draft-ietf-vrrp-spec-01.txt   draft-ietf-vrrp-spec-02.txt 
INTERNET-DRAFT S. Knight INTERNET-DRAFT S. Knight
July 28, 1997 D. Weaver October 12, 1997 D. Weaver
Ascend Communications, Inc. Ascend Communications, Inc.
D. Whipple D. Whipple
Microsoft, Inc. Microsoft, Inc.
R. Hinden R. Hinden
D. Mitzel D. Mitzel
P. Hunt
Ipsilon Networks, Inc. Ipsilon Networks, Inc.
P. Higginson
M. Shand
Digital Equipment Corp.
Virtual Router Redundancy Protocol Virtual Router Redundancy Protocol
<draft-ietf-vrrp-spec-01.txt> <draft-ietf-vrrp-spec-02.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
To learn the current status of any Internet-Draft, please check the To learn the current status of any Internet-Draft, please check the
"1id-abstracts.txt" listing contained in the Internet- Drafts Shadow "1id-abstracts.txt" listing contained in the Internet- Drafts Shadow
Directories on ds.internic.net (US East Coast), nic.nordu.net Directories on ds.internic.net (US East Coast), nic.nordu.net
(Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific (Europe), ftp.isi.edu (US West Coast), or munnari.oz.au (Pacific
Rim). Rim).
This internet draft expires on January 29, 1998. This internet draft expires on April 12, 1998.
Abstract Abstract
This memo defines the Virtual Router Redundancy Protocol (VRRP). This memo defines the Virtual Router Redundancy Protocol (VRRP).
VRRP specifies an election protocol that dynamically assigns VRRP specifies an election protocol that dynamically allows a set of
responsibility for a virtual IP address to a single router among a routers running VRRP to backup each other on a LAN. The VRRP router
collection of VRRP routers. The VRRP router controlling the virtual controlling one or more IP addresses is called the Master router, and
IP address is called the Master router, and forwards packets sent to forwards packets sent to these IP addresses. The election process
the virtual IP address. The election process provides dynamic fail provides dynamic fail over in the forwarding responsibility should
over in the forwarding responsibility should the Master become the Master become unavailable. This allows any of the VRRP routers
unavailable. The virtual IP address can then be used as the default IP addresses on the LAN to be used as the default first hop router by
first hop router by end-hosts. The advantage gained from using the end-hosts. The advantage gained from using the VRRP is a higher
VRRP virtual IP address is a higher availability default path without availability default path without requiring configuration of dynamic
requiring configuration of dynamic routing or router discovery routing or router discovery protocols on every end-host.
protocols on every end-host.
This memo describes the features and theory of operation of VRRP.
The protocol processing and state machine that guarantee convergence
to a single Master router is presented. Also issues related to MAC
address mapping, handling ARP requests, generating ICMP redirects,
and security issues are addressed.
Table of Contents Table of Contents
1. Introduction...............................................3 1. Introduction...............................................3
2. Scope......................................................4 2. Required Features..........................................5
3. Definitions................................................6 3. VRRP Overview..............................................6
4. Sample Configurations......................................8 4. Sample Configurations......................................8
4.1 Sample Configuration 1................................8
4.2 Sample Configuration 2................................9
5. Protocol..................................................10 5. Protocol..................................................10
5.1 VRRP Packet Format...................................10 5.1 VRRP Packet Format...................................10
5.2 IP Field Descriptions................................10 5.2 IP Field Descriptions................................10
5.3 VRRP Field Descriptions..............................11 5.3 VRRP Field Descriptions..............................11
6. Protocol State Machine....................................14 6. Protocol State Machine....................................14
6.1 Parameters.............................................14 6.1 Parameters.............................................14
6.2 Timers.................................................14 6.2 Timers.................................................14
6.3 State Transition Diagram..............................15 6.3 State Transition Diagram..............................15
6.4 State Descriptions....................................15 6.4 State Descriptions....................................15
7. Sending and Receiving VRRP Packets........................18 7. Sending and Receiving VRRP Packets........................18
7.1 Receiving VRRP Packets................................18 7.1 Receiving VRRP Packets................................18
7.2 Transmitting Packets...................................18 7.2 Transmitting Packets...................................18
7.3 Virtual MAC Address....................................19 7.3 Virtual MAC Address....................................19
8. Host Operation............................................19 8. Operational Issues........................................20
8.1 Host ARP Requests....................................19 8.1 ICMP Redirects.......................................20
9. Operational Issues........................................19 8.2 Host ARP Requests.....................................20
9.1 ICMP Redirects.........................................19 8.3 Proxy ARP.............................................21
9.2 Proxy ARP..............................................19 9. Operation over FDDI and Token Ring........................21
9.3 Network Management.....................................19 10. Security Considerations...................................22
10. Operation over FDDI and Token Ring.......................20 10.1 No Authentication.....................................22
11. Security Considerations...................................21 10.2 Simple Text Password..................................22
11.1 No Authentication.....................................21 10.3 IP Authentication Header..............................22
11.2 Simple Text Password..................................21 11. Acknowledgments...........................................23
11.3 IP Authentication Header..............................21 12. References................................................24
12. References................................................23 13. Authors' Addresses........................................24
13. Authors' Addresses........................................23 14. Changes from Previous Drafts..............................26
14. Acknowledgments...........................................24
15. Changes from Previous Drafts..............................25
1. Introduction 1. Introduction
There are a number of methods that an end-host can use to determine There are a number of methods that an end-host can use to determine
its first hop router towards a particular IP destination. These its first hop router towards a particular IP destination. These
include running (or snooping) a dynamic routing protocol such as include running (or snooping) a dynamic routing protocol such as
Routing Information Protocol [RIP] or OSPF version 2 [OSPF], running Routing Information Protocol [RIP] or OSPF version 2 [OSPF], running
an ICMP router discovery client [DISC] or using a statically an ICMP router discovery client [DISC] or using a statically
configured default route. configured default route.
skipping to change at page 3, line 37 skipping to change at page 3, line 37
operation is likely to persist as dynamic host configuration operation is likely to persist as dynamic host configuration
protocols [DHCP] are deployed, which typically provide configuration protocols [DHCP] are deployed, which typically provide configuration
for an end-host IP address and default gateway. However, this for an end-host IP address and default gateway. However, this
creates a single point of failure. Loss of the default router creates a single point of failure. Loss of the default router
results in a catastrophic event, isolating all end-hosts that are results in a catastrophic event, isolating all end-hosts that are
unable to detect any alternate path that may be available. unable to detect any alternate path that may be available.
The Virtual Router Redundancy Protocol (VRRP) is designed to The Virtual Router Redundancy Protocol (VRRP) is designed to
eliminate the single point of failure inherent in the static default eliminate the single point of failure inherent in the static default
routed environment. VRRP specifies an election protocol that routed environment. VRRP specifies an election protocol that
dynamically assigns responsibility for a virtual IP address to a dynamically allows a set of routers to backup each other. The VRRP
single router among a collection of VRRP routers. The VRRP router router controlling one or more IP addresses is called the Master
controlling the virtual IP address is called the Master router, and router, and forwards packets sent to these IP addresses. The
forwards packets sent to the virtual IP address. The election election process provides dynamic fail-over in the forwarding
process provides dynamic fail-over in the forwarding responsibility responsibility should the Master become unavailable. Any of the IP
should the Master become unavailable. The virtual IP address can addresses on a virtual router can then be used as the default first
then be used as the default first hop router by end-hosts. The hop router by end-hosts. The advantage gained from using the VRRP is
advantage gained from using the VRRP virtual IP address is a higher a higher availability default path without requiring configuration of
availability default path without requiring configuration of dynamic dynamic routing or router discovery protocols on every end-host.
routing or router discovery protocols on every end-host.
