRP
problematic. This includes:
The protocol design supports no authentication, simple text - No general multicast mechanism. Required use of "functional
authentication, and integrity/authentication/integrity using the IP addresses" as a substitute, which may collide with other usage of
Security options. the same "functional addresses".
- Token Ring interfaces may have a limited ability to receive on
multiple MAC addresses.
- In order to switch to a new master located on a different physical
ring from the previous master when using source route bridges, a
mechanism is required to update cached source route information.
Due the these issues and the limited knowledge about the detailed
operation of Token Ring by the authors, this version of VRRP does not
work over Token Ring networks. This may be remedied in new version
of this document, or in a separate document.
11. Security Considerations
VRRP is designed for a range of internetworking environments that may
employ different security policies. The protocol includes several
authentication methods ranging from no authentication, simple clear
text passwords, and strong authentication using IP Authentication
with HMAC. The details on each approach including possible attacks
and recommended environments follows.
Independent of any authentication type VRRP includes a mechanism
(setting TTL=255, checking on receipt) that protects against VRRP
packets being injected from another remote network. This limits most
vulnerabilities to local attacks.
11.1 No Authentication
The use of this authentication type means that VRRP protocol
exchanges are not authenticated. This type of authentication SHOULD
only be used in environments were there is minimal security risk and
little chance for configuration errors (e.g., two VRRP routers in a
single cluster on a link).
11.2 Simple Text Password
The use of this authentication type means that VRRP protocol
exchanges are authenticated by a simple clear text password.
This type of authentication is useful to protect against accidental
misconfiguration of routers on a link. It protects against routers
inadvertently becoming a member of a VRRP cluster. A new router must
first be configured with the correct password before it can become a
member of the VRRP cluster. This type of authentication does not
protect against hostile attacks where the password can be learned by
a node snooping VRRP packets on the link. The Simple Text
Authentication combined with the TTL check makes it difficult for a
VRRP packet to be sent from another link to disrupt VRRP operation.
This type of authentication is RECOMMENDED when there is minimal risk
of nodes on the link actively disrupting VRRP operation.
11.3 IP Authentication Header
The use of this authentication type means the VRRP protocol exchanges
are authenticated using the mechanisms defined by the IP
Authentication Header [AUTH] using HMAC: Keyed-Hashing for Message
Authentication [HMAC]. This provides strong protection against
configuration errors, replay attacks, and packet
corruption/modification.
This type of authentication is RECOMMENDED when there is limited
control over the administration of nodes on the link. While this
type of authentication does protect the operation of VRRP, there are
other types of attacks that may be employed on shared media links
(e.g., generation of bogus ARP replies) which are independent from
VRRP and are not protected.
12. References
[AUTH] Atkinson, R., "IP Authentication Header", RFC-1826, August
1995.
[DISC] Deering, S., "ICMP Router Discovery Messages", RFC-1256,
September 1991.
[DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC-1541,
October 1993.
[HMAC] Krawczyk, H., M. Bellare, R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC-2104, February 1997.
[HSRP] Li, T., B. Cole, P. Morton, D. Li, "Hot Standby Router
Protocol (HSRP)", Internet Draft, <draft-li-hsrp-00.txt>,
June 1997.
[OSPF] Moy, J., "OSPF version 2", RFC-1583, July 1997.
[RIP] Hedrick, C., "Routing Information Protocol" , RFC-1058,
June 1988.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC-2119, BCP14, March 1997.
