https://agora.nasqueron.org/api.php?action=feedcontributions&feedformat=atom&user=YousraNasqueron Agora - User contributions [en]2026-04-08T17:46:53ZUser contributionsMediaWiki 1.46.0-alphahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2514Operations grimoire/Deploy with Terraform2026-03-29T18:27:37Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt. <br />
<br />
The Vault Secrets may need to be rotated, so we need a simple way to propagate<br />
updated credentials to routers. This is enabled by the mechanism<br />
introduced in D4026.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2513Operations grimoire/Deploy with Terraform2026-03-29T15:11:03Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt. This done easily thanks to Linked to {{D|4026}}.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2512Operations grimoire/Deploy with Terraform2026-03-29T15:04:21Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt. This done easily thanks to Linked to {{D|4026}}.<br />
<br />
<br />
<br />
When rotating the secrets OVH :<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2511Operations grimoire/Deploy with Terraform2026-03-29T15:02:37Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt. This done easily thanks to Linked to {{D|4026}}.<br />
<br />
<br />
When rotating Vault secrets managed through Terraform:<br />
<br />
* Terraform must be applied again to update them in Vault<br />
* if Vault AppRole credentials are changed, they must also be propagated to the routers using Salt<br />
<br />
When rotating the secrets OVH :<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2510Operations grimoire/Deploy with Terraform2026-03-29T15:01:12Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt. This done thanks to Linked to {{D|4026}}<br />
<br />
<br />
When rotating Vault secrets managed through Terraform:<br />
<br />
* Terraform must be applied again to update them in Vault<br />
* if Vault AppRole credentials are changed, they must also be propagated to the routers using Salt<br />
<br />
When rotating the secrets OVH :<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2509Protocol CARP2026-03-29T15:00:53Z<p>Yousra: /* ESXI and CARP */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer, a counter<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Above all IPsec (security added in a classic tunnel) protects unicast traffic, it does not protect (or protects very poorly) multicast traffic. So if we want CARP to be used with IPsec, peer is an excellent choice.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
<br />
We see that the Master router-003 sends advertissements to router-002.nasqueron.org/178.32.70.110 <br />
[[ File:Peer.png ]]<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
https://www.kernel-panic.it/openbsd/carp/carp4.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2508Operations grimoire/Deploy with Terraform2026-03-29T14:34:51Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
<br />
When rotating the secrets OVH :<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2507Operations grimoire/Deploy with Terraform2026-03-29T14:33:57Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
<br />
When rotating the secrets Vault or OVH :<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2506Operations grimoire/Deploy with Terraform2026-03-29T14:33:11Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Vault secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating the secrets:<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2505Operations grimoire/Deploy with Terraform2026-03-29T14:29:49Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating the secrets:<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2504Operations grimoire/Deploy with Terraform2026-03-29T14:24:27Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP). The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
The AppRole credentials (role_id and secret_id) used by the script are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
These are provisioned via Terraform and deployed to the routers using Salt.<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
* Salt states must be re-applied to propagate updated AppRole credentials to the routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2503Operations grimoire/Deploy with Terraform2026-03-29T14:22:45Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003. <br />
The script authenticates to Vault using AppRole (via secretsmith) to retrieve them.<br />
<br />
They are then used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP).<br />
<br />
The AppRole credentials (role_id and secret_id) used by the routers are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
These are provisioned via Terraform and deployed to the routers using Salt.<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
* Salt states must be re-applied to propagate updated AppRole credentials to the routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2502Operations grimoire/Deploy with Terraform2026-03-29T14:21:13Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003 using AppRole authentication (via secretsmith). <br />
They are used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP).<br />
<br />
The AppRole credentials (role_id and secret_id) used by the routers are stored in:<br />
<br />
'''ops/secrets/network/router/vault'''<br />
<br />
These are provisioned via Terraform and deployed to the routers using Salt.<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
* Salt states must be re-applied to propagate updated AppRole credentials to the routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2501Operations grimoire/Deploy with Terraform2026-03-29T14:20:50Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