VRRP provides a function similar to a Cisco Systems, Inc. proprietary VRRP provides a function similar to a Cisco Systems, Inc. proprietary
protocol named Hot Standby Router Protocol (HSRP) [HSRP]. protocol named Hot Standby Router Protocol (HSRP) [HSRP] and to a
Digital Equipment Corporation, Inc. proprietary protocol named IP
Standby Protocol.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC 2119]. document are to be interpreted as described in [RFC 2119].
1.1 Scope 1.1 Scope
The remainder of this document describes the features, design goals, The remainder of this document describes the features, design goals,
and theory of operation of VRRP. The message formats, protocol and theory of operation of VRRP. The message formats, protocol
processing rules and state machine that guarantee convergence to a processing rules and state machine that guarantee convergence to a
single Master router are presented. Finally, operational issues single Master router are presented. Finally, operational issues
related to MAC address mapping, handling of ARP requests, generation related to MAC address mapping, handling of ARP requests, generation
of ICMP redirect messages, and security issues are addressed. of ICMP redirect messages, and security issues are addressed.
This protocol is intended for use with IPv4 routers only. A separate This protocol is intended for use with IPv4 routers only. A separate
specification will be produced if it is decided that similar specification will be produced if it is decided that similar
functionality is desirable in an IPv6 environment. functionality is desirable in an IPv6 environment.
1.2 Definitions 1.2 Definitions
Cluster The set of routers participating in VRRP to emulate a Virtual Router One of a set of routers running VRRP on a LAN.
virtual router.
Master Router The VRRP router controlling the virtual IP address IP Address Owner The virtual router than has the IP address(es)
and assuming the responsibility of forwarding packets as real interface address(es). This is the
sent to the virtual router. router that, when up, will respond to packets
addressed to one of these IP addresses for ICMP
pings, TCP connections, etc.
Backup Router The set of routers in the quiescent state with regard Primary IP Address An IP address selected from the set of real
to the virtual router operation. This set includes interface addresses. One possible selection
all active VRRP routers within a cluster that are not algorithm is to always select the first address.
the Master router. VRRP advertisements are always sent using the
primary IP address as the source of the IP
packet.
Master Router The virtual router that is assuming the
responsibility of forwarding packets sent to the
IP addresses associated with a virtual router
and answering ARP requests for these IP
addresses. The Master Router may or may not be
the owner. Note that if the IP address owner is
available, then it will always be the master
router.
Backup Router The set of virtual routers available to assume
forwarding responsibility for a virtual router
should the current master router fail.
2.0 Required Features 2.0 Required Features
This section outlines the set of features that were considered This section outlines the set of features that were considered
mandatory and that guided the design of VRRP. mandatory and that guided the design of VRRP.
2.1 Virtual IP Management 2.1 IP Address Backup
Management of the virtual IP address is the primary function of the Backup of IP addresses is the primary function of the Virtual Router
virtual router protocol. While providing election of a Master router Redundancy Protocol. While providing election of a Master router and
and the additional functionality described below, the protocol should the additional functionality described below, the protocol should
strive to: strive to:
- Minimize the duration of black holes. - Minimize the duration of black holes.
- Minimize the steady state bandwidth overhead and processing - Minimize the steady state bandwidth overhead and processing
complexity. complexity.
- Function over a wide variety of multiaccess LAN technologies - Function over a wide variety of multiaccess LAN technologies
capable of supporting IP traffic. capable of supporting IP traffic.
- Provide for election of multiple virtual routers on a network for - Provide for election of multiple virtual routers on a network for
load balancing or in support of multiple logical IP subnets on a load balancing or in support of multiple logical IP subnets on a
single LAN segment. single LAN segment.
skipping to change at page 6, line 7 skipping to change at page 6, line 18
The virtual router functionality is applicable to a wide range of The virtual router functionality is applicable to a wide range of
internetworking environments that may employ different security internetworking environments that may employ different security
policies. The protocol should require minimal configuration and policies. The protocol should require minimal configuration and
overhead in the insecure operation, provide for strong authentication overhead in the insecure operation, provide for strong authentication
when increased security is required, and allow integration of new when increased security is required, and allow integration of new
security mechanisms without breaking backwards compatible operation. security mechanisms without breaking backwards compatible operation.
2.5 Efficient Operation over Extended LANs 2.5 Efficient Operation over Extended LANs
Sending IP packets on a multiaccess LAN requires mapping from the Sending IP packets on a multiaccess LAN requires mapping from an IP
virtual IP address to a MAC address. The use of the virtual router address to a MAC address. The use of the virtual router MAC address
MAC address in an extended LAN employing learning bridges can have a in an extended LAN employing learning bridges can have a significant
significant effect on the bandwidth overhead of packets sent to the effect on the bandwidth overhead of packets sent to the virtual
virtual router. If the virtual router MAC address is never used as router. If the virtual router MAC address is never used as the
the source address in a link level frame then the station location is source address in a link level frame then the station location is
never learned, resulting in flooding of all packets sent to the never learned, resulting in flooding of all packets sent to the
virtual router. To improve the efficiency in this environment the virtual router. To improve the efficiency in this environment the
protocol should: 1) use the virtual router MAC as the source in a protocol should: 1) use the virtual router MAC as the source in a
packet sent by the Master to trigger station learning; 2) trigger a packet sent by the Master to trigger station learning; 2) trigger a
message immediately after transitioning to Master to update the message immediately after transitioning to Master to update the
station learning; and 3) trigger periodic messages from the Master to station learning; and 3) trigger periodic messages from the Master to
maintain the station learning cache. maintain the station learning cache.
3.0 VRRP Overview 3.0 VRRP Overview
VRRP assumes that each router has a consistent set of routes. The
mechanism used to learn or configure this routing state and ensure
its consistency is beyond the scope of this specification.
VRRP specifies an election protocol to provide the virtual router VRRP specifies an election protocol to provide the virtual router
function described earlier. All protocol messaging is performed function described earlier. All protocol messaging is performed
using IP multicast datagrams, thus the protocol can operate over a using IP multicast datagrams, thus the protocol can operate over a
variety of multiaccess LAN technologies supporting IP multicast. variety of multiaccess LAN technologies supporting IP multicast.
Each VRRP virtual router has a single well-known MAC address Each VRRP virtual router has a single well-known MAC address
allocated to it. This document currently only details the mapping to allocated to it. This document currently only details the mapping to
networks using the IEEE 802 48-bit MAC address. The virtual router networks using the IEEE 802 48-bit MAC address. The virtual router
MAC address is used as the source in all periodic messages sent by MAC address is used as the source in all periodic messages sent by
the Master router to enable bridge learning in an extended LAN. the Master router to enable bridge learning in an extended LAN.