13. Author's Addresses 13. Author's Addresses
Steven Knight Phone: +1 612 943-8990 Steven Knight Phone: +1 612 943-8990
Ascend Communications EMail: Steven.Knight@ascend.com Ascend Communications EMail: Steven.Knight@ascend.com
High Performance Network Division High Performance Network Division
10250 Valley View Road, Suite 113 10250 Valley View Road, Suite 113
Eden Prairie, MN USA 55344 Eden Prairie, MN USA 55344
USA
Douglas Weaver Phone: +1 612 943-8990 Douglas Weaver Phone: +1 612 943-8990
Ascend Communications EMail: Doug.Weaver@ascend.com Ascend Communications EMail: Doug.Weaver@ascend.com
High Performance Network Division High Performance Network Division
10250 Valley View Road, Suite 113 10250 Valley View Road, Suite 113
Eden Prairie, MN USA 55344 Eden Prairie, MN USA 55344
USA
David Whipple Phone: +1 206 703-3876 David Whipple Phone: +1 206 703-3876
Microsoft Corporation EMail: dwhipple@microsoft.com Microsoft Corporation EMail: dwhipple@microsoft.com
One Microsoft Way One Microsoft Way
Redmond, WA USA 98052-6399 Redmond, WA USA 98052-6399
USA
Robert Hinden Phone: +1 408 990-2004 Robert Hinden Phone: +1 408 990-2004
Ipsilon Networks, Inc. EMail: hinden@ipsilon.com Ipsilon Networks, Inc. EMail: hinden@ipsilon.com
232 Java Drive 232 Java Drive
Sunnyvale, CA 94089 Sunnyvale, CA 94089
USA
Danny Mitzel Phone: +1 408 990-2037
Ipsilon Networks, Inc. EMail: mitzel@ipsilon.com
232 Java Drive
Sunnyvale, CA 94089
USA
14. Acknowledgments 14. Acknowledgments
The authors would like to thank Glen Zorn, and Michael Lane, Clark The authors would like to thank Glen Zorn, and Michael Lane, Clark
Bremer, Hal Peterson, Danny Mitzel, and Peter Hunt for their comments Bremer, Hal Peterson, Peter Hunt, Tony Li, Barbara Denny, and Steve
and suggestions. Bellovin for their comments and suggestions.
15. Changes from Previous Drafts 15. Changes from Previous Drafts
Changes from <draft-ietf-vrrp-spec-00.txt>
- Added Preempt_Mode to allow user control over preemption
independent of configured priorities.
- Rewrote authentication section and expanded security
considerations.
- Expanded State Description section and removed State Table which
become redundant and impossible to edit.
- Changed authentication to be on a per interface basis (not per
cluster).
- Clarified text on disabling ICMP Redirects.
- Added text on FDDI and Token Ring issues.
- Added HSRP acknowledgment.
- Rewrote Introduction, Required Features, and VRRP Overview
sections.
- Many small text clarifications.
Changes from <draft-hinden-vrrp-00.txt> Changes from <draft-hinden-vrrp-00.txt>
- Changed default behavior to stay with current master when - Changed default behavior to stay with current master when
priorities are equal. This behavior can be changed by configuring priorities are equal. This behavior can be changed by configuring
explicit priorities. explicit priorities.
- Changed Master state behavior to not send Advertisements when - Changed Master state behavior to not send Advertisements when
receiving Advertisement with lower priorty. Change reduces worst receiving Advertisement with lower priority. Change reduces worst
case election message overhead to "n", where "n" is number of case election message overhead to "n", where "n" is number of
configured equal priority VRRP routers. configured equal priority VRRP routers.
- Added Skew_Time parameter and changed receiving advertisement with - Added Skew_Time parameter and changed receiving advertisement with
zero priority behavior to cause resulting advertisement sent to be zero priority behavior to cause resulting advertisement sent to be
skewed by priority. skewed by priority.
- Changed sending behavior to send VRRP packets with VMAC as source - Changed sending behavior to send VRRP packets with VMAC as source
MAC and added text describing why this is important for bridged MAC and added text describing why this is important for bridged
environments. environments.
- Changed definition of VMAC to be in IANA assigned unicast MAC - Changed definition of VMAC to be in IANA assigned unicast MAC
block. block.
- Added Advertisement Interval to VRRP header. - Added Advertisement Interval to VRRP header.
- Added text regarding ICMP Redirects, Proxy ARP, and network - Added text regarding ICMP Redirects, Proxy ARP, and network
management issues. management issues.
- Various small text clarifications. - Various small text clarifications.
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/