apps/network/carp-hyper-001-switch<br />
<br />
These credentials are accessed by router-002 and router-003 using AppRole authentication (via secretsmith). <br />
They are used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP).<br />
<br />
The AppRole credentials (role_id and secret_id) used by the routers are stored in:<br />
<br />
ops/secrets/network/router/vault<br />
<br />
These are provisioned via Terraform and deployed to the routers using Salt.<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
<br />
* Terraform must be applied again to update the secrets in Vault<br />
* Salt states must be re-applied to propagate updated AppRole credentials to the routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials or expired Vault authentication.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2500Operations grimoire/Deploy with Terraform2026-03-29T14:19:11Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003 and are used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP, that is using AppRole authentication (via secretsmith),<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
* Terraform must be applied again<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2499Operations grimoire/Deploy with Terraform2026-03-29T14:17:06Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003 and are used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP, that is using AppRole authentication (via secretsmith),<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
* Terraform must be applied again<br />
* Salt states must be re-applied to update the configuration on routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2498Operations grimoire/Deploy with Terraform2026-03-29T14:09:45Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by router-002 and router-003 that are using AppRole authentication (via secretsmith), and are used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP).<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
* Terraform must be applied again<br />
* Salt states must be re-applied to update the configuration on routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2497Operations grimoire/Deploy with Terraform2026-03-29T14:08:58Z<p>Yousra: /* CARP OVH secrets usage */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
'''apps/network/carp-hyper-001-switch'''<br />
<br />
These credentials are accessed by routers using AppRole authentication (via secretsmith), and are used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP).<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
* Terraform must be applied again<br />
* Salt states must be re-applied to update the configuration on routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Operations_grimoire/Deploy_with_Terraform&diff=2496Operations grimoire/Deploy with Terraform2026-03-29T14:00:31Z<p>Yousra: /* Propagate secrets (DRP) */</p>
<hr />
<div>== Where to work? ==<br />
We deploy from [[Complector]] using <code>/opt/salt/nasqueron-operations</code> as our local copy of rOPS, authoritative for both Salt and Terraform<br />
<br />
You need to belong to the <code>ops</code> group to be able to have access and have write-rights on the repository<br />
<br />
It's important to work from there to save a shared Terraform state.<br />
<br />
== Specific deployment notes ==<br />
=== Vault / OpenBao ===<br />
==== General notes ====<br />
;OpenTofu support<br />
As of 2026-02-07, the Vault provider isn't compiled for FreeBSD. You need to use Terraform instead.<br />
<br />
;Vault<br />
You need a Vault token to allow the provider to connect.<br />
<br />
You also need to set VAULT_ADDR to https://172.27.27.7:8200 as Vault doesn't listen on 127.0.0.1<br />
<br />
<syntaxhighlight lang="shell"><br />
$ export VAULT_ADDR=https://172.27.27.7:8200<br />
$ sudo /opt/salt/nasqueron-operations/utils/vault/issue-admin-token.py > ~/.vault-token<br />
<br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
</syntaxhighlight><br />
<br />
It could be interesting to maintain an alternative policy to admin for the Terraform provider, restricted to the current actions. Note benefits would be limited as those include policies management.<br />
<br />
==== Propagate secrets (DRP) ====<br />
;No automatic secret rotation<br />
Secrets rotation is disabled with a lifecycle management <code>ignore_changes = [ secret_id, ]</code>.<br />
<br />
To rotate a secret, it needs first to be destroyed from terraform state:<br />
<code>terraform destroy -target=module.viperserv_approle.vault_approle_auth_backend_role_secret_id.this</code><br />
<br />
;Full procedure <br />
Once the AppRole have been created in Vault, they need to be provisioned to the relevant configuration files.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ cd /opt/salt/nasqueron-operations/terraform/openbao<br />
$ terraform init # if you've a new entry requiring a module, it needs to be installed<br />
$ terraform plan<br />
$ terraform apply<br />
<br />
$ cd /opt/salt/nasqueron-operations<br />
$ salt windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config<br />
$ salt windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config<br />
# Missing for router<br />
</syntaxhighlight><br />
<br />
<div class="alert">Important. Each time you'll reprovision the secrets, they will change.<br />
<br />
Don't forget to always apply this full procedure.<br />
</div><br />
<br />
=== CARP OVH secrets usage ===<br />
<br />
The OVH credentials used by the CARP failover script are stored in Vault at:<br />
<br />
apps/network/carp-hyper-001-switch<br />
<br />
These credentials are accessed by routers using AppRole authentication (via secretsmith), and are used by a script triggered by devd to update the OVH failover IP MAC address depending on the CARP state (MASTER/BACKUP).<br />