A virtual router is identified by its virtual IP address, and A virtual router is identified by its virtual router identifier. A
associated with a VRRP cluster. The virtual IP address must not VRRP router has a set of addresses that it owns and one or more other
match the real IP address of any host or the virtual IP address of virtual routers it is responsible for backing up. On an interface
any other VRRP cluster on the LAN. Each VRRP router assigned to the running VRRP, each VRRP router must be configured with a virtual
cluster must be configured with the same virtual IP address and must router identifier for the addresses it owns, and the other virtual
have a real IP address with a prefix matching the virtual router router identifiers and associated IP addresses that it is responsible
address. In addition, each VRRP router is assigned a priority to for backing up. In addition, each VRRP router is assigned a priority
indicate the preference for Master election. Multiple virtual to indicate it's preference in Master election for each virtual
routers can be elected on a network by associating them with router. Multiple virtual routers can be elected on a network and a
different VRRP clusters, and a single router can participate in single router can backup one or more virtual routers.
multiple VRRP clusters by maintaining independent state machines for
each cluster.
To minimize network traffic, only the Master router sends periodic To minimize network traffic, only the Master router sends periodic
Advertisement messages. A Backup router will not attempt to pre-empt Advertisement messages. A Backup router will not attempt to pre-empt
the Master unless it has higher priority. This eliminates service the Master unless it has higher priority. This eliminates service
disruption unless a more preferred path becomes available; it's also disruption unless a more preferred path becomes available. It's also
possible to administratively prohibit all pre-emption attempts. If possible to administratively prohibit all pre-emption attempts. The
the Master becomes unavailable then the highest priority Backup will only exception to this is that the owner will always become master
transition to Master after a short delay, providing a controlled when it is up. If the Master becomes unavailable then the highest
transition of the virtual router responsibility with minimal service priority Backup will transition to Master after a short delay,
interruption. providing a controlled transition of the virtual router
responsibility with minimal service interruption.
VRRP defines three types of authentication providing simple VRRP defines three types of authentication providing simple
deployment in insecure environments, added protection against deployment in insecure environments, added protection against
misconfiguration, and strong sender authentication in security misconfiguration, and strong sender authentication in security
conscious environments. Analysis of the protection provided and conscious environments. Analysis of the protection provided and
vulnerability of each mechanism is deferred to Section 11.0 Security vulnerability of each mechanism is deferred to Section 10.0 Security
Considerations. In addition new authentication types and data can be Considerations. In addition new authentication types and data can be
defined in the future without affecting the format of the fixed defined in the future without affecting the format of the fixed
portion of the protocol packet, thus preserving backward compatible portion of the protocol packet, thus preserving backward compatible
operation. operation.
The VRRP protocol design provides rapid transition from Backup to The VRRP protocol design provides rapid transition from Backup to
Master to minimize service interruption, and incorporates Master to minimize service interruption, and incorporates
optimizations that reduce protocol complexity while guaranteeing optimizations that reduce protocol complexity while guaranteeing
controlled Master transition for typical operational scenarios. The controlled Master transition for typical operational scenarios. The
optimizations result in an election protocol with minimal runtime optimizations result in an election protocol with minimal runtime
state requirements, minimal active protocol states, and a single state requirements, minimal active protocol states, and a single
message type and sender. The typical operational scenarios are message type and sender. The typical operational scenarios are
defined to be two redundant routers in a VRRP cluster (i.e., a Master defined to be two redundant routers and/or distinct path preferences
and one Backup), and/or distinct path preferences among each router. among each router. A side effect when these assumptions are violated
A side effect when these assumptions are violated (i.e., more than (i.e., more than two redundant paths all with equal preference) is
two redundant paths all with equal preference) is that duplicate that duplicate packets may be forwarded for a brief period during
packets may be forwarded for a brief period during Master election. Master election. However, the typical scenario assumptions are
However, the typical scenario assumptions are likely to cover the likely to cover the vast majority of deployments, loss of the Master
vast majority of deployments, loss of the Master router is router is infrequent, and the expected duration in Master election
infrequent, and the expected duration in Master election convergence convergence is quite small ( << 1 second ). Thus the VRRP
is quite small ( << 1 second ). Thus the VRRP optimizations optimizations represent significant simplifications in the protocol
represent significant simplifications in the protocol design while design while incurring an insignificant probability of brief network
incurring an insignificant probability of brief network degradation. degradation.
4. Sample Configurations 4. Sample Configurations
4.1 Sample Configuration 1 4.1 Sample Configuration 1
The following figure shows a simple VRRP network. The following figure shows a simple network with two virtual routers.
+--------------------------+ VRID=1 VRID=2
| Cluster X | +-----+ +-----+
| MR1 | | MR2 |
| & | | & |
| BR2 | | BR1 |
+-----+ +-----+
IP A ---------->* *<---------- IP B
| | | |
| +-------+ +-------+ |
| | MRX | | BRX | |
| | | | | |
| |(P=200)| |(P=100)| |
| | | | | |
| +-------+ +-------+ |
Real IP 1 ---------->* *<---------- Real IP 2
| | * | |
+-------------^------------+
| | |
-------------------+------|-----+-----+-------------+------
| ^ ^
Virtual IP --(VIPX)-+ (VIPX) (VIPX)
| | | |
+--+--+ +--+--+ | |
| H1 | | H2 | ------------------+------------+-----+--------+--------+--------+--
+-----+ +-----+ ^ ^ ^ ^
| | | |
(IP A) (IP A) (IP A) (IP A)
| | | |
+--+--+ +--+--+ +--+--+ +--+--+
| H1 | | H2 | | H3 | | H4 |
+-----+ +-----+ +--+--+ +--+--+
Legend: Legend:
---+---+---+-- = 802 network, Ethernet or FDDI ---+---+---+-- = 802 network, Ethernet or FDDI
H = Host computer H = Host computer
MR = Master Router (Priority=200) MR = Master Router
BR = Backup Router (Priority=100) BR = Backup Router
* = IP Address * = IP Address
VIP = default router for hosts (Virtual IP) (IP) = default router for hosts
The above configuration shows a typical VRRP scenario. In this The above configuration shows a simple VRRP scenario. In this
configuration, the end-hosts install a default route to the virtual configuration, the end-hosts install a default route to the IP
IP address (VIPX), and the routers run VRRP to elect the Master address of one of the virtual routers (IP A) and the routers run
router. The router on the left (MRX) becomes the Master router VRRP. The router on the left (VRID=1) becomes the Master router for
because it has the highest priority and the router on the right (BRX) the IP addresses it owns (IP A) and the router on the right (VRID=2)
becomes the backup router. becomes the Master router for the IP addresses it owns (IP B). Each
router also backs up the other router. If the router on the left
(VRID=1) should fail, the other router will take over its IP
addresses and provide uninterrupted service for the hosts.
4.2 Sample Configuration 2 4.2 Sample Configuration 2
The following figure shows a configuration with two clusters. The following figure shows a configuration with two virtual routers
with the hosts slitting their traffic between them.
