OpenBSD 5.3, CARP and IPv6


OpenBSD 5.3, CARP and IPv6

Andy Lemin
Hi everyone,

I'm hoping someone can help me as I'm not having much luck with adding
IPv6 to the mix of our already working IPv4 setup.

What should /etc/hostname.carpX look like for an IPv6 setup? Is this
correct?

inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3
advskew 0
inet6 2a00:7e0:0:a::1 64

Or should I have a separate carpX interface for the IPv6?

When I do a tcpdump on the master I see;
Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
advbase=3 advskew=0 demote=33
Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
advbase=3 advskew=100 demote=0
Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
advbase=3 advskew=100 demote=0
Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
advbase=3 advskew=100 demote=0
Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
advbase=3 advskew=0 demote=33

I can see that the IPv6 CARP messages are using the link-local address
and not the global IPv6 addresses I have configured. Why?? :(
This makes it really hard to write PF files as I would have to write
filter rules considering each physical host's MAC addresses :(

I'm also seeing errors stating that the inet6 carp address I have
configured is a duplicate address! Although this could be due to the
fact the firewalls are flapping between backup and master and there are
going to be multi master periods.

net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=3
net.inet6.ip6.forwarding=1
net.inet6.ip6.redirect=0
net.inet6.ip6.accept_rtadv=0

I am also starting to read "Firewalling IPv6 with OpenBSD's pf (packet
filter)".

Thanks for your time, Andy.
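The capture above already contains the evidence for the "flapping between backup and master" suspicion: two different senders (advskew=0 and advskew=100) advertise the same vhid within seconds of each other, although a backup is only supposed to speak after the master has been silent for its dead time. The script below is an added example, not code from the thread or from OpenBSD; it parses tcpdump records of the form shown (re-joined onto one line each), identifies senders by advskew (an assumption that holds when each peer has a distinct advskew, as here), reports sender changes that happen inside the new sender's dead time, and lists the demote counter each sender carried. The sample capture is constructed from the lines in the post.

```python
"""Flag CARP master contention in OpenBSD tcpdump output.

Added example, not from the thread. Assumed: within a vhid every peer uses a
distinct advskew (0 and 100 in Andy's capture), so advskew identifies the
sender. A backup advertises only after its dead time (3 * advbase plus
advskew/256 s, per carp(4)) passes without hearing the master, so a sender
change inside that window means both nodes believe they are master.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: Andy's capture with each tcpdump record re-joined onto
# one line. The two "neighbor adv" records are NDP, not CARP, and are skipped.
SAMPLE_CAPTURE = """\
Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33
Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86: fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86: fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33
"""

ADVERT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d\.\d+) "
    r"[0-9a-f:]{17} [0-9a-f:]{17} (?P<ethertype>0800|86dd) \d+: "
    r"(?:(?P<src6>[0-9a-f:]+) > [0-9a-f:]+: )?"  # only the 86dd records carry IP addresses
    r"CARPv2-advertise \d+: vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+) demote=(?P<demote>\d+)"
)


def parse_adverts(text, year=2013):
    """Return the CARP advertisements in text as dicts, oldest first."""
    adverts = []
    for line in text.splitlines():
        m = ADVERT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S.%f")
        adverts.append({
            "ts": ts,
            "family": "inet6" if m["ethertype"] == "86dd" else "inet",
            "src": m["src6"],  # None on the IPv4 records (printed without an IP header)
            "vhid": int(m["vhid"]), "advbase": int(m["advbase"]),
            "advskew": int(m["advskew"]), "demote": int(m["demote"]),
        })
    adverts.sort(key=lambda a: a["ts"])
    return adverts


def dead_time(advert):
    """Seconds this sender would wait, as a backup, before claiming master."""
    return 3 * advert["advbase"] + advert["advskew"] / 256


def find_contention(adverts):
    """Return ({vhid: sorted advskews seen}, events).

    An event (vhid, ts, old_advskew, new_advskew, gap_seconds) is recorded when
    the advertising sender changes faster than the new sender's own dead time,
    i.e. it took over while the previous sender was still advertising.
    """
    by_vhid = defaultdict(list)
    for a in adverts:
        by_vhid[a["vhid"]].append(a)
    senders, events = {}, []
    for vhid, ads in by_vhid.items():
        senders[vhid] = sorted({a["advskew"] for a in ads})
        last = ads[0]
        for a in ads[1:]:
            if a["advskew"] != last["advskew"]:
                gap = (a["ts"] - last["ts"]).total_seconds()
                if gap < dead_time(a):
                    events.append((vhid, a["ts"], last["advskew"], a["advskew"], round(gap, 3)))
            last = a
    return senders, events


def demote_by_sender(adverts):
    """Map vhid -> {advskew: highest demote counter seen from that sender}."""
    out = defaultdict(dict)
    for a in adverts:
        seen = out[a["vhid"]]
        seen[a["advskew"]] = max(seen.get(a["advskew"], 0), a["demote"])
    return dict(out)


if __name__ == "__main__":
    ads = parse_adverts(SAMPLE_CAPTURE)
    senders, events = find_contention(ads)
    demotes = demote_by_sender(ads)
    for vhid, skews in senders.items():
        print(f"vhid {vhid}: senders by advskew {skews}, demote counters {demotes[vhid]}")
    for vhid, ts, old, new, gap in events:
        print(f"vhid {vhid} {ts.time()}: advskew {old} -> {new} after {gap}s: contention")
```

Run against the sample it reports two contention events (advskew 0 to 100 after 1.2 s, then 100 to 0 after 2.2 s) and shows that the advskew=0 node advertises with demote=33 while the advskew=100 node advertises with demote=0. On OpenBSD the demotion counter is compared before the advertisement timers, so a node with a higher counter loses the election regardless of its advskew; `ifconfig -g carp` on each firewall shows the group's current demote count, and a non-zero value on the intended master is worth chasing (pfsync(4) bulk updates and interface groups are the usual sources) before blaming the IPv6 configuration.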


Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
PS; I don't have MLD capable switches in all locations if that is a
factor here regarding CARP messages being via IPv6 Multicast.





Re: OpenBSD 5.3, CARP and IPv6

Loïc Blot
Hello Andy,
here is one of my working configurations (OpenBSD 5.2)

inet 194.199.X.28 255.255.255.240 NONE
inet6 2001:660:abcd:1234::1:1 64
description "CARP server"
carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass xxxxx

--
Best regards,

Loïc BLOT, Engineering
UNIX Systems, Security and Networks
http://www.unix-experience.fr




Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
Thanks, I'll give that a try.

I have got it working with separate CARP interfaces for v4 and v6 but
was hoping to have it working under one interface.

Cheers, Andy.


On Thu 29 Aug 2013 17:13:37 BST, Loïc Blot wrote:
> Hello Andy,
> here is on of my working configuration (OpenBSD 5.2)
>
> inet 194.199.X.28 255.255.255.240 NONE
> inet6 2001:660:abcd:1234::1:1 64
> description "CARP server"
> carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass xxxxx


Re: OpenBSD 5.3, CARP and IPv6

Todd T. Fries
In reply to this post by Andy Lemin
Penned by Andy on 20130829  9:57.29, we have:
| Hi everyone,
|
| I'm hoping someone can help me as I'm not having much luck with adding
| IPv6 to the mix of our already working IPv4 setup.
|
| What should /etc/hostname.carpX look like for an IPv6 setup? Is this
| correct;?
|
| inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3
| advskew 0
| inet6 2a00:7e0:0:a::1 64

Any 'inet6' except the first link local reference in a given hostname.if(4)
file should be followed by 'alias'.

Aka you need:

inet6 alias 2a00:7e0:0:a::1

The 64 is implicitly the default; if you choose to list it explicitly, that's ok too.
 
| Or should I have a separate carpX interface for the IPv6?
|
| When I do a tcpdump on the master I see;
| Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=0 demote=33
| Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
| fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
| Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
| fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
| Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
| Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=100 demote=0
| Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
| CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
| Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
| fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
| advbase=3 advskew=0 demote=33
|
| I can see that the IPv6 CARP messages are using the link local address
| and not the global IPv6 addresses I have configured? Why?? :(
| This makes it really hard to write PF files as I would have to write
| filter rules considering the each physical hosts MAC addresses :(

Because multicast is on the local link not on the global addresses?

Can you not use pf to filter fe80::/8 address space?

| I'm also seeing errors stating that the inet6 carp address I have
| configured is a duplicate address! Although this could be due to the
| fact the firewalls are flapping between backup and master and there are
| going to be multi master periods.

I thought at one point there was a commit to ignore duplicate v6 ndp
due to this issue.  I can't find it right now though, so I don't know
if it is in 5.3 or not.

| net.inet.carp.allow=1
| net.inet.carp.preempt=1
| net.inet.carp.log=3
| net.inet6.ip6.forwarding=1
| net.inet6.ip6.redirect=0
| net.inet6.ip6.accept_rtadv=0
|
| I am also starting to read "Firewalling IPv6 with OpenBSD's pf (packet
| filter)".
|
| Thanks for your time, Andy.

Hope the above helps.
--
Todd Fries .. [hidden email]

 ____________________________________________
|                                            \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com            \  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113-2169 \  sip:[hidden email]
| "..in support of free software solutions." \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt


Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
On Thu 29 Aug 2013 18:37:53 BST, Todd T. Fries wrote:

> Penned by Andy on 20130829  9:57.29, we have:
> | Hi everyone,
> |
> | I'm hoping someone can help me as I'm not having much luck with adding
> | IPv6 to the mix of our already working IPv4 setup.
> |
> | What should /etc/hostname.carpX look like for an IPv6 setup? Is this
> | correct;?
> |
> | inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3
> | advskew 0
> | inet6 2a00:7e0:0:a::1 64
>
> Any 'inet6' except the first link local reference in a given hostname.if(4)
> file should be followed by 'alias'.
>
> Aka you need:
>
> inet6 alias 2a00:7e0:0:a::1
>
> The 64 is implicitly default, if you choose to explicitly list it thats ok too.
>

Ah, of course! I have a ton of IPv4 aliases, but I didn't think to just
add an IPv6 alias :)

> | Or should I have a separate carpX interface for the IPv6?
> |
> | When I do a tcpdump on the master I see;
> | Aug 29 14:36:56.416723 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> | CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
> | Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> | fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
> | advbase=3 advskew=0 demote=33
> | Aug 29 14:36:56.420823 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
> | fe80::1 > ff02::1: icmp6: neighbor adv: tgt is fe80::200:5eff:fe00:101
> | Aug 29 14:36:56.420835 08:00:27:71:f4:ca 33:33:00:00:00:01 86dd 86:
> | fe80::1 > ff02::1: icmp6: neighbor adv: tgt is 2a00:77e0:0:a::1
> | Aug 29 14:36:57.638468 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> | CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
> | Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> | fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
> | advbase=3 advskew=100 demote=0
> | Aug 29 14:37:01.049324 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> | CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
> | Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> | fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
> | advbase=3 advskew=100 demote=0
> | Aug 29 14:37:04.458514 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> | CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0 (DF) [tos 0x10]
> | Aug 29 14:37:04.462013 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> | fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1
> | advbase=3 advskew=100 demote=0
> | Aug 29 14:37:06.648983 00:00:5e:00:01:01 01:00:5e:00:00:12 0800 70:
> | CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33 (DF) [tos 0x10]
> | Aug 29 14:37:06.648996 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90:
> | fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1
> | advbase=3 advskew=0 demote=33
> |
> | I can see that the IPv6 CARP messages are using the link local address
> | and not the global IPv6 addresses I have configured? Why?? :(
> | This makes it really hard to write PF files as I would have to write
> | filter rules considering the each physical hosts MAC addresses :(
>
> Because multicast is on the local link not on the global addresses?
>
> Can you not use pf to filter fe80::/8 address space?
Actually yes, that would be OK as it's only local to the link... I was
thinking I would have to filter the individual EUI-64 addresses, meaning
I would have had to do something with Puppet to pull MACs etc. But
fe80::/8 should be ok, thinking about it. Thanks.

>
> | I'm also seeing errors stating that the inet6 carp address I have
> | configured is a duplicate address! Although this could be due to the
> | fact the firewalls are flapping between backup and master and there are
> | going to be multi master periods.
>
> I thought at one point there was a commit to ignore duplicate v6 ndp
> due to this issue.  I can't find it right now though, so I don't know
> if it is in 5.3 or not.
Now you mention it, I think I saw that in the release notes for
-current (so should be 5.4). I'll ignore it for now. Thanks.

>
> | net.inet.carp.allow=1
> | net.inet.carp.preempt=1
> | net.inet.carp.log=3
> | net.inet6.ip6.forwarding=1
> | net.inet6.ip6.redirect=0
> | net.inet6.ip6.accept_rtadv=0
> |
> | I am also starting to read "Firewalling IPv6 with OpenBSD's pf (packet
> | filter)".
> |
> | Thanks for your time, Andy.
>
> Hope the above helps.

Thanks Todd, yes it does :) Can you recommend anything else that should
be done for IPv6 filtering/forwarding other than the pf rules
themselves? First time doing IPv6 on OBSD.

Cheers, Andy.


Re: OpenBSD 5.3, CARP and IPv6

Stefan Sperling
On Thu, Aug 29, 2013 at 08:35:48PM +0100, Andy wrote:

> On Thu 29 Aug 2013 18:37:53 BST, Todd T. Fries wrote:
> >Penned by Andy on 20130829  9:57.29, we have:
> >| I'm also seeing errors stating that the inet6 carp address I have
> >| configured is a duplicate address! Although this could be due to the
> >| fact the firewalls are flapping between backup and master and there are
> >| going to be multi master periods.
> >
> >I thought at one point there was a commit to ignore duplicate v6 ndp
> >due to this issue.  I can't find it right now though, so I don't know
> >if it is in 5.3 or not.
> Now you mention it, I think I saw that in the release notes for
> -current (so should be 5.4). I'll ignore it for now. Thanks.

Probably this commit, which is in 5.4:
http://marc.info/?l=openbsd-cvs&m=136227095604126&w=2


Re: OpenBSD 5.3, CARP and IPv6

Todd T. Fries
In reply to this post by Andy Lemin
Penned by Andy on 20130829 14:35.48, we have:
| Thanks Todd, yes it does :) Can you recommend anything else that
| should be done for IPv6 filtering/forwarding other than the pf(4) rules
| themselves? First time doing IPv6 on OBSD.

You have to be careful not to filter icmp6(4) on the link-local multicast
subnets, aka ff02::/8, both source and destination. If you wish to
filter out some icmp6(4) messages, be sure you permit those that make ndp
work (neighbrsol/neighbradv specifically); then there's toobig, unreach,
echoreq, echorep, fqdnreq, fqdnrep. See icmp(4) and icmp6(4) for a
full list of icmp types and codes.

Bottom line is, with IPv6 instead of arp that pf(4) cannot currently block,
you have multicast ndp which can be blocked by pf(4), giving you more tools
to shoot yourself in the foot with.

Be sure you test well before assuming a given set of filter rules works ;-)

Also, because IPv6 has link-local, a given router only needs a single global
address per ethernet segment it wishes to advertise router advertisements
(via rtadvd(8)) on. If you are not using rtadvd(8) on a given router, then one
is all you need, regardless of the ethernet segments you are on.  You can
route to link-local addresses just fine.

For example, every he.net tunnelbroker account wastes a whole /64
because it uses the global address on a /64 to route between the remote
and local endpoints on a point to point link. Then it further routes a
/64 to the tunnel endpoint.  It could route to the link local inside the
tunnel, but for whatever reason, they have chosen not to.

I'm told BGP doesn't work this way, but I'll leave those in the know on that
front to describe what I should not claim to understand well.

Also, in my local system, I sometimes would have to ping6(8) the default
route on an IPv6 client for me to access further, but since I've removed
carp and have one router, this has remained until I discovered running
rtsol(8) frequently solved the issue as well.  I'm thinking it might be a
switch issue, but haven't had a chance to isolate the issue further.

Thanks,
--
Todd Fries .. [hidden email]



Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
In reply to this post by Todd T. Fries
On 29/08/13 18:37, Todd T. Fries wrote:

> Penned by Andy on 20130829  9:57.29, we have:
> | Hi everyone,
> |
> | I'm hoping someone can help me as I'm not having much luck with adding
> | IPv6 to the mix of our already working IPv4 setup.
> |
> | What should /etc/hostname.carpX look like for an IPv6 setup? Is this
> | correct;?
> |
> | inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3
> | advskew 0
> | inet6 2a00:7e0:0:a::1 64
>
> Any 'inet6' except the first link local reference in a given hostname.if(4)
> file should be followed by 'alias'.
>
> Aka you need:
>
> inet6 alias 2a00:7e0:0:a::1
>
> The 64 is implicitly default, if you choose to explicitly list it thats ok too.
>  

Hi guys,

Adding the inet6 as an alias didn't work for me.
When the first line is an 'inet' entry, adding an inet6 alias results in
errors when running /etc/netstart :(


And trying;
inet 194.199.X.28 255.255.255.240 NONE
inet6 2001:660:abcd:1234::1:1 64
description "CARP server"
carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass xxxxx

Resulted in multi-master (no flip-flopping but permanently multi-master)
even if I removed the carpdev and carppeer attributes :(


I have tested both of these with PF disabled just in case a rule was
messing things up.
With pf enabled, does this rule satisfy CARP and is it sensible?;
pass in quick proto carp from { fe80::/8 } to { ff00::/8 } keep state
(no-sync)

The only way I have managed to get this to work with 5.3 is separate
carp devices, if I have to run two of course I will, but I would really
like to get it working under one for clarity.


PS; Todd,
Thank you very much for your detailed thoughts on IPv6 regarding
filtering icmp6 and ndp. I really appreciate you taking the time to help.
For ndp is this rule sensible?;
pass quick proto icmp6 from { ff00::/8 } to { ff00::/8 }
I have just set up an he.net tunnel at home ;)


Cheers :)
Andy.


Re: OpenBSD 5.3, CARP and IPv6

Stefan Sperling
On Fri, Aug 30, 2013 at 10:08:56AM +0100, Andy wrote:
> Hi guys,
>
> Adding the inet6 as an alias didn't work for me.
> When the first line is an 'inet' entry, adding an inet6 alias
> results in errors when running /etc/netstart :(

I never had a need to use 'alias' for IPv6 addresses, even
when adding multiple addresses to an interface with ifconfig.

> And trying;
> inet 194.199.X.28 255.255.255.240 NONE
> inet6 2001:660:abcd:1234::1:1 64
> description "CARP server"
> carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass xxxxx
>
> Resulted in multi-master (no flip-flopping but permanently
> multi-master) even if I removed the carpdev and carppeer attributes
> :(

I believe the carpdev needs an address in the same prefix as the carp
interface for things to work, because carp uses that information
to locate the carpdev for sending IPv6 multicast. Does the vlan603
interface have an IPv6 address in prefix 2001:660:abcd:1234::/64?

The config I use looks somewhat like this, and works fine for
both IPv4 and IPv6. Note that the carp peers' em interfaces
are plugged into a common switch and are not filtered by pf.

# cat hostname.em0                              
inet 10.2.84.33 255.255.255.0 NONE
inet6 2001:660:abcd:11::1 64
# cat /etc/hostname.carp0                            
inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10
inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10

And on the slave:
# cat hostname.em0                              
inet 10.2.84.43 255.255.255.0 NONE
inet6 2001:660:abcd:11::11 64
# cat /etc/hostname.carp0                            
inet 10.2.84.46 255.255.255.0 NONE vhid 1 pass xxx advbase 10 advskew 200
inet6 2001:660:abcd:11::14 64 vhid 1 pass xxx advbase 10 advskew 200

Carp multicast traffic is broadcast across the entire LAN.
But it is authenticated so it cannot be spoofed (the password can
be up to 32 chars in length). I see no way around that unless someone
adds 'carppeer' support for IPv6. The carppeer option only works for
IPv4 right now, probably due to lack of time and personal itch.
ip_carp.c:carp_send_ad() would be the place to start hacking.

> I have tested both of these with PF disabled just in case a rule was
> messing things up.
> With pf enabled, does this rule satisfy CARP and is it sensible?;
> pass in quick proto carp from { fe80::/8 } to { ff00::/8 } keep
> state (no-sync)

Carp sends from fe80::/8 to ff02::/8.

If you can link your firewalls via a trusted network you could
probably just 'skip' the carpdev in pf.conf.

> The only way I have managed to get this to work with 5.3 is separate
> carp devices, if I have to run two of course I will, but I would
> really like to get it working under one for clarity.

Not sure why that worked. Hard to tell without knowing how
your other interfaces are configured.
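The tcpdump output in the first post and the pf prefixes argued over in this reply can be checked mechanically. This added example (mine, not from the thread or from OpenBSD) parses the IPv6 CARPv2-advertise lines, tests them against a candidate pass rule's source and destination prefixes, shows what an over-wide prefix such as fe80::/8 really covers, and lists which link-local sources advertised each vhid; the helper names are my own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: three of the IPv6 CARP lines from the tcpdump in the
# original post, joined back onto single lines (the mail wrapped them).
SAMPLE = """\
Aug 29 14:36:56.416736 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe71:f4ca > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=0 demote=33
Aug 29 14:36:57.641021 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
Aug 29 14:37:01.049685 00:00:5e:00:01:01 33:33:00:00:00:12 86dd 90: fe80::a00:27ff:fe88:bc8a > ff02::12: CARPv2-advertise 36: vhid=1 advbase=3 advskew=100 demote=0
"""

# Matches the IPv6 (ethertype 86dd) CARPv2-advertise lines of tcpdump's
# link-level output as shown in the thread.
ADVERT_RE = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:.]+) \S+ \S+ 86dd \d+: "
    r"(?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): CARPv2-advertise \d+: "
    r"vhid=(?P<vhid>\d+) advbase=(?P<advbase>\d+) "
    r"advskew=(?P<advskew>\d+) demote=(?P<demote>\d+)"
)


def parse_adverts(text):
    """Return one dict per IPv6 CARP advertisement found in tcpdump output."""
    adverts = []
    for line in text.splitlines():
        m = ADVERT_RE.match(line)
        if not m:
            continue  # the IPv4 (ethertype 0800) lines show no addresses here
        rec = m.groupdict()
        for field in ("vhid", "advbase", "advskew", "demote"):
            rec[field] = int(rec[field])
        adverts.append(rec)
    return adverts


def effective_prefix(prefix):
    """What a prefix with host bits set really covers: fe80::/8 is fe00::/8."""
    return str(ip_network(prefix, strict=False))


def rule_covers(advert, src_prefix, dst_prefix):
    """Would 'pass proto carp from src_prefix to dst_prefix' match this advert?"""
    return (ip_address(advert["src"]) in ip_network(src_prefix, strict=False)
            and ip_address(advert["dst"]) in ip_network(dst_prefix, strict=False))


def advertisers_per_vhid(adverts):
    """Map each vhid to the sorted link-local sources that advertised it.
    Two sources over a sustained period is what multi-master looks like on the
    wire; a single hand-over, as in the sample, also shows two sources briefly."""
    seen = defaultdict(set)
    for a in adverts:
        seen[a["vhid"]].add(a["src"])
    return {vhid: sorted(srcs) for vhid, srcs in seen.items()}


if __name__ == "__main__":
    adverts = parse_adverts(SAMPLE)
    for rule in (("fe80::/8", "ff00::/8"), ("fe80::/10", "ff02::/16")):
        hits = sum(rule_covers(a, *rule) for a in adverts)
        print(f"from {rule[0]} (really {effective_prefix(rule[0])}) to {rule[1]} "
              f"(really {effective_prefix(rule[1])}): {hits}/{len(adverts)} adverts")
    print("advertisers per vhid:", advertisers_per_vhid(adverts))
```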


Re: OpenBSD 5.3, CARP and IPv6

Stuart Henderson
In reply to this post by Todd T. Fries-2
On 2013-08-29, Todd T. Fries <[hidden email]> wrote:
> Any 'inet6' except the first link local reference in a given hostname.if(4)
> file should be followed by 'alias'.
>
> Aka you need:
>
> inet6 alias 2a00:7e0:0:a::1

"alias" shouldn't be needed for v6; addresses added to an interface are
always treated as additional addresses.


Re: OpenBSD 5.3, CARP and IPv6

Stuart Henderson
In reply to this post by Andy Lemin
On 2013-08-29, Andy <[hidden email]> wrote:
> PS; I don't have MLD capable switches in all locations if that is a
> factor here regarding CARP messages being via IPv6 Multicast.

Not a problem - this just means the frames get flooded to all ports in
the vlan in that case (whereas if your switches could do MLD snooping
then frames going to ports not interested in them would be filtered).
This can be important for high bandwidth multicast (video, disk images,
etc) but shouldn't matter for carp.

>> Or should I have a separate carpX interface for the IPv6?

same interface is fine.


Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
In reply to this post by Stefan Sperling-8
Thank you for all your help guys :)

I finally figured out what I was doing wrong (including one of the
problems being that I forgot to turn on one of the lab switches this
morning (not enough coffee!) ;)

For others, here is what I have done to get IPv6 working so far with one
CARP interface per subnet;

sysctl.conf;
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=3
net.inet6.ip6.forwarding=1
net.inet6.ip6.redirect=0
net.inet6.ip6.accept_rtadv=0

allow carp;
pass quick proto carp from { fe80::/8 } to { ff00::/8 } keep state (no-sync)
allow ndp;
pass quick proto icmp6 from { ff00::/8 } to { ff00::/8 }

/etc/hostname.*;
cat /etc/hostname.em0
inet 18.2.32.11 255.255.255.0
inet6 a00:7e0::b 64

cat /etc/hostname.em1
inet 10.0.10.2 255.255.255.0
inet6 a00:7e0:0:a::2 64

cat /etc/hostname.carp0
inet 18.2.32.10 255.255.255.0 18.2.32.255
inet6 a00:7e0::a 64
carpdev em0 carppeer 18.2.32.12 vhid 201 pass testpass advbase 3 advskew
0 description "WAN"

cat /etc/hostname.carp1
inet 10.0.10.1 255.255.255.0 10.0.10.255
inet6 a00:7e0:0:a::1 64
carpdev em1 carppeer 10.0.10.3 vhid 1 pass testpass advbase 3 advskew 0
description "LAN"

To enable IPv6 on Cisco;
interface GigabitEthernet0/0/1
   ip address 18.2.32.1 255.255.255.0
   ipv6 address a00:7e0::1/64
ipv6 unicast-routing

Cheers, Andy.




Re: OpenBSD 5.3, CARP and IPv6

Todd T. Fries-2
In reply to this post by Andy Lemin
Penned by Andy on 20130830  4:08.56, we have:
| On 29/08/13 18:37, Todd T. Fries wrote:
| >Penned by Andy on 20130829  9:57.29, we have:
| >| Hi everyone,
| >|
| >| I'm hoping someone can help me as I'm not having much luck with adding
| >| IPv6 to the mix of our already working IPv4 setup.
| >|
| >| What should /etc/hostname.carpX look like for an IPv6 setup? Is this
| >| correct;?
| >|
| >| inet 10.0.10.1 255.255.255.0 10.0.10.255 vhid 1 pass temppass advbase 3
| >| advskew 0
| >| inet6 2a00:7e0:0:a::1 64
| >
| >Any 'inet6' except the first link local reference in a given hostname.if(4)
| >file should be followed by 'alias'.
| >
| >Aka you need:
| >
| >inet6 alias 2a00:7e0:0:a::1
| >
| >The 64 is implicitly default, if you choose to explicitly list it thats ok too.
|
| Hi guys,
|
| Adding the inet6 as an alias didn't work for me.
| When the first line is an 'inet' entry, adding an inet6 alias
| results in errors when running /etc/netstart :(
|
|
| And trying;
| inet 194.199.X.28 255.255.255.240 NONE
| inet6 2001:660:abcd:1234::1:1 64
| description "CARP server"
| carpdev vlan603 vhid 62 advskew 1 carppeer 194.199.X.29 pass xxxxx
|
| Resulted in multi-master (no flip-flopping but permanently
| multi-master) even if I removed the carpdev and carppeer attributes
| :(

Realize you have to do the exact same config on both hosts at the same
time.

I usually either manually type the same ifconfig commands on both hosts
and press enter in two nearby windows rapidly in succession.  Editing the
hostname.carpX to match for reboot is also useful.  If you're in testing
mode simply 'ifconfig carp0 down destroy; sh /etc/netstart carp0' on both
in rapid succession can also be an option.

Just remember, the key with carp is that all of the addresses on the carp
interface build up into a hash that must match the `other' system or both
systems will think they have a different config and you'll be stuck scratching
your head in permanent multi master mode, as you described above.
 
| I have tested both of these with PF disabled just in case a rule was
| messing things up.
| With pf enabled, does this rule satisfy CARP and is it sensible?;
| pass in quick proto carp from { fe80::/8 } to { ff00::/8 } keep
| state (no-sync)
|
| The only way I have managed to get this to work with 5.3 is separate
| carp devices, if I have to run two of course I will, but I would
| really like to get it working under one for clarity.
|
|
| PS; Todd,
| Thanks you very much for your detailed thoughts on IPv6 regarding
| filtering icmp6, ndp. Really appreciate your time to help.
| For ndp is this rule sensible?;
| pass quick proto icmp6 from { ff00::/8 } to { ff00::/8 }
| I have just set-up an he.net tunnel at home ;)

Do some tcpdump on pflog0 if you block other icmp6 codes (though I am an
advocate of universally enabling {echo,fqdn}{req,reply} .. if you have
abusers, block them via an overload rule or something, but permit
yourself the time proven luxury of 'ping6 host' to confirm it's up from
wherever).

I think you'll find some { global, link local } <-> { fe80::/16,
ff02::/16 } activity. (Yes, I just realized /8 is the wrong prefixlen for
the link local multicast and address space.)
 
Thanks,
--
Todd Fries .. [hidden email]

 ____________________________________________
|                                            \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com            \  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113-2169 \  sip:[hidden email]
| "..in support of free software solutions." \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt
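To illustrate the "hash that must match" point above, and Stefan's earlier remark that advertisements are authenticated with the password, here is an added model (mine; not ip_carp.c and not its byte layout) of the keyed digest: HMAC-SHA1 over the vhid, protocol version, advertisement type and the sorted address list, keyed with the password. The function names are this example's own and the sample addresses are taken from Andy's carp1 configuration.

```python
import hashlib
import hmac
from ipaddress import ip_address


def carp_digest(password, vhid, addresses, version=2, advert_type=1):
    """Model of the advertisement HMAC: every address configured on the carp
    interface (IPv4 first, then IPv6, each in numeric order) is mixed into the
    keyed hash, so two peers only agree when their address lists are identical.
    The byte layout is this example's own; only the ingredients follow CARP."""
    mac = hmac.new(password.encode(), digestmod=hashlib.sha1)
    mac.update(bytes([version, advert_type, vhid]))
    for addr in sorted((ip_address(a) for a in addresses),
                       key=lambda a: (a.version, a.packed)):
        mac.update(addr.packed)
    return mac.hexdigest()


def build_advert(password, vhid, addresses, advskew, advbase=3):
    """What a master puts on the wire: parameters in the clear plus the digest."""
    return {"vhid": vhid, "advbase": advbase, "advskew": advskew,
            "digest": carp_digest(password, vhid, addresses)}


def state_after_advert(password, vhid, addresses, my_advskew, advert):
    """Decide MASTER/BACKUP on hearing a peer's advertisement, recomputing the
    expected digest from nothing but the receiver's own configuration."""
    if advert["vhid"] != vhid:
        return "MASTER"  # another group's advert, not ours to act on
    expected = carp_digest(password, vhid, addresses)
    if not hmac.compare_digest(expected, advert["digest"]):
        return "MASTER"  # unauthenticated advert is dropped: no peer is "heard"
    if advert["advskew"] < my_advskew:
        return "BACKUP"  # a better master is alive; ties are left to the real
    return "MASTER"      # protocol's timing comparison, which this model omits


if __name__ == "__main__":
    master = ["10.0.10.1", "a00:7e0:0:a::1"]          # Andy's carp1 addresses
    adv = build_advert("testpass", 1, master, advskew=0)
    print("matching peer :", state_after_advert("testpass", 1, master, 100, adv))
    print("missing inet6 :", state_after_advert("testpass", 1, ["10.0.10.1"], 100, adv))
    print("wrong password:", state_after_advert("wrongpass", 1, master, 100, adv))
```

A peer whose address list differs by even one entry rejects every advertisement and stays MASTER alongside the real master, which is the permanent multi-master described in this thread.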


Re: OpenBSD 5.3, CARP and IPv6

Stuart Henderson
In reply to this post by Andy Lemin
On 2013-08-30, Andy <[hidden email]> wrote:
> cat /etc/hostname.carp0
> inet 18.2.32.10 255.255.255.0 18.2.32.255
> inet6 a00:7e0::a 64
> carpdev em0 carppeer 18.2.32.12 vhid 201 pass testpass advbase 3 advskew
> 0 description "WAN"

hmm, I wonder if we should extend the description of carppeer in
ifconfig(8) to make it clear that it's only for v4...


Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
Hi Stuart, yea I realised that after, it's also implied I guess as it's
using an IPv4 address after all.

I will probably remove it as I didn't need it for IPv4 before. I was
just trying everything I thought might be relevant to get it working
when the real problem was not setting up my test environment properly...

Considering the differences between v4 and v6 (ndp etc), would carppeer
be more useful for v6 (I know it is currently v4 only)?

I would prefer to not have to use carppeer as it is another thing to
manage and configure correctly, but my priority is stability and
speed (does it improve the speed of CARP setup/detection etc)?

Thanks for your help :) Andy




Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
Hi, one last question.

I am reading through lots of examples and documentation on OpenBSD and v6
and most seem to refer to adding the v6 address to /etc/hostname.X as an
'alias', e.g.;
inet 10.0.0.1 255.255.255.0
inet6 alias fec0:2029:f001:128::40 64

I have our test setup working now without the 'alias' directive, so should
it have an 'alias' or not?

I cannot see that it should, as it's not an inet alias. The interface has
one inet, and one inet6.

If there were any additional inet or inet6 lines then those lines should
have the alias directive, but why should the first inet6 have an 'alias'
when it is not an alias address to the v4 address?

Sorry to obsess about the details on this but want to get this completely
correct in the eyes of the developers?

Cheers, Andy.





Re: OpenBSD 5.3, CARP and IPv6

Todd T. Fries-2
Penned by andy on 20130904 15:21.22, we have:
| Hi, one last question.
|
| I am reading through lots of examples and documentation on OpenBSD and v6
| and most seem to refer to adding the v6 address to /etc/hostname.X as an
| 'alias', e.g.;
| inet 10.0.0.1 255.255.255.0
| inet6 alias fec0:2029:f001:128::40 64
|
| I have our test setup working now without the 'alias' directive, so should
| it have an 'alias' or not?
|
| I cannot see that it should, as its not an inet alias. The interface has
| one inet, and one inet6.
|
| If there were any additional inet or inet6 lines then those lines should
| have the alias directive, but why should the first inet6 have an 'alias'
| when it is not an alias address to the v4 address?
|
| Sorry to obsess about the details on this but want to get this completely
| correct in the eyes of the developers?
|
| Cheers, Andy.

At one point itojun@ had told me that the first IPv6 address is the link
local, all others are aliases.  ifconfig(8) would actually warn if you
did not use the 'alias' syntax when there was an existing address.  This
warning has subsequently been removed.

It has been since stated in this thread that 'ifconfig X inet6 2001:db8::1'
unconditionally adds that as an alias.

Note this is different than the IPv4 case where without an alias it would
remove the first IPv4 address while adding the new address to the end of
the interface list of addresses.

So it would seem 'inet6 alias 2001:db8::1' is not needed.  Experimenting
confirms this is the case.

My $.02 is that we should remove all mention of 'inet6 alias' in hostname.if(5)
while retaining the ability to handle it (e.g. in /etc/netstart).

Thanks,
 


Re: OpenBSD 5.3, CARP and IPv6

Andy Lemin
On 04/09/13 21:33, Todd T. Fries wrote:

> Penned by andy on 20130904 15:21.22, we have:
> | Hi, one last question.
> |
> | I am reading through lots of examples and documentation on OpenBSD and v6
> | and most seem to refer to adding the v6 address to /etc/hostname.X as an
> | 'alias', e.g.;
> | inet 10.0.0.1 255.255.255.0
> | inet6 alias fec0:2029:f001:128::40 64
> |
> | I have our test setup working now without the 'alias' directive, so should
> | it have an 'alias' or not?
> |
> | I cannot see that it should, as its not an inet alias. The interface has
> | one inet, and one inet6.
> |
> | If there were any additional inet or inet6 lines then those lines should
> | have the alias directive, but why should the first inet6 have an 'alias'
> | when it is not an alias address to the v4 address?
> |
> | Sorry to obsess about the details on this but want to get this completely
> | correct in the eyes of the developers?
> |
> | Cheers, Andy.
>
> At one point itojun@ had told me that the first IPv6 address is the link
> local, all others are aliases.  ifconfig(8) would actually warn if you
> did not use the 'alias' syntax when there was an existing address.  This
> warning has subsequently been removed.

Ahhh, that makes perfect sense! Thank you very much :)