<br />
Secrets are provisioned using Terraform (openbao module), and must be propagated to the routers using Salt.<br />
<br />
When rotating these secrets:<br />
* Terraform must be applied again<br />
* Salt states must be re-applied to update the configuration on routers<br />
<br />
Failing to do so may cause CARP failover to break due to invalid OVH credentials.<br />
<br />
== Table of Terraform states ==<br />
<br />
{| class="wikitable"<br />
|+ Terraform and OpenBao states<br />
|-<br />
! Configuration !! State back-end !! Path !! Software to use<br />
|-<br />
| openbao || On disk || /opt/salt/nasqueron-operations/terraform/openbao/terraform.tfstate || Terraform<br />
|}<br />
<br />
On disk paths are stored in Complector.<br />
<br />
== Troubleshoot ==<br />
=== Error: Module not installed ===<br />
<br />
You need to run <code>tofu init</code> to prepare for any new provider.<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu plan<br />
<br />
│ Error: Module not installed<br />
│ <br />
│ on rhyne_wyse.tf line 23:<br />
│ 23: module "rhyne_wyse_approle" {<br />
│ <br />
│ This module is not yet installed. Run "tofu init" to install all modules required by this configuration.<br />
</syntaxhighlight><br />
<br />
=== Error: Incompatible provider version ===<br />
<br />
<syntaxhighlight lang="shell"><br />
$ tofu init<br />
<br />
Initializing the backend...<br />
Initializing modules...<br />
- rhyne_wyse_approle in modules/app_credentials<br />
<br />
Initializing provider plugins...<br />
- Finding hashicorp/vault versions matching "5.3.0"...<br />
╷<br />
│ Error: Incompatible provider version<br />
│ <br />
│ Provider registry.opentofu.org/hashicorp/vault v5.3.0 does not have a package available for your current platform, freebsd_amd64.<br />
│ <br />
│ Provider releases are separate from OpenTofu CLI releases, so not all providers are available for all platforms. Other versions of this provider may have different platforms supported.<br />
</syntaxhighlight><br />
<br />
On OpenTofu, some modules are only compiled for Linux, not for FreeBSD.<br />
Switch to Terraform pending a solution to help the OpenTofu builds.<br />
<br />
[[Category:Operations grimoire]]<br />
[[Category:Terraform]]</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2491Protocol CARP2026-03-22T20:24:31Z<p>Yousra: </p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer, a counter<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Above all IPsec (security added in a classic tunnel) protects unicast traffic, it does not protect (or protects very poorly) multicast traffic. So if we want CARP to be used with IPsec, peer is an excellent choice.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
<br />
We see that the Master router-003 sends advertissements to router-002.nasqueron.org/178.32.70.110 <br />
[[ File:Peer.png ]]<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
https://www.kernel-panic.it/openbsd/carp/carp4.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
== ESXI and CARP ==<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2482Protocol CARP2026-03-18T08:16:16Z<p>Yousra: /* Peer */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer, a counter<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Above all IPsec (security added in a classic tunnel) protects unicast traffic, it does not protect (or protects very poorly) multicast traffic. So if we want CARP to be used with IPsec, peer is an excellent choice.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
<br />
We see that the Master router-003 sends advertissements to router-002.nasqueron.org/178.32.70.110 <br />
[[ File:Peer.png ]]<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
https://www.kernel-panic.it/openbsd/carp/carp4.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2481Protocol CARP2026-03-18T08:14:38Z<p>Yousra: /* Peer */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer, a counter<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Also IPsec (security added in a classic tunnel) protects unicast traffic, it does not protect (or protects very poorly) multicast traffic. So if we want CARP to be used with IPsec, peer is an excellent choice.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
<br />
We see that the Master router-003 sends advertissements to router-002.nasqueron.org/178.32.70.110 <br />
[[ File:Peer.png ]]<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
https://www.kernel-panic.it/openbsd/carp/carp4.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2480Protocol CARP2026-03-17T08:26:47Z<p>Yousra: /* Master Election Process */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer, a counter<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
<br />
We see that the Master router-003 sends advertissements to router-002.nasqueron.org/178.32.70.110 <br />
[[ File:Peer.png ]]<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
https://www.kernel-panic.it/openbsd/carp/carp4.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2479Protocol CARP2026-03-16T21:39:21Z<p>Yousra: /* Peer */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
<br />
We see that the Master router-003 sends advertissements to router-002.nasqueron.org/178.32.70.110 <br />
[[ File:Peer.png ]]<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
https://www.kernel-panic.it/openbsd/carp/carp4.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2478Protocol CARP2026-03-16T21:35:40Z<p>Yousra: /* Peer */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
<br />
We see that the Master router-003 sends advertissements to router-002.nasqueron.org/178.32.70.110 <br />
[[ File:Peer.png ]]<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=File:Peer.png&diff=2477File:Peer.png2026-03-16T21:33:07Z<p>Yousra: </p>
<hr />