+--------------------------+ VRID=1 VRID=2
| Cluster X and Cluster Y | +-----+ +-----+
| MR1 | | MR2 |
| & | | & |
| BR2 | | BR1 |
+-----+ +-----+
IP A ---------->* *<---------- IP B
| | | |
| +-----+ +-----+ | | |
| | MRX | | BRX | | | |
| | & | | & | | ------------------+------------+-----+--------+--------+--------+--
| | BRY | | MRY | | ^ ^ ^ ^
| +-----+ +-----+ |
Real IP 1 ---------->* *<---------- Real IP 2
| | * * | |
+---------^------^---------+
| | | | | | | |
------------------+--|------|--+-----+--------+--------+--------+-- (IP A) (IP A) (IP B) (IP B)
| | ^ ^ ^ ^ | | | |
Virtual IP --(VIPX)-+ | (VIPX) (VIPX) (VIPY) (VIPY) +--+--+ +--+--+ +--+--+ +--+--+
| | | | |
Virtual IP --(VIPY)--------+ +--+--+ +--+--+ +--+--+ +--+--+
| H1 | | H2 | | H3 | | H4 | | H1 | | H2 | | H3 | | H4 |
+-----+ +-----+ +--+--+ +--+--+ +-----+ +-----+ +--+--+ +--+--+
Legend: Legend:
---+---+---+-- = 802 network, Ethernet or FDDI ---+---+---+-- = 802 network, Ethernet or FDDI
H = Host computer H = Host computer
MR = Master Router MR = Master Router
BR = Backup Router BR = Backup Router
* = IP Address * = IP Address
VIP = default router for hosts (Virtual IP) (IP) = default router for hosts
In the above configuration, half of the hosts install a default route In the above configuration, half of the hosts install a default route
to cluster X's virtual IP address (VIPX), and the other half of the to virtual router 1's IP address (IP A), and the other half of the
hosts install a default route to cluster Y's virtual IP address hosts install a default route to virtual router 2's IP address (IP
(VIPY). This has the effect of load balancing the outgoing traffic, B). This has the effect of load balancing the outgoing traffic,
while also providing full redundancy. while also providing full redundancy.
5.0 Protocol 5.0 Protocol
The purpose of the VRRP packet is to communicate to all VRRP routers The purpose of the VRRP packet is to communicate to all VRRP routers
the priority and the state of the Master router associated with the the priority and the state of the Master router associated with the
Virtual IP address. Virtual Router ID.
VRRP packets are sent encapsulated in IP packets. They are sent to VRRP packets are sent encapsulated in IP packets. They are sent to
an IPv4 multicast address assigned to VRRP. an IPv4 multicast address assigned to VRRP.
5.1 VRRP Packet Format 5.1 VRRP Packet Format
This section defines the format of the VRRP packet and the relevant This section defines the format of the VRRP packet and the relevant
fields in the IP header. fields in the IP header.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 | Version | VRRP Cluster | Priority | Type | |Version| Type | Virtual Rtr ID| Priority | Count IP Addrs|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1 | Auth Type | Adver Int | Checksum | | Auth Type | Adver Int | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2 | Virtual IP address | | IP Address (1) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3 | Authentication Data | | . |
| . |
| . |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 | | | IP Address (n) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authentication Data (1) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authentication Data (2) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
5.2 IP Field Descriptions 5.2 IP Field Descriptions
5.2.1 Source Address 5.2.1 Source Address
The real IP address of the interface the packet is being sent from. The primary IP address of the interface the packet is being sent
from.
5.2.2 Destination Address 5.2.2 Destination Address
The VRRP IP multicast address assigned by the IANA. It is defined to The VRRP IP multicast address assigned by the IANA. It is defined to
be: be:
224.0.0.(TBD IANA assignment) 224.0.0.(TBD IANA assignment)
This is a link local scope multicast address. Routers MUST NOT This is a link local scope multicast address. Routers MUST NOT
forward a datagram with this destination address regardless of its forward a datagram with this destination address regardless of its
TTL. TTL.
5.2.3 TTL 5.2.3 TTL
The TTL MUST be set to 255. A VRRP router receiving a packet with The TTL MUST be set to 255. A VRRP router receiving a packet with
the TTL not equal to 255 MUST discard the packet. the TTL not equal to 255 MUST discard the packet.
5.2.4 Protocol 5.2.4 Protocol
skipping to change at page 11, line 20 skipping to change at page 11, line 23
5.2.4 Protocol 5.2.4 Protocol
The VRRP IP protocol number assigned by the IANA. It is defined to The VRRP IP protocol number assigned by the IANA. It is defined to
be (TBD). be (TBD).
5.3 VRRP Field Descriptions 5.3 VRRP Field Descriptions
5.3.1 Version 5.3.1 Version
The version field specifies the VRRP protocol version of this packet. The version field specifies the VRRP protocol version of this packet.
This document defines version 1. This document defines version 2.
5.3.2 VRRP Cluster 5.3.2 Type
The VRRP Cluster field specifies the cluster this packet applies to. The type field specifies the type of this VRRP packet. The only
Note: The interface may participate in more than one VRRP cluster packet type defined in this version of the protocol is:
simultaneously, perhaps serving as Master in one cluster, while
simultaneously serving as backup in other clusters.
5.3.3 Priority 1 ADVERTISEMENT
The priority field specifies the router's priority for the Virtual IP A packet with unknown type MUST be discarded.
address and cluster. Higher values equal higher priority. This
field is an 8 bit unsigned field, giving 1 as the minimum priority,
and 255 as the maximum priority. The default priority is 100
(decimal).
The priority value zero (0) has special meaning indicating that the 5.3.3 Virtual Rtr ID (VRID)
current Master has stopped running VRRP. This is used to trigger
Backup routers to quickly transition to Master without having to wait
for the current Master to timeout.
In the event that two or more routers within a cluster have equal The Virtual Router Identifier (VRID) field identifies the virtual
priority, and that priority is the highest priority for the cluster, router this packet is reporting status for.
initially the router with the higher real interface IP address
(interpreted as a 32 bit unsigned integer) will become Master. Any
router joining the cluster with the same priority will not become
Master even if it has a higher IP address unless the current Master
goes down.
5.3.4 Type 5.3.4 Priority
The type field specifies the type of this VRRP packet. The only The priority field specifies the router's priority for the virtual
packet type defined in this version of the protocol is: router. Higher values equal higher priority. This field is an 8 bit
unsigned field.
1 ADVERTISEMENT The priority value for the router that owns the IP address(es)
associated with the virtual router MUST be 255 (decimal).
A packet with unknown type MUST be discarded. VRRP routers backing up another virtual router MAY use priority
values between 1-254 (decimal). The default priority value for
routers backing up another virtual router is 100 (decimal).
5.3.5 Authentication Type The priority value zero (0) has special meaning indicating that the
current Master has stopped participating in VRRP. This is used to
trigger Backup routers to quickly transition to Master without having
to wait for the current Master to timeout.
5.3.5 Count IP Addrs
The number of IP addresses contained in this VRRP advertisement.
5.3.6 Authentication Type
The authentication type field identifies the authentication method The authentication type field identifies the authentication method
being utilized. The authentication type field is an 8 bit number. A being utilized. Authentication type is unique on a per interface
packet with unknown authentication type or that does not match the basis. The authentication type field is an 8 bit number. A packet
locally configured authentication method MUST be discarded. with unknown authentication type or that does not match the locally
configured authentication method MUST be discarded.
