Common Address Redundancy Protocol

The Common Address Redundancy Protocol (CARP) is a network protocol used to increase the availability of IP systems. It achieves this by letting several computers share the same virtual IP and MAC addresses when communicating with other systems on a local network. CARP is mainly used to build highly available gateways (routers/firewalls), but application servers can be made highly available with CARP as well. In the Internet protocol suite it has protocol number 112.

CARP was developed by the OpenBSD team. The development became necessary because, for patent-law reasons, VRRP could not be used within an open source project, so a separate protocol had to be written. In addition, fundamental flaws of VRRP and HSRP were to be avoided. The first OpenBSD version to include CARP was version 3.5.

CARP has since been ported to other platforms. A free userland port is ucarp (currently available for Linux 2.4/2.6, OpenBSD and NetBSD). Kernel implementations exist for DragonFly BSD, FreeBSD and NetBSD.

Differences from VRRP

The basic task of CARP is similar to that of VRRP, but there are some fundamental differences:

  • The most important advantage of CARP is that, unlike VRRP, anyone can use it free of patent restrictions.
  • A fundamental difference from VRRP is the protocol-independent operation of CARP; CARP is therefore available for both IPv4 and IPv6.
  • Great emphasis was also placed on security in the development of CARP: the messages exchanged between the cluster computers are always cryptographically authenticated using an HMAC based on SHA-1.
  • CARP offers a feature called arpbalance. Here all computers use the same virtual IP address, but each computer still gets its own virtual MAC address, which makes load sharing between the computers possible. This feature currently works only in OpenBSD; the userland CARP (ucarp) does not implement it on other platforms such as Linux so far.

Operation

To use CARP you need at least two systems that perform the same task and are in the same subnet. Each of these systems has its own unique IP and MAC address, and together they form a cluster. The cluster is additionally assigned a virtual IP and MAC address, and it is through this virtual IP/MAC pair that the cluster communicates with other systems. For this to work, one cluster computer is the master and the others are slaves; the master is responsible for communication with the outside world. Over the CARP protocol, each member of the cluster checks that the other machines are still working. If the master fails, one of the slaves takes over both the virtual MAC address and the virtual IP address.
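The following is an added illustration, not code from the article or from OpenBSD: a simplified Python model of how a CARP group elects its master and how authenticated advertisements protect that election. Each node of a group (same vhid) advertises at an interval of advbase + advskew/256 seconds; a backup promotes itself when no authentic master advertisement has been heard for three intervals, and a node with a mismatched password is simply ignored. The header layout (vhid, advbase, advskew, counter) and the derivation of the HMAC key from the password are assumptions for illustration and do not match the real wire format.

```python
"""Constructed, simplified model of CARP master election (not the real wire format)."""
import hashlib
import hmac
import struct

HDR = "!BBBQ"                          # vhid, advbase, advskew, 64-bit counter (assumed layout)
HDR_LEN = struct.calcsize(HDR)         # 11 bytes
TAG_LEN = hashlib.sha1().digest_size   # 20-byte HMAC-SHA1 tag


class CarpNode:
    def __init__(self, name, vhid, password, advbase=1, advskew=0):
        self.name = name
        self.vhid = vhid
        # Assumption: the shared password is hashed with SHA-1 to form the HMAC key
        self.key = hashlib.sha1(password.encode()).digest()
        self.advbase = advbase
        self.advskew = advskew
        self.state = "BACKUP"
        self.last_master_adv = 0.0   # assume a master exists at startup: wait one timeout
        self.next_adv = 0.0

    def interval(self):
        return self.advbase + self.advskew / 256.0

    def advertisement(self, counter):
        """Build an advertisement and append its HMAC-SHA1 tag."""
        body = struct.pack(HDR, self.vhid, self.advbase, self.advskew, counter)
        return body + hmac.new(self.key, body, hashlib.sha1).digest()

    def verify(self, packet):
        """Return (advbase, advskew) for an authentic advertisement of our group, else None."""
        if len(packet) != HDR_LEN + TAG_LEN:
            return None
        body, tag = packet[:HDR_LEN], packet[HDR_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):
            return None              # wrong password or tampered packet
        vhid, advbase, advskew, _counter = struct.unpack(HDR, body)
        if vhid != self.vhid:
            return None              # advertisement for a different CARP group
        return advbase, advskew

    def receive(self, packet, now):
        """Process an incoming advertisement; returns True if it was accepted."""
        parsed = self.verify(packet)
        if parsed is None:
            return False
        advbase, advskew = parsed
        # A master that hears a peer advertising faster (lower skew) yields to it
        if self.state == "MASTER" and advbase + advskew / 256.0 < self.interval():
            self.state = "BACKUP"
        self.last_master_adv = now
        return True

    def tick(self, now):
        """A backup promotes itself after three silent intervals; returns the new state."""
        if self.state == "BACKUP" and now - self.last_master_adv > 3 * self.interval():
            self.state = "MASTER"
        return self.state

    def should_advertise(self, now):
        if self.state == "MASTER" and now >= self.next_adv:
            self.next_adv = now + self.interval()
            return True
        return False


def authentication_check():
    """Only advertisements with a valid HMAC under the shared password are accepted."""
    fw1 = CarpNode("fw1", vhid=1, password="s3cret")
    fw2 = CarpNode("fw2", vhid=1, password="s3cret")
    fw3 = CarpNode("fw3", vhid=1, password="typo")   # misconfigured: mismatched password
    return (fw2.receive(fw1.advertisement(1), 1.0),
            fw2.receive(fw3.advertisement(1), 1.0))


def simulate(fail_at=10.0, end=20.0, step=0.5):
    """Two-node cluster: fw1 (skew 0) becomes master, fails at fail_at, fw2 takes over."""
    fw1 = CarpNode("fw1", vhid=1, password="s3cret", advskew=0)
    fw2 = CarpNode("fw2", vhid=1, password="s3cret", advskew=100)
    nodes, log, counter, t = [fw1, fw2], [], 0, 0.0
    while t <= end:
        if t >= fail_at and fw1.state != "DOWN":
            fw1.state = "DOWN"                       # simulated failure: stops advertising
            log.append((t, fw1.name, fw1.state))
        alive = [n for n in nodes if n.state != "DOWN"]
        for n in alive:
            before = n.state
            if n.tick(t) != before:
                log.append((t, n.name, n.state))
        for n in alive:
            if n.should_advertise(t):
                counter += 1
                pkt = n.advertisement(counter)
                for peer in alive:
                    if peer is not n:
                        peer.receive(pkt, t)
        t += step
    return log, {n.name: n.state for n in nodes}


if __name__ == "__main__":
    print(authentication_check())
    for event in simulate()[0]:
        print(event)
```

Running the module shows fw1 winning the election at 3.5 s (its timeout of 3 × 1.0 s expires first), going down at 10 s, and fw2 taking over at 14 s, once 3 × (1 + 100/256) s have passed without an authentic advertisement; the misconfigured node's advertisements never influence the election because their HMAC does not verify.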

CARP is particularly interesting in the context of highly available firewalls. There it is also necessary to synchronize the state tables, so that connections are not lost when the active cluster computer fails. With OpenBSD/pf, pfsync is used for this; with Linux/Netfilter, the function is provided by conntrackd.