<div></div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2476Protocol CARP2026-03-16T21:28:14Z<p>Yousra: /* Preemption */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Peer ==<br />
<br />
By default, CARP uses multicast to send advertisements. However, multicast traffic can be filtered, restricted and so unreliable. Configuring CARP to use unicast advertisements between peers can help ensure more stable and predictable high-availability operation.<br />
<br />
In addition to that, using CARP in unicast mode can be appropriate in a two-router topology, as communication only needs to occur between 2 specific peers.<br />
<br />
Router-002 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.111 alias 51.68.252.230/32"'''<br />
<br />
Router-003 : <br />
<br />
'''ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass seediez7ae7LooFevohshae4oot0EeR peer 178.32.70.110 alias 51.68.252.230/32"'''<br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?query=carp<br />
<br />
https://docs.opnsense.org/manual/how-tos/carp.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2475Protocol CARP2026-03-16T13:41:59Z<p>Yousra: /* Preemption */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
https://vincentdelft.be/post/post_20241115<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2474Protocol CARP2026-03-16T13:35:27Z<p>Yousra: /* Preemption */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role or if the real Master was restart after. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2473Protocol CARP2026-03-16T13:34:28Z<p>Yousra: </p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Preemption ==<br />
<br />
In fact, after some research, I discovered that on FreeBSD, the preemption behavior of CARP (Common Address Redundancy Protocol) is controlled by the kernel parameter net.inet.carp.preempt. This parameter allows a router with a higher priority (a lower advskew) to become MASTER, even if another router is already active in that role. To check if preemption is enabled, you can use the command : <br />
<br />
'''sysctl net.inet.carp.preempt'''<br />
<br />
If the returned value is 0, preemption is disabled, and the currently MASTER router will retain that role as long as it continues to send its CARP advertisements. <br />
<br />
To temporarily enable preemption, simply run : '''sysctl net.inet.carp.preempt=1'''. <br />
<br />
To make this behavior permanent, you must add the line '''net.inet.carp.preempt=1''' to the /etc/sysctl.conf file. <br />
<br />
Sources : <br />
<br />
https://man.freebsd.org/cgi/man.cgi?carp(4)<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2472Protocol CARP2026-03-13T11:30:11Z<p>Yousra: /* Introduction and history */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later implemented directly in the kernel of other BSD systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2471Protocol CARP2026-03-12T10:03:21Z<p>Yousra: /* Master Election Process */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority.<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the CARP priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2470Protocol CARP2026-03-09T20:49:49Z<p>Yousra: </p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Address Multicast CARP ==<br />
<br />
In the Common Address Redundancy Protocol (CARP), routers communicate with each other using a multicast address. CARP advertisements are sent to the IPv4 multicast address '''224.0.0.18''', which allows all routers participating in the CARP group to receive the messages simultaneously. At the Ethernet level, this multicast IP address corresponds to the multicast MAC address '''01:00:5e:00:00:12'''.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2469Protocol CARP2026-03-09T20:40:01Z<p>Yousra: /* ESXI and CARP */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the Master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the Master router. When a failover occurs, the Backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2468Protocol CARP2026-03-09T20:32:17Z<p>Yousra: /* ESXI and CARP */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the master router. When a failover occurs, the backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2467Protocol CARP2026-03-09T20:30:39Z<p>Yousra: /* ESXI and CARP */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the master router. When a failover occurs, the backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Sources : <br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2466Protocol CARP2026-03-09T20:30:23Z<p>Yousra: /* ESXI and CARP */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the master router. When a failover occurs, the backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Sources : <br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
Linked to {{T|2227}}</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2465Protocol CARP2026-03-09T20:06:20Z<p>Yousra: /* ESXI and CARP */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the master router. When a failover occurs, the backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
Linked to {{T|2227}}<br />
<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2464Protocol CARP2026-03-09T20:06:08Z<p>Yousra: /* Automatic blue/green deployment */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the master router. When a failover occurs, the backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2463Protocol CARP2026-03-09T20:05:45Z<p>Yousra: /* ESXI and CARP */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== ESXI and CARP ==<br />
<br />