The authentication methods currently defined are: The authentication methods currently defined are:
0 - No Authentication 0 - No Authentication
1 - Simple Text Password 1 - Simple Text Password
2 - IP Authentication Header 2 - IP Authentication Header
5.3.5.1 No Authentication 5.3.6.1 No Authentication
The use of this authentication type means that VRRP protocol The use of this authentication type means that VRRP protocol
exchanges are not authenticated. The contents of the Authentication exchanges are not authenticated. The contents of the Authentication
Data field should be set to zero on transmission and ignored on Data field should be set to zero on transmission and ignored on
reception. reception.
5.3.5.2 Simple Text Password 5.3.6.2 Simple Text Password
The use of this authentication type means that VRRP protocol The use of this authentication type means that VRRP protocol
exchanges are authenticated by a clear text password. The contents exchanges are authenticated by a clear text password. The contents
of the Authentication Data field should be set to the locally of the Authentication Data field should be set to the locally
configured password on transmission. There is no default password. configured password on transmission. There is no default password.
The receiver MUST check that the Authentication Data in the packet The receiver MUST check that the Authentication Data in the packet
matches its configured authentication string. Packets that do not matches its configured authentication string. Packets that do not
match MUST be discarded. match MUST be discarded.
5.3.5.3 IP Authentication Header 5.3.6.3 IP Authentication Header
The use of this authentication type means the VRRP protocol exchanges The use of this authentication type means the VRRP protocol exchanges
are authenticated using the mechanisms defined by the IP are authenticated using the mechanisms defined by the IP
Authentication Header [AUTH] using HMAC: Keyed-Hashing for Message Authentication Header [AUTH] using HMAC: Keyed-Hashing for Message
Authentication [HMAC]. Keys may be either configured manually or via Authentication [HMAC]. Keys may be either configured manually or via
a key distribution protocol. a key distribution protocol.
If a packet is received that does not pass the authentication check If a packet is received that does not pass the authentication check
due to a missing authentication header or incorrect message digest, due to a missing authentication header or incorrect message digest,
then the packet MUST be discarded. The contents of the then the packet MUST be discarded. The contents of the
Authentication Data field should be set to zero on transmission and Authentication Data field should be set to zero on transmission and
ignored on reception. ignored on reception.
5.3.6 Advertisement Interval (Adver Int) 5.3.7 Advertisement Interval (Adver Int)
The Advertisement interval indicates the time interval (in seconds) The Advertisement interval indicates the time interval (in seconds)
between ADVERTISEMENTS. The default is 1 second. This field is used between ADVERTISEMENTS. The default is 1 second. This field is used
for troubleshooting misconfigured routers. for troubleshooting misconfigured routers.
5.3.7 Checksum 5.3.8 Checksum
The checksum field is used to detect data corruption in the VRRP The checksum field is used to detect data corruption in the VRRP
message. message.
The checksum is the 16-bit one's complement of the one's complement The checksum is the 16-bit one's complement of the one's complement
sum of the entire VRRP message starting with the version field. For sum of the entire VRRP message starting with the version field. For
computing the checksum, the checksum field is set to zero. computing the checksum, the checksum field is set to zero.
5.3.8 Virtual IP address 5.3.9 IP Address(es)
The virtual IP address field specifies the Virtual IP (VIP) address
associated with the particular cluster. This field is used for
troubleshooting misconfigured routers.
The VIP MUST be an IP address assigned from the subnet that the One or more IP addresses that are associated with the virtual router.
interface is attached and does not match any hosts real IP or cluster The number of addresses included is specified in the "Count IP Addrs"
VIP address. field. These fields are used for troubleshooting misconfigured
routers.
5.3.9 Authentication Data 5.3.10 Authentication Data
The authentication string is currently only utilized for simple text The authentication string is currently only utilized for simple text
authentication, similar to the simple text authentication found in authentication, similar to the simple text authentication found in
the Open Shortest Path First routing protocol [OSPF]. It is up to 8 the Open Shortest Path First routing protocol [OSPF]. It is up to 8
characters of plain text. If the configured authentication string is characters of plain text. If the configured authentication string is
shorter than 8 bytes, the remaining space MUST be zero-filled. Any shorter than 8 bytes, the remaining space MUST be zero-filled. Any
VRRP packet with an authentication string that does not match its VRRP packet with an authentication string that does not match its
configured authentication string SHOULD be discarded. The configured authentication string SHOULD be discarded. The
authentication string is unique on a per interface basis. authentication string is unique on a per interface basis.
There is no default value for this field. There is no default value for this field.
6. Protocol State Machine 6. Protocol State Machine
6.1 Parameters 6.1 Parameters
Cluster_ID Cluster identifier. Configured item. There 6.1.1 Parameters per Interface
is no default.
Priority Priority value for this cluster. Configured Authentication_Type Type of authentication being used. Values
item. Range is between 1-255. Default is are defined in section 5.3.6.
100 (decimal).
Virtual_IP Virtual IP Address for this cluster. Authentication_Data Authentication data specific to the
Configured item. Authentication_Type being used.
Advertisement_Interval Time interval between ADVERTISEMENTS in 6.1.2 Parameters per Virtual Router
seconds. Default is 1 second.
Skew_Time Calculated time to skew Master_Down_Interval Virtual Router Identifier. Configured item in the range 1-255
in seconds. Defined to be: (decimal). There is no default.
( (256 - Priority) / 256 ) Priority Priority value to be used in Master election
for this virtual router. The value of 255
(decimal) is reserved for the router that
owns the IP addresses associated with the
virtual router. The value of 0 (zero) is
reserved for Master router to indicate it
has stopped running VRRP. The range 1-254
(decimal) is available for VRRP routers
backing up the virtual router. The default
value is 100 (decimal).
IP_Addresses One or more IP addresses associated with
this virtual router. Configured item. No
default.
Advertisement_Interval Time interval between ADVERTISEMENTS
(seconds). Default is 1 second.
Skew_Time Time to skew Master_Down_Interval in
seconds. Calculated as:
( (256 - Priority) / 256 )
Master_Down_Interval Time interval for Backup to declare Master Master_Down_Interval Time interval for Backup to declare Master
down in seconds. Defined to be: down (seconds). Calculated as:
(3 * Advertisement_Interval) + Skew_time (3 * Advertisement_Interval) + Skew_time
Preempt_Mode Configuration switch controlling whether a Preempt_Mode Controls whether a higher priority Backup
higher priority VRRP router preempts a lower router preempts a lower priority Master.
priority VRRP Master. Values are True to Values are True to preempt and False to not
preempt and False to not preempt. Default preempt. Default is True.
is True.
Note: Exception is that the router that owns
the IP address(es) associated with the
virtual router always pre-empts independent
of the setting of this flag.
6.2 Timers 6.2 Timers
Master_Down_Timer Timer that fires when ADVERTISEMENT has not Master_Down_Timer Timer that fires when ADVERTISEMENT has not
been heard for Master_Down_Interval. been heard for Master_Down_Interval.
Adver_Timer Timer that fires to trigger sending of Adver_Timer Timer that fires to trigger sending of
ADVERTISEMENT based on ADVERTISEMENT based on
Advertisement_Interval. Advertisement_Interval.