When using Common Address Redundancy Protocol in a virtualized environment such as VMware ESXi, specific security settings must be adjusted on the virtual switch. CARP relies on the use of a virtual MAC address that can move between routers depending on which device is currently the master. However, ESXi applies strict security policies by default to prevent virtual machines from sending or receiving traffic with unexpected MAC addresses. To ensure that CARP functions correctly, three settings must be enabled on the vSwitch or port group.<br />
<br />
First, '''Promiscuous Mode''' must be enabled. This allows a virtual machine to receive all frames circulating on the virtual network, even if the destination MAC address does not match the interface’s MAC address. This is important for CARP because routers must receive multicast advertisements sent to the CARP group.<br />
<br />
Second, '''MAC Address Changes''' must be allowed. CARP dynamically assigns a virtual MAC address to the master router. When a failover occurs, the backup router must adopt this same virtual MAC address. If ESXi blocks MAC address changes, the router will not be able to assume the virtual MAC address and the failover mechanism will fail.<br />
<br />
Finally, '''Forged Transmits''' must also be permitted. This option allows a virtual machine to send frames with a source MAC address different from the one originally assigned to the virtual network interface. Since CARP advertisements and ARP responses are sent using the virtual MAC address rather than the physical interface MAC address, this setting is required to allow those frames to be transmitted correctly.<br />
<br />
Together, these three settings ensure that CARP redundancy mechanisms operate properly in a virtualized ESXi network environment.<br />
<br />
Configuration to enable "Promiscuous Mode", “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
<br />
<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2462Protocol CARP2026-03-09T19:51:06Z<p>Yousra: /* Distribute traffic */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== ESXI and CARP ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2461Protocol CARP2026-03-09T19:49:07Z<p>Yousra: /* Priority vs advskew. */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the Master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the Master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the Master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in Backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the Master or Backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2460Protocol CARP2026-03-09T19:48:16Z<p>Yousra: </p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the master or backup role. However, advskew can also be called "CARP priority".<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2459Protocol CARP2026-03-09T19:47:09Z<p>Yousra: /* Priority vs advskew. */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the master or backup role. However, advskew can also be called "CARP priority".<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2458Protocol CARP2026-03-09T19:39:11Z<p>Yousra: /* Virtual Mac Address */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the vhid2 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the master or backup role.<br />
<br />
<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2457Protocol CARP2026-03-09T19:17:27Z<p>Yousra: /* Virtual Mac Address */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the VIP 51.68.252.230 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the master or backup role.<br />
<br />
<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2456Protocol CARP2026-03-09T19:17:11Z<p>Yousra: /* Virtual Mac Address */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the VIP 51.68.252.230 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the master or backup role.<br />
<br />
<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2455Protocol CARP2026-03-09T19:16:16Z<p>Yousra: /* Virtual Mac Address */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
We can see here that the virtual mac address associated to the VIP 51.68.252.230 is : 00:00:5e:00:01:02 (02 at the end for vhid2)<br />
<br />
'''command : tcpdump -e -ni vmx1 proto 112'''<br />
[[ File:Virtual-mac.png ]]<br />
<br />
✔ The CARP virtual MAC address is visible.<br />
❌ The virtual IP address (VIP) is not visible as the source.<br />
<br />
In CARP advertisements, the Ethernet source address corresponds to the virtual CARP MAC address derived from the VHID. However, the IP source address is the physical IP address of the router sending the advertisement. The virtual IP address (VIP) is not used as the source IP in these control packets. Instead, the VIP is used for normal traffic between clients and the virtual gateway.<br />
<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the master or backup role.<br />
<br />
<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousrahttps://agora.nasqueron.org/index.php?title=File:Virtual-mac.png&diff=2454File:Virtual-mac.png2026-03-09T17:38:58Z<p>Yousra: </p>
<hr />
<div></div>Yousrahttps://agora.nasqueron.org/index.php?title=Protocol_CARP&diff=2453Protocol CARP2026-03-09T17:26:46Z<p>Yousra: /* Basic configuration */</p>
<hr />
<div>== Introduction and history ==<br />
<br />
« CARP stands for Common Address Redundancy Protocol and its basic functionality is to allow multiple hosts to share a set of IP addresses ».<br />
<br />
CARP was developed by the OpenBSD project in 2003 as an alternative to VRRP due to patent concerns related to Cisco's HSRP technology. To avoid potential legal issues and remain compatible with open-source principles, OpenBSD implemented its own redundancy protocol with added cryptographic features. CARP was later adopted by other systems such as FreeBSD and NetBSD. A userland implementation of CARP, named ucarp, made the protocol usable on Linux without requiring kernel integration.<br />
<br />
These patent concerns originated from the development of VRRP by the Internet Engineering Task Force (IETF). Indeed, when the Internet Engineering Task Force (IETF) developed the Virtual Router Redundancy Protocol (VRRP), Cisco Systems indicated that it owned patents related to router redundancy mechanisms used in the protocol Hot Standby Router Protocol (HSRP). This created a legal risk for developers, particularly for open-source projects that wanted to implement VRRP freely.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master host and backup hosts ==<br />
<br />
CARP creates a redundancy group, meaning several hosts are configured to share a virtual IP address. However, at any given time, only one host uses the shared IP address. This host is called the Master host and it receives and handles all traffic destined to that virtual IP.<br />
<br />
When the Master host becomes unavailable (it crashed, turned off, or lost its network connection), the other hosts in the same redundancy group detect the failure. Immediately, one of the Backup hosts is elected as the new Master host. That means that it will take over the shared IP address.<br />
<br />
This switch happens automatically, ensuring service continuity without clients noticing any interruption.<br />
<br />
[[File:Schema redondance routeurs.png]]<br />
<br />
Sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
== CARP advertisements ==<br />
<br />
- The Master host periodically broadcasts CARP advertisements to the backup hosts.<br />
<br />
- The Backup hosts listen but do not send any packets.<br />
<br />
<br />
'''Each CARP advertisement contains :''' <br />
<br />
1. The CARP version and packet type (CARP Header).<br />
<br />
2. The VHID (Virtual Host ID), which identifies the redundancy group (CARP Header).<br />
<br />
3. The advertisement parameters (advbase and advskew), which determine the host’s priority CARP (CARP Header).<br />
<br />
4. The counter<br />
<br />
5. The signature in SHA-1<br />
<br />
<br />
'''CARP Advertisement Packet Format :'''<br />
<br />
Each line represent 32 bits, 4 bytes<br />
<br />
Length : 36 bytes<br />
<br />
<pre><br />
/*<br />
* The CARP header layout is as follows:<br />
*<br />
* 0 1 2 3<br />
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* |Version| Type | VirtualHostID | AdvSkew | Auth Len |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Demotion | AdvBase | Checksum |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | Counter (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (1) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (2) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (3) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (4) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
* | SHA-1 HMAC (5) |<br />
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />
*<br />
*/<br />
</pre><br />
<br />
<br />
'''commande : tcpdump -i <interface> proto 112'''<br />
<br />
[[ File:Carp-advertissement.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://github.com/openbsd/src/blob/master/sys/netinet/ip_carp.h<br />
<br />
== Cryptography ==<br />
<br />
'''All CARP advertisements are cryptographically signed :'''<br />
<br />
Steps : <br />
<br />
1. The Master host creates an advertisement.<br />
<br />
2. It calculates a cryptographic signature, a SHA-1 hash using:<br />
<br />
* the shared secret,<br />
<br />
* the VHID,<br />
<br />
* the virtual IP address,<br />
<br />
* the advertisement parameters (advbase and advskew),<br />
<br />
* the counter<br />
<br />
* and other header fields.<br />
<br />
3. It then sends the signed advertisement.<br />
<br />
4. The Backup hosts receives the signed advertisement.<br />
<br />
5. Each Backup host recalculates the signature using the same shared secret : <br />
<br />
- If the calculated signature matches the received signature → the packet is considered valid because authentication and integrity are insured.<br />
<br />
- If it does not match → the packet is rejected.<br />
<br />
It protects against spoofing attacks : without cryptographic authentication, an attacker could send fake CARP advertisements and attempt to pretend to be or to become the Master host.<br />
<br />
<br />
'''command : tcpdump -X -ni <interface> proto 112'''<br />
<br />
We can observe the complete packet in the capture. Each hexadecimal value represents two bytes. The first 20 bytes correspond to the IP header, while the last 20 bytes correspond to the SHA-1 authentication hash included in the CARP advertisement.<br />
<br />
[[ File:Sha1-signature.png ]]<br />
<br />
Sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://www.giac.org/paper/gsec/4031/carp-free-fail-over-protocol/106433<br />
<br />
== IP protocol number ==<br />
<br />
CARP uses the same IP protocol number as VRRP (112). As a result, packet capture tools such as tcpdump interpret CARP packets as VRRP advertisements like we see above, even though the packets actually belong to the CARP protocol.<br />
<br />
Why ??<br />
The OpenBSD developers initially requested unique identifiers from the Internet Assigned Numbers Authority (IANA), but the request was denied because they had not followed the IETF standardization process. As a result, they chose to use protocol number 112, which was already assigned to VRRP. Despite this overlap, VRRP and CARP can coexist on the same network as long as their identifiers (VRRP group ID and CARP VHID) are different.<br />
<br />
Sources : <br />
<br />
https://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol<br />
<br />
== Multiple VHID : Distribute traffic ==<br />
<br />