6.3 State Transition Diagram 6.3 State Transition Diagram
+---------------+ +---------------+
| |<-------------+ +--------->| |<-------------+
+--------->| Initialize | | | | Initialize | |
| | |----------+ | | +------| |----------+ |
| +---------------+ | | | | +---------------+ | |
| | | | | | |
| V | | V V |
+---------------+ +---------------+ +---------------+ +---------------+
| |---------------------->| | | |---------------------->| |
| Master | | Backup | | Master | | Backup |
| |<----------------------| | | |<----------------------| |
+---------------+ +---------------+ +---------------+ +---------------+
6.4 State Descriptions 6.4 State Descriptions
In the state descriptions below, the state names are identified by In the state descriptions below, the state names are identified by
{state-name}, and the packets are identified by all upper case {state-name}, and the packets are identified by all upper case
characters. characters.
6.4.1 Initialize 6.4.1 Initialize
{Initialize} is the state a virtual router takes when VRRP is {Initialize} is the state a virtual router takes when it is inactive
inactive. The purpose of this state is to wait for a Startup event. with respect to the virtual router. The purpose of this state is to
If a Startup event is received, then: wait for a Startup event. If a Startup event is received, then:
- Set the Master_Down_Timer to Master_Down_Interval - If the Priority = 255 (i.e., the router owns the IP address(es)
associated with the virtual router)
- Transition to the {Backup} state o Send an ADVERTISEMENT
o Send a gratuitous ARP request containing the virtual router MAC
address for each IP address associated with the virtual router.
o Set the Adver_Timer to Advertisement_Interval
o Transition to the {Master} state
else
o Set the Master_Down_Timer to Master_Down_Interval
o Transition to the {Backup} state
endif
6.4.2 Backup 6.4.2 Backup
The purpose of the {Backup} state is to monitor the availability and The purpose of the {Backup} state is to monitor the availability and
state of the Master Router. state of the Master Router.
While in this state, an virtual router MUST do the following: While in this state, an virtual router MUST do the following:
- MUST NOT respond to ARP requests for the virtual router IP address - MUST NOT respond to ARP requests for the IP address(s) associated
with this VRID.
- MUST discard packets with a destination link layer MAC address - MUST discard packets with a destination link layer MAC address
equal to the virtual router MAC address equal to the virtual router MAC address for this VRID.
- MUST NOT accept packets addressed to the IP address(es) associated
with this VRID.
- MUST not accept packets addressed to the Virtual IP address
- If a Shutdown event is received, then: - If a Shutdown event is received, then:
o Cancel the Master_Down_Timer o Cancel the Master_Down_Timer
o Transition to the {Initialize} state o Transition to the {Initialize} state
endif endif
- If the Master_Down_Timer fires, then: - If the Master_Down_Timer fires, then:
o Send an ADVERTISEMENT o Send an ADVERTISEMENT
o Send a gratuitous ARP request containing their virtual router
MAC address for each IP address associated with the virtual
router
o Set the Adver_Timer to Advertisement_Interval o Set the Adver_Timer to Advertisement_Interval
o Transition to the {Master} state o Transition to the {Master} state
endif endif
- If an ADVERTISEMENT is received, then: - If an ADVERTISEMENT is received, then:
If the Priority in the ADVERTISEMENT is Zero, then: If the Priority in the ADVERTISEMENT is Zero, then:
o Set the Master_Down_Timer to Skew_Time o Set the Master_Down_Timer to Skew_Time
skipping to change at page 16, line 43 skipping to change at page 17, line 39
else: else:
o Discard the ADVERTISEMENT o Discard the ADVERTISEMENT
endif endif
endif endif
endif endif
6.4.3 Master 6.4.3 Master
While in the {Master} state the router functions as the physical While in the {Master} state the router functions as the forwarding
router for the Virtual IP address. router for the IP address(es) associated with the virtual router.
While in this state, a virtual router MUST do the following: While in this state, a virtual router MUST do the following:
- MUST respond to ARP requests for the VIP address with the virtual - MUST respond to ARP requests for the IP address(es) associated
router MAC address with the VRID with the virtual router MAC address.
- Must accept and forward packets with a destination link layer MAC
address equal to the virtual router MAC address
- Must accept packets addressed to the VIP address - MUST forward packets with a destination link layer MAC address
equal to the virtual router MAC address.
- MUST NOT accept packets addressed to the IP address(es) associated
for the virtual router if it is not the IP address owner.
- MUST accept packets addressed to the IP address(es) if it is the
IP address owner.
- If a Shutdown event is received, then: - If a Shutdown event is received, then:
o Cancel the Adver_Timer o Cancel the Adver_Timer
o Send an ADVERTISEMENT with Priority = 0 o Send an ADVERTISEMENT with Priority = 0
o Transition to the {Initialize} state o Transition to the {Initialize} state
endif endif
- If the Adver_Timer fires, then: - If the Adver_Timer fires, then:
skipping to change at page 17, line 37 skipping to change at page 18, line 37
o Send an ADVERTISEMENT o Send an ADVERTISEMENT
o Reset the Adver_Timer to Advertisement_Interval o Reset the Adver_Timer to Advertisement_Interval
else: else:
If the Priority in the ADVERTISEMENT is greater than the If the Priority in the ADVERTISEMENT is greater than the
local Priority, local Priority,
or or
If the Priority in the ADVERTISEMENT is equal to the local If the Priority in the ADVERTISEMENT is equal to the local
Priority and the IP Address of the sender is greater than Priority and the primary IP Address of the sender is greater
the local IP Address, then: than the local primary IP Address, then:
o Cancel Adver_Timer o Cancel Adver_Timer
o Set Master_Down_Timer to Master_Down_Interval o Set Master_Down_Timer to Master_Down_Interval
o Transition to the {Backup} state o Transition to the {Backup} state
else: else:
o Discard ADVERTISEMENT o Discard ADVERTISEMENT
endif endif
endif endif
endif endif
7. Sending and Receiving VRRP Packets 7. Sending and Receiving VRRP Packets
7.1 Receiving VRRP Packets 7.1 Receiving VRRP Packets
The following actions MUST be performed when a VRRP packet is Performed the following functions when a VRRP packet is received:
received:
- Verify that the IP TTL is 255. - MUST verify that the IP TTL is 255.
- Verify that the received packet length is greater than or equal - MUST verify that the received packet length is greater than or
to the VRRP header length equal to the VRRP header
- Verify the VRRP checksum - MUST verify the VRRP checksum
- Verify the VRRP version - MUST verify the VRRP version
- Perform authentication specified by Auth Type - MUST perform authentication specified by Auth Type
If any one of the above checks fails, the receiver MUST discard the If any one of the above checks fails, the receiver MUST discard the
packet, SHOULD log the event and MAY indicate via network management packet, SHOULD log the event and MAY indicate via network management
that an error occurred. that an error occurred.
- Verify that the Cluster identifier and the VIP are valid on the - MUST verify that the VRID is valid on the receiving interface
receiving interface
- Verify that the VIP in packet is same as the configured VIP for
this cluster
If any one of the above checks fails, the receiver MUST discard the If the above checks fails, the receiver MUST discard the packet.
packet.
- Verify that the Adver Interval in the packet is the same as the - MAY verify that the IP address(es) associated with the VRID are
locally configured for this virtual router valid
If the above check fails, the receiver SHOULD log the event and MAY
indicate via network management that an error occurred. If the
Priority does not equal 255 (decimal), the receiver MUST drop the
packet. If the Priority equals 255 (decimal) continue processing.
- MUST verify that the Adver Interval in the packet is the same as
the locally configured for this virtual router
If the above check fails, the receiver MUST discard the packet, If the above check fails, the receiver MUST discard the packet,
SHOULD log the event and MAY indicate via network management that an SHOULD log the event and MAY indicate via network management that an
error occurred. error occurred.