Using multiple VHIDs in CARP allows several virtual IP addresses to be managed separately. This means different hosts can be Master for different services. For example, one host can manage the web service, while another manages the DNS service. Thanks to this, the hosts can be used efficiently while still ensuring high availability. It would not be practical to use a machine only when the other machine is not responding.<br />
<br />
sources : <br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Split-brain ==<br />
<br />
Normally:<br />
* one Master<br />
<br />
* one or several Backups<br />
<br />
If the Master host stops sending advertisements, the Backup hosts know that the master is no longer reachable. However, a problem can occur if the Backup hosts stop receiving each other's advertisements because the link between them is broken. In that case, each node may assume it is the Master.<br />
<br />
When communication is restored, CARP resolves the problem:<br />
<br />
1. The Masters can see each other<br />
2. The real Master send the packet<br />
3. The hosts compare CARP priority<br />
4. The hosts with lower priority automatically switch back to Backup<br />
<br />
sources :<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
== Master Election Process ==<br />
<br />
1. All hosts start<br />
<br />
All hosts begin in BACKUP state.<br />
<br />
2. Each host starts a timer<br />
<br />
* The delay depends on the CARP priority (advskew).<br />
<br />
* The lower the advskew, the shorter the delay.<br />
<br />
* The lower the advskew, the higher the priority.<br />
<br />
3. The higher-priority host’s timer expires first<br />
<br />
That host sends CARP advertisements when the timer expires.<br />
<br />
It assigns the virtual IP (VIP) to its interface.<br />
<br />
It becomes the MASTER host.<br />
<br />
4. The other hosts receive the advertisement<br />
<br />
They detect that a higher-priority host is active.<br />
<br />
They remain in BACKUP state.<br />
<br />
They do not send CARP advertisements.<br />
<br />
<br />
In CARP, we usually choose the preferred Master by giving it a higher priority (lower advskew).<br />
<br />
== Virtual Mac Address ==<br />
<br />
The protocol automatically generates a virtual MAC address based on the VHID, ending with the VHID's value (00:00:5e:00:01:XX). This MAC address is identical on both hosts and is used by the MASTER node.<br />
<br />
sources : <br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html<br />
<br />
== Basic configuration ==<br />
<br />
We want : <br />
<br />
router-002 to act as the master, while router-003 should operate as the backup for Intranought network.<br />
<br />
router-003 to act as the master, while router-002 should operate as the backup for Public network.<br />
<br />
<br />
1) Enable CARP Support<br />
<br />
On the file ''/boot/loader.conf'', you need to add : '''carp_load="YES"'''<br />
<br />
<br />
You are telling FreeBSD:<br />
<br />
“Load the CARP kernel module automatically at boot time.”<br />
<br />
If you want to load it now, but not permanently : '''kldload carp'''<br />
<br />
<br />
If someone has build a custom FreeBSD kernel, they can include CARP directly by adding this line to the kernel configuration file: '''device carp'''<br />
<br />
<br />
2) CARP configuration<br />
<br />
In each router, on the new appropriate file '''/etc/rc.conf.d/netif/carp''', we will have the CARP configuration <br />
<br />
router-002 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 0 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 100 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
<br />
router-003 : <br />
<br />
ifconfig_vmx0_alias0="inet vhid 1 advskew 100 pass xxxxxxx alias 172.27.27.13/27"<br />
<br />
ifconfig_vmx1_alias0="inet vhid 2 advskew 0 pass xxxxxxx alias 51.68.252.230/32"<br />
<br />
<br />
So we gave a lower advskew (default is 0) to become the master router.<br />
<br />
<br />
In older versions of FreeBSD (9 and earlier), CARP required creating a separate virtual interface such as carp0, and the shared IP address was attached to that interface. Starting with FreeBSD 10, this was simplified. CARP can now be configured directly on the physical interface using an alias with a VHID. The newer method is easier to configure and maintain, so it is recommended to use it in modern versions of FreeBSD.<br />
<br />
commands : <br />
<br />
ifconfig carp0 create<br />
ifconfig carp0 vhid 1 pass xxxxxx<br />
ifconfig carp0 inet 172.27.27.X/28'''<br />
<br />
sources : <br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
== Automatic blue/green deployment ==<br />
<br />
In this context, “automatic Blue-Green” does not refer to a traditional application deployment strategy. Instead, it describes a network-level behavior enabled by CARP.<br />
<br />
With CARP, two routers are deployed in parallel:<br />
<br />
- One acts as the active router (MASTER)<br />
<br />
- The other remains in standby (BACKUP)<br />
<br />
Both routers are fully operational and connected to the network. Traffic is sent to a shared virtual IP address. At any given time, only the MASTER processes the traffic. However, if the MASTER fails, the BACKUP automatically takes over the virtual IP address without manual intervention.<br />
<br />
This behavior resembles Blue-Green deployment because:<br />
<br />
1. Two environments exist simultaneously<br />
<br />
2. Only one actively handles traffic<br />
<br />
3. Traffic can switch from one to the other<br />
<br />
4. The switch is transparent to users<br />
<br />
The difference is that in traditional Blue-Green deployment, the switch is usually performed manually during an update. With CARP, the switch happens automatically in case of failure.<br />
<br />
== Priority vs advskew. ==<br />
<br />