7.2 Transmitting Packets 7.2 Transmitting Packets
The following operations MUST be performed prior to transmitting a The following operations MUST be performed prior to transmitting a
VRRP packet. VRRP packet.
- Fill in the VRRP packet fields with the appropriate virtual - Fill in the VRRP packet fields with the appropriate virtual
router configuration state router configuration state
- Compute the VRRP checksum - Compute the VRRP checksum
- Set the source MAC address to Virtual Router MAC Address - Set the source MAC address to Virtual Router MAC Address
- Set the source IP address to interface primary IP address
- Send the VRRP packet to the VRRP IP multicast group - Send the VRRP packet to the VRRP IP multicast group
Note: VRRP packets are transmitted with the virtual router MAC
Note: VRRP packets are transmitted with the virtual MAC address as address as the source MAC address to ensure that learning bridges
the source MAC address to ensure that learning bridges correctly correctly determine the LAN segment the virtual router is attached
determine the LAN segment the virtual router is attached to. to.
7.3 Virtual Router MAC Address 7.3 Virtual Router MAC Address
The virtual router MAC address associated with a virtual router is an The virtual router MAC address associated with a virtual router is an
IEEE 802 MAC Address in the following format: IEEE 802 MAC Address in the following format:
00-00-5E-XX-XX-{cluster id} (in hex in internet standard bit-order) 00-00-5E-XX-XX-{VRID} (in hex in internet standard bit-order)
The first three octets are derived from the IANA's OUI. The next two The first three octets are derived from the IANA's OUI. The next two
octets (to be assigned by the IANA) indicate the address block octets (to be assigned by the IANA) indicate the address block
assigned to the VRRP protocol. {cluster id} is the VRRP cluster assigned to the VRRP protocol. {VRID} is the VRRP Router Identifier.
identifier. This mapping provides for up to 255 VRRP clusters on a This mapping provides for up to 255 VRRP routers on a network.
network.
8. Host Operation 8. Operational Issues
8.1 Host ARP Requests 8.1 ICMP Redirects
When a host sends an ARP request for the virtual IP address, the ICMP Redirects may be used normally when VRRP is running between a
Master router MUST respond to the ARP request with the virtual MAC group of routers. This allows VRRP to be used in environments where
address for the virtual router. This allows the client to always use the topology is not symmetric.
the same MAC address regardless of the current Master router. The
request MUST be handled as a standard ARP reply.
9. Operational Issues When acting as a Master for a VRID it is not the owner, the virtual
router MUST send ICMP Redirects using the IP address associated with
the VRID as the source of the ICMP Redirect. This entails looking at
the destination MAC address in the packet that is being redirected
and selecting the appropriate IP address.
9.1 ICMP Redirects It may be useful to disable Redirects for specific cases where is
VRRP is being used to load share traffic between a number of routers
in a symmetric topology.
VRRP operation relies on hosts only using the Virtual IP address. It 8.2 Host ARP Requests
is important that client hosts do not learn the real IP address of
any VRRP router on the LAN segment. Consequently VRRP routers MUST
NOT send ICMP Redirects on any interface they are running VRRP on.
9.2 Proxy ARP When a host sends an ARP request for one of the virtual routers IP
addresses, the Master router MUST respond to the ARP request with the
virtual MAC address for the virtual router. The virtual router MUST
NOT respond with it's physical MAC address. This allows the client
to always use the same MAC address regardless of the current Master
router. The request MUST be handled as a standard ARP reply.
When a virtual router restarts or boots, it SHOULD not send any ARP
messages with it's physical MAC addresses for the IP addresses it
owns. They should only send ARP messages that include Virtual MAC
addresses. This may entail:
- When configuring their interfaces, virtual routers should send a
gratuitous ARP request containing their virtual MAC address for
each IP address they own on that interface.
- At system boot, when initializing any of its IP addresses for
which VRRP is configured, delay gratuitous ARP requests and ARP
responses for that interface until both the IP address and the
virtual MAC address are configured.
8.3 Proxy ARP
If Proxy ARP is to be used on a router running VRRP, then the VRRP If Proxy ARP is to be used on a router running VRRP, then the VRRP
router must advertise the Virtual Router MAC address in the Proxy ARP router must advertise the Virtual Router MAC address in the Proxy ARP
message. Doing otherwise could cause hosts to learn the real IP message. Doing otherwise could cause hosts to learn the real MAC
address of the VRRP routers. address of the VRRP routers.
9.3 Network Management 9. Operation over FDDI and Token Ring
It is important that network management tools (e.g., SNMP, Telnet,
etc.) always use the real IP addresses of a VRRP router. This
ensures that network management is aware of the status of the real
routers (e.g., to detect that a router has failed so that it can be
repaired).
10. Operation over FDDI and Token Ring
10.1 Operation over FDDI 9.1 Operation over FDDI
FDDI interfaces strip from the FDDI ring frames that have a source FDDI interfaces strip from the FDDI ring frames that have a source
MAC address matching the device's hardware address. Under some MAC address matching the device's hardware address. Under some
conditions, such as router isolations, ring failures, protocol conditions, such as router isolations, ring failures, protocol
transitions, etc., VRRP may cause there to be more than one Master transitions, etc., VRRP may cause there to be more than one Master
router. If a Master router installs the virtual router MAC address router. If a Master router installs the virtual router MAC address
as the hardware address on a FDDI device, then other Masters' as the hardware address on a FDDI device, then other Masters'
ADVERTISEMENTS will be stripped off the ring during the Master ADVERTISEMENTS will be stripped off the ring during the Master
convergence, and convergence will fail. convergence, and convergence will fail.
To avoid this an implementations SHOULD configure the virtual router To avoid this an implementation SHOULD configure the virtual router
MAC address by adding a unicast MAC filter in the FDDI device, rather MAC address by adding a unicast MAC filter in the FDDI device, rather
than changing its hardware MAC address. This will prevent a Master than changing its hardware MAC address. This will prevent a Master
router from stripping any ADVERTISEMENTS it did not originate. router from stripping any ADVERTISEMENTS it did not originate.
10.2 Operation over Token Ring 9.2 Operation over Token Ring
Token Ring has several characteristics which make running VRRP Token Ring has several characteristics which make running VRRP
problematic. This includes: problematic. This includes:
- No general multicast mechanism. Required use of "functional - No general multicast mechanism. Required use of "functional
addresses" as a substitute, which may collide with other usage of addresses" as a substitute, which may collide with other usage of
the same "functional addresses". the same "functional addresses".
- Token Ring interfaces may have a limited ability to receive on - Token Ring interfaces may have a limited ability to receive on
multiple MAC addresses. multiple MAC addresses.
- In order to switch to a new master located on a different physical - In order to switch to a new master located on a different physical
ring from the previous master when using source route bridges, a ring from the previous master when using source route bridges, a
mechanism is required to update cached source route information. mechanism is required to update cached source route information.
Due the these issues and the limited knowledge about the detailed Due the these issues and the limited knowledge about the detailed
operation of Token Ring by the authors, this version of VRRP does not operation of Token Ring by the authors, this version of VRRP does not
work over Token Ring networks. This may be remedied in new version work over Token Ring networks. This may be remedied in new version
of this document, or in a separate document. of this document, or in a separate document.
11. Security Considerations 10. Security Considerations
VRRP is designed for a range of internetworking environments that may VRRP is designed for a range of internetworking environments that may
employ different security policies. The protocol includes several employ different security policies. The protocol includes several
authentication methods ranging from no authentication, simple clear authentication methods ranging from no authentication, simple clear
text passwords, and strong authentication using IP Authentication text passwords, and strong authentication using IP Authentication
with HMAC. The details on each approach including possible attacks with HMAC. The details on each approach including possible attacks
and recommended environments follows. and recommended environments follows.
Independent of any authentication type VRRP includes a mechanism Independent of any authentication type VRRP includes a mechanism
(setting TTL=255, checking on receipt) that protects against VRRP (setting TTL=255, checking on receipt) that protects against VRRP
packets being injected from another remote network. This limits most packets being injected from another remote network. This limits most
vulnerabilities to local attacks. vulnerabilities to local attacks.
11.1 No Authentication 10.1 No Authentication
The use of this authentication type means that VRRP protocol The use of this authentication type means that VRRP protocol
exchanges are not authenticated. This type of authentication SHOULD exchanges are not authenticated. This type of authentication SHOULD
only be used in environments were there is minimal security risk and only be used in environments were there is minimal security risk and
little chance for configuration errors (e.g., two VRRP routers in a little chance for configuration errors (e.g., two VRRP routers on a
single cluster on a link). link).
11.2 Simple Text Password 10.2 Simple Text Password
The use of this authentication type means that VRRP protocol The use of this authentication type means that VRRP protocol
exchanges are authenticated by a simple clear text password. exchanges are authenticated by a simple clear text password.
This type of authentication is useful to protect against accidental This type of authentication is useful to protect against accidental
misconfiguration of routers on a link. It protects against routers misconfiguration of routers on a link. It protects against routers
inadvertently becoming a member of a VRRP cluster. A new router must inadvertently backing up another router. A new router must first be
first be configured with the correct password before it can become a configured with the correct password before it can run VRRP with
member of the VRRP cluster. This type of authentication does not another router. This type of authentication does not protect against
protect against hostile attacks where the password can be learned by hostile attacks where the password can be learned by a node snooping
a node snooping VRRP packets on the link. The Simple Text VRRP packets on the link. The Simple Text Authentication combined
Authentication combined with the TTL check makes it difficult for a with the TTL check makes it difficult for a VRRP packet to be sent
VRRP packet to be sent from another link to disrupt VRRP operation. from another link to disrupt VRRP operation.
This type of authentication is RECOMMENDED when there is minimal risk This type of authentication is RECOMMENDED when there is minimal risk
of nodes on the link actively disrupting VRRP operation. of nodes on the link actively disrupting VRRP operation.
11.3 IP Authentication Header 10.3 IP Authentication Header
The use of this authentication type means the VRRP protocol exchanges The use of this authentication type means the VRRP protocol exchanges
are authenticated using the mechanisms defined by the IP are authenticated using the mechanisms defined by the IP
Authentication Header [AUTH] using HMAC: Keyed-Hashing for Message Authentication Header [AUTH] using HMAC: Keyed-Hashing for Message
Authentication [HMAC]. This provides strong protection against Authentication [HMAC]. This provides strong protection against
configuration errors, replay attacks, and packet configuration errors, replay attacks, and packet
corruption/modification. corruption/modification.
This type of authentication is RECOMMENDED when there is limited This type of authentication is RECOMMENDED when there is limited
control over the administration of nodes on the link. While this control over the administration of nodes on the link. While this
type of authentication does protect the operation of VRRP, there are type of authentication does protect the operation of VRRP, there are
other types of attacks that may be employed on shared media links other types of attacks that may be employed on shared media links
(e.g., generation of bogus ARP replies) which are independent from (e.g., generation of bogus ARP replies) which are independent from
VRRP and are not protected. VRRP and are not protected.
11. Acknowledgments
The authors would like to thank Glen Zorn, and Michael Lane, Clark
Bremer, Hal Peterson, Tony Li, Barbara Denny, Joel Halpern, Steve
Bellovin, and Acee Lindem for their comments and suggestions.
12. References 12. References
[AUTH] Atkinson, R., "IP Authentication Header", RFC-1826, August [AUTH] Atkinson, R., "IP Authentication Header", RFC-1826, August
1995. 1995.
[DISC] Deering, S., "ICMP Router Discovery Messages", RFC-1256, [DISC] Deering, S., "ICMP Router Discovery Messages", RFC-1256,
September 1991. September 1991.
[DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC-1541, [DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC-1541,
October 1993. October 1993.
skipping to change at page 24, line 22 skipping to change at page 25, line 22
232 Java Drive 232 Java Drive
Sunnyvale, CA 94089 Sunnyvale, CA 94089
USA USA
Danny Mitzel Phone: +1 408 990-2037 Danny Mitzel Phone: +1 408 990-2037
Ipsilon Networks, Inc. EMail: mitzel@ipsilon.com Ipsilon Networks, Inc. EMail: mitzel@ipsilon.com
232 Java Drive 232 Java Drive
Sunnyvale, CA 94089 Sunnyvale, CA 94089
USA USA
14. Acknowledgments Peter Hunt Phone: +1 408 990-2093
Ipsilon Networks, Inc. EMail: hunt@ipsilon.com
232 Java Drive
Sunnyvale, CA 94089
USA
The authors would like to thank Glen Zorn, and Michael Lane, Clark P. Higginson Phone: +44 118 920 6293
Bremer, Hal Peterson, Peter Hunt, Tony Li, Barbara Denny, and Steve REO2-F/E9 EMail: higginson@mail.dec.com
Bellovin for their comments and suggestions. Digital Equipment Corp.
Digital Park
Imperial Way
Reading
Berkshire
RG2 0TE
UK
15. Changes from Previous Drafts M. Shand Phone: +44 118 920 4424
REO2-F/D9 EMail: shand@mail.dec.com
Digital Equipment Corp.
Digital Park
Imperial Way
Reading
Berkshire
RG2 0TE
UK
14. Changes from Previous Drafts
Changes from <draft-ietf-vrrp-spec-01.txt>
Major change to use real IP addresses instead of virtual IP
addresses. Changes include:
- Updated version number to 2.
- Modified packet header
- New terminology (removed cluster, virtual IP address, etc., added
VRID, associated IP address(es), etc.).
- Special case of priority = 255 for router owning VRID and
associated IP address(es).
- Reworked examples.
- Rewrote introductory and overview sections.
- Added rules for redirects and ARP.
- Added sending gratuitous ARP request when transitioning to Master.
Changes from <draft-ietf-vrrp-spec-00.txt> Changes from <draft-ietf-vrrp-spec-00.txt>
- Added Preempt_Mode to allow user control over preemption - Added Preempt_Mode to allow user control over preemption
independent of configured priorities. independent of configured priorities.
- Rewrote authentication section and expanded security - Rewrote authentication section and expanded security
considerations. considerations.
- Expanded State Description section and removed State Table which - Expanded State Description section and removed State Table which
become redundant and impossible to edit. become redundant and impossible to edit.
- Changed authentication to be on a per interface basis (not per - Changed authentication to be on a per interface basis (not per
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/