In the CARP protocol, the master router is not directly determined by priority, but rather by a value called advskew. Advskew is a numerical parameter between 0 and 255: the lower its value, the more likely the router is to become the master. Priority, on the other hand, is a more intuitive abstraction used in automation tools or logical configurations: the higher the priority, the higher the router's expected priority. To link the two, we use the formula: advskew = 255 − priority. Thus, a router with a priority of 200 will have a low advskew (55) and will become the master, while a router with a priority of 0 will have a maximum advskew (255) and will remain in backup mode. In short, priority is a value that is easily understood and logical for humans, while advskew is the value actually used by CARP's internal mechanism to determine the master or backup role.<br />
<br />
<br />
<br />
<br />
Linked to {{T|2227}}<br />
<br />
== Distribute traffic ==<br />
<br />
The current infrastructure relies on two distinct networks at the ESXI hypervisor level:<br />
<br />
- An internal network 172.27.27.0/28, referred to as IntraNought, used for internal communication and management.<br />
<br />
- A public network used for public IP addresses exposed to the Internet.<br />
<br />
The objective now is to evaluate the possibility of implementing an active/active model so that both routers would receive traffic during normal operation, while still maintaining high availability through CARP. <br />
<br />
On the internal network (IntraNought), configuring CARP does not introduce a significant complexity. One router can operate as master and the other as backup. We will configure a first VHID.<br />
<br />
However, on the public network, a constraint exists. Public IP addresses (IPFO) provided by OVH are associated with a specific MAC address. If both routers need to use the same public IP address, they must present the same MAC address.<br />
<br />
By default, the ESXi vSwitch blocks situations where two virtual machines use the same MAC address. This requires enabling specific settings such as Promiscuous Mode, MAC Address Changes and Forged Transmits. It is technically feasible, but this adds complexity and may require network isolation by using a dedicated vSwitch for the routers.<br />
<br />
Finally, even if both routers are active, they run on the same hypervisor. This means the hypervisor is a Single Point of Failure (SPOF). If the physical host fails, both routers would go down at the same time, so the redundancy only exists at the virtual level, not at the hardware level.<br />
<br />
<br />
<br />
'''But at this point, a key question remains: If two VMs share the same MAC address, how does the vSwitch decide which VM should receive the traffic? Could it send the frame to the wrong VM? Or both ?'''<br />
<br />
In our setup, two routers share the same virtual public IP and therefore the same virtual MAC address using CARP. However, only one router is active (the master) at a time.<br />
<br />
When the master sends traffic, the ESXi vSwitch learns the virtual MAC address from the source MAC of the frames it receives. It then associates that MAC address with the master’s port. As a result, any incoming traffic destined for that MAC is forwarded only to the active router.<br />
<br />
The backup router has the same virtual MAC configured, but it does not actively use it while in backup state. It does not respond to ARP requests and does not send traffic using that MAC. Therefore, the vSwitch does not associate the MAC with the backup’s port.<br />
<br />
If a failover occurs, the backup router becomes master and starts sending traffic with the same virtual MAC. The vSwitch detects that the MAC now appears on a different port and updates its table. Traffic is then forwarded to the new master.<br />
<br />
Security settings such as “MAC Address Changes” and “Forged Transmits” must be set to Accept to allow this MAC movement between ports and prevent ESXi from blocking the traffic as a potential MAC spoofing attempt.<br />
<br />
Regarding Promiscuous Mode, VMware documentation states: “Promiscuous mode eliminates any reception filtering that the virtual machine adapter performs so that the guest operating system receives all traffic observed on the wire.” This means that the filtering normally performed by the virtual network adapter based on the destination MAC address is disabled. As a result, the guest operating system can receive all traffic visible on that VLAN. However, this setting does not modify the forwarding logic of the vSwitch itself. The vSwitch continues to perform standard Layer 2 MAC learning and forwards unicast traffic to a single port at a time. Therefore, even with Promiscuous Mode enabled, the vSwitch does not behave like a hub. Promiscuous mode is mainly used for traffic monitoring or packet sniffing, it is not required in our case.<br />
<br />
Also, VMware documentation explicitly mentions legitimate scenarios where multiple adapters share the same MAC address, such as Microsoft NLB in unicast mode. This confirms that using a shared virtual MAC with CARP is a supported and valid design pattern.<br />
<br />
<br />
<br />
Configuration to enable “MAC Address Changes” and “Forged Transmits” : <br />
<br />
https://knowledge.broadcom.com/external/article/324520/configuring-promiscuous-mode-on-a-virtua.html<br />
Source documentation: <br />
<br />
https://wxcafe.net/posts/redondance-routeurs-openbsd-freebsd/<br />
<br />
https://freebsdfoundation.org/wp-content/uploads/2022/11/zaborski_CARP.pdf<br />
<br />
https://docs-archive.freebsd.org/doc/11.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/carp.html<br />
<br />
https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/vsphere-security/securing-vsphere-networking/securing-vsphere-standard-switches.html<br />
<br />
https://dynfi.com/documentations/dynfi-firewall/configuration_firewall_VIP.html</div>Yousra