public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user]  Gentoo router redundancy via Ucarp?
@ 2005-09-04 20:08 James
  2005-09-04 22:23 ` Mike Williams
  2005-09-05  3:48 ` [gentoo-user] " kashani
  0 siblings, 2 replies; 6+ messages in thread
From: James @ 2005-09-04 20:08 UTC (permalink / raw
  To: gentoo-user

Hello,

I'm still hacking at my first Linux firewall. I decided to build
in redundancy, via CARP which replaces the cisco protocol VRRP.
I'd like to develop 2 versions:
A. 2 redundant routers on one cable modem (static IP) drop.
B. 2 redundant routers each with a different network/circuit
to the internet.

'UCARP' is in portage, and I was wondering:

1. Has anyone used 'ucarp' with iptables, willing to share configs?

2. How do you get your ethernet cards to reply to arp/mac requests
with the same MAC address? A pci based ethernet card with programmable
MAC address would be keen. If one does not exist, I'm quite tempted 
to do the layout, and develop the firmware (not a big deal).
Suggestions as to which chips to use, so as to be able to use
an existing driver from a 10/100 card (realtek?) would be keen.

3.  Is it stable? Comments?

4. Have you implemented QOS semantics with UCARP on Gentoo, and
would you be willing to share information?

5. Since my cable access provider scans MAC addresses and locks up
my cable box (therefore I have to shut it off for 5 minutes upon
changing the MAC address of my router) if different MACs are used,
do you have a workaround for this?

6. If I implement UCARP on a network with 2 different wiring/circuits
that support static TCP/IPs (cable modem and wireless T-mobile) how
do I setup external routing to use both pipes, without BGP-4?

7. When I'm finished what's the best method to test the robustness
of the router configuration, against security attacks? i.e.
a friendly penetration test volunteer?


James

-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user]  Gentoo router redundancy via Ucarp?
  2005-09-04 20:08 [gentoo-user] Gentoo router redundancy via Ucarp? James
@ 2005-09-04 22:23 ` Mike Williams
  2005-09-06 13:55   ` [gentoo-user] " James
  2005-09-05  3:48 ` [gentoo-user] " kashani
  1 sibling, 1 reply; 6+ messages in thread
From: Mike Williams @ 2005-09-04 22:23 UTC (permalink / raw
  To: gentoo-user

On Sunday 04 September 2005 21:08, James wrote:
> 1.

Not used it, sorry.
From what I know of it, with Linux it's not that great (iptables doesn't have 
a pfsync function like OpenBSD to keep state tables across machines).

> 2.

Linux can change the MAC address, I believe it'll work on pretty much 
anything.
Otherwise send an arping to update neighbouring routers. I do this on a manual 
failover pair behind a datacentre's routers.

> 3.

ha/heartbeat is, and ha/heartbeat will do what you require.

> 4.

Nope, but with either ucarp or ha, putting the QOS rules in the appropriate 
scripts will get them run on each host as it takes over.

> 5.

Same MACs

> 6.

http://lartc.org/howto/lartc.rpdb.multiple-links.html

> 7.

iptables config? nmap, or nessus it from a remote location perhaps?

-- 
Mike Williams





* Re: [gentoo-user]  Gentoo router redundancy via Ucarp?
  2005-09-04 20:08 [gentoo-user] Gentoo router redundancy via Ucarp? James
  2005-09-04 22:23 ` Mike Williams
@ 2005-09-05  3:48 ` kashani
  2005-09-06 13:46   ` [gentoo-user] " James
  1 sibling, 1 reply; 6+ messages in thread
From: kashani @ 2005-09-05  3:48 UTC (permalink / raw
  To: gentoo-user

James wrote:
> Hello,
> 
> I'm still hacking at my first Linux firewall. I decided to build
> in redundancy, via CARP which replaces the cisco protocol VRRP.
> I like to develop 2 versions:

This email primarily covers the routing issues you're going to see.

For the record the Cisco equivalent of VRRP is HSRP. Here's a little bit 
of history if you're interested.
http://tcpmag.com/qanda/article.asp?EditorialsID=306

This link might be interesting if you decide to look into VRRP which you 
can run on Linux.
http://siag.nu/pen/vrrpd-linux.shtml

> A. 2 redundant routers on one cable modem(static IP) drop.
> B. 2 redundant router each with a different network/circuit
> to the internet.
> 
> 'UCARP' is in portage, and I was wondering:
> 
> 1. Has anyone used 'ucarp' with iptables, willing to share configs?
> 
> 2. How do you get your ethernet cards to reply to arp/mac requests
> with the same MAC address? A pci based ethernet card with programmable
> MAC address would be keen. If one does not exist, I'm quite tempted 
> to do the layout, and develop the firmware (not a big deal).
> Suggestions as to which chips to use, so as to be able to use
> an existing driver from a 10/100 card (realtek?) would be keen.

	Any reasonable implementation should not be this complicated. In HSRP, 
I can't speak for ucarp, your real network interfaces have their 
hardware designated MAC addresses. When the virtual interface is created 
a new MAC address is generated and assigned to that IP only. This way 
the virtual IP and MAC can move easily between machines regardless of 
the MAC address of the real interfaces. I'd imagine that any VRRP-ish 
type system would do something similar.

	Getting into some black magic, IIRC and the details are pretty hazy, a 
state change in VRRP/HSRP would cause a gratuitous arp so that the 
switch could see that the MAC address had moved to another port. Some 
switches or firmware versions wouldn't respond correctly so traffic 
continued to the old port until arp times out or was manually cleared. 
Just something to watch out for if you're using low end gear... and even 
some high end gear has at times flubbed this.

> 5. Since my cable access provider scans MAC address and locks up
> my cable box(therefore I have to shut if off for 5 minutes upon
> changing the MAC address of my router) if different MACs are used,
> do you have a workaround for this?

	If you can get the cable modem to play nicely with the virtual IP and 
virtual MAC it should work. That might be fairly difficult if you're 
using DHCP.

> 6. If I implement UCARP on a  network with 2 different wiring/circuits
> that support static TCP/IPs (cable modem and wireless T-mobile) how
> do I setup external routing to use both pipes, without BGP-4?

	Is this a "for fun" project or an "if it breaks it'll cost me real 
money" project? If it's for fun go nuts, but if this is a convoluted 
plan to get some sort of real redundancy you're probably going to be 
disappointed.

	Here's the rub, load balancing outbound traffic is easy. Turn on 
advanced routing in your kernel, recompile, reboot, add your two default 
gateways and you're now using both connections. IIRC Linux does per 
connection load sharing, not per packet so a single TCP stream can not 
use the aggregate connection speed of both pipes.

	However load balancing incoming traffic is hard even with BGP. I'd be 
very surprised if either of your ISPs let you run BGP with them other 
than announcing a default 0.0.0.0/0 route to you via a private AS 
number. Assuming you even get that far I'm positive that their filters 
are going to swallow any route announcement specific enough to modify 
your traffic. Without BGP you have no redundancy for incoming traffic. 
Here's an example.

These are your static IPs:
cable 20.20.12.24
tmob 40.40.24.48

	If I'm connected to the tmob IP and that connection goes down nothing 
you can do will send me to the other IP. I'd have to reconnect and hope 
round robin DNS might send me to the other IP this time. You could play 
DNS games, but the failover time for all clients is going to be pretty long.

	Going back to your original question, you can run two routers on a 
single connection and that should work reasonably well though be limited 
in the redundancy it can give you. Running two connections however is 
more problematic and may not be worth the trouble if you're trying to 
provide transparent failover for incoming connections.

	I can break this down into better examples if anything doesn't make 
sense. I don't know how much you know about routing and this could have 
easily grown into four or five pages giving all the background info.

kashani
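An added illustration (not from the thread) of the mechanism Mike and kashani describe: the VIP is paired with a shared virtual MAC, and the router that becomes master sends a gratuitous ARP so the switch's MAC table relearns that MAC on the new port. It assumes the VRRP/CARP virtual MAC convention 00:00:5e:00:01:<vhid>, uses the thread's 20.20.12.24 as the VIP, and models the switch as a tiny learning bridge so you can see (and log) the MAC move that the flaky gear in kashani's story fails to act on.

```python
import struct
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def virtual_mac(vhid: int) -> bytes:
    """VRRP/CARP virtual MAC convention (assumed here): 00:00:5e:00:01:<vhid>."""
    return bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vhid & 0xFF])

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def gratuitous_arp(vhid: int, vip: str) -> bytes:
    """Ethernet frame carrying a gratuitous ARP reply for the VIP: sender and
    target protocol address are both the VIP, source MAC is the virtual MAC."""
    vmac = virtual_mac(vhid)
    eth = b"\xff" * 6 + vmac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4
    arp += vmac + ip_bytes(vip) + vmac + ip_bytes(vip)       # sha spa tha tpa
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Decode the fields a monitor needs to recognise gratuitous ARP for a VIP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    spa, tpa = frame[28:32], frame[38:42]
    return {
        "op": op,
        "src_mac": frame[6:12].hex(":"),
        "spa": ".".join(map(str, spa)),
        "tpa": ".".join(map(str, tpa)),
        "gratuitous": spa == tpa,
    }

class SwitchMacTable:
    """Minimal learning bridge: remembers the port that last sourced each MAC.
    learn() returns the previous port when a MAC moves, which is the event to
    log on a VIP failover (and the event a misbehaving switch never processes)."""
    def __init__(self) -> None:
        self.table = {}

    def learn(self, port: str, frame: bytes) -> Optional[str]:
        mac = frame[6:12].hex(":")
        old = self.table.get(mac)
        self.table[mac] = port
        return old if old is not None and old != port else None
```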




* [gentoo-user]  Re: Gentoo router redundancy via Ucarp?
  2005-09-05  3:48 ` [gentoo-user] " kashani
@ 2005-09-06 13:46   ` James
  2005-09-06 17:55     ` kashani
  0 siblings, 1 reply; 6+ messages in thread
From: James @ 2005-09-06 13:46 UTC (permalink / raw
  To: gentoo-user

kashani <kashani-list <at> badapple.net> writes:

> 	Here's the rub, load balancing outbound traffic is easy. Turn on 
> advanced routing in your kernel, recompile, reboot, add your two default 
> gateways and you're now using both connections. IIRC Linux does per 
> connection load sharing, not per packet so a single TCP stream can not 
> use the aggregate connection speed of both pipes.

Well, I have not been active in complex routing solutions lately, 
hence the inquiry as to available multi-homed solutions circa BGP.

> 	However load balancing incoming traffic is hard even with BGP. I'd be 
> very surprised if either of your ISP's let you run BGP with them other 
> than announcing a default 0.0.0.0/0 route to you via a private AS 
> number. Assuming you even get that far I'm positive that their filters 
> are going to swallow any route announcement specific enough to modify 
> your traffic. Without BGP you have no redundancy for incoming traffic. 
> Here's an example.

So BGP-4 is still the only solution to multi-homed networks.....?
Here's one treatise on the subject: 
http://www.ietf.org/internet-drafts/draft-nagami-mip6-nemo-multihome-fixed-network-03.txt

Thanks for your input.

James






* [gentoo-user]  Re: Gentoo router redundancy via Ucarp?
  2005-09-04 22:23 ` Mike Williams
@ 2005-09-06 13:55   ` James
  0 siblings, 0 replies; 6+ messages in thread
From: James @ 2005-09-06 13:55 UTC (permalink / raw
  To: gentoo-user

Mike Williams <mike <at> gaima.co.uk> writes:
> On Sunday 04 September 2005 21:08, James wrote:

> > 6.

> http://lartc.org/howto/lartc.rpdb.multiple-links.html

Nice link!
I'm sure I'll use a modified version of something like this.

> > 7.

> iptables config? nmap, or nessus it from a remote location perhaps?

Yea, I put a system on just to the inside of the cable modem, and
run various tools against the firewall. I was fishing for some
new/fresh ideas..... or a talented hack with a bad attitude.


James






* Re: [gentoo-user]  Re: Gentoo router redundancy via Ucarp?
  2005-09-06 13:46   ` [gentoo-user] " James
@ 2005-09-06 17:55     ` kashani
  0 siblings, 0 replies; 6+ messages in thread
From: kashani @ 2005-09-06 17:55 UTC (permalink / raw
  To: gentoo-user

James wrote:
> So BGP-4 is still the only solution to multi-homed networks.....? 
> Here's one treatise on the subject: 
> http://www.ietf.org/internet-drafts/draft-nagami-mip6-nemo-multihome-fixed-network-03.txt


BGP is really your only option, but your providers are not going to give 
you the option. Let's say we actually get BGP set up and it looks like this.

your router

int fe0/0
description comcast
ip address 24.24.24.124/24

int fe1/0
description tmobile
ip address 64.64.64.164/24

router bgp 65555
network 24.24.24.124/32
network 64.64.64.164/32
neighbor 24.24.24.1 remote-as $comcast-as#
neighbor 64.64.64.1 remote-as $tmobile

So at this point you're announcing 24.24.24.124/32 and 
64.64.64.164/32 to both providers. They accept these routes and also 
announce 0.0.0.0/0 back to you. Your route table will look like this:

CON 24.24.24.124/24 [1/4] is directly connected
CON 64.64.64.164/24 [2/4] is directly connected
BGP 0.0.0.0/0 [3/4] via 24.24.24.1
BGP 0.0.0.0/0 [4/4] via 64.64.64.1

If int fe0/0 fails that BGP session will drop and that route will be 
withdrawn from the routing table. That's the basic way BGP works for a 
multi-homed system.

So far so good. However your providers will not announce the /32 routes 
you are announcing to them to their peers. Ever. Because those routes 
are too small and the memory requirements to do that aren't feasible. 
These days with massive filtering you can get a full BGP table down to 
140-160k routes. If you allowed routes more specific than a /24 to be 
announced we'd see a million plus routes and the internet would start 
breaking. You could, say, pay your providers enough and they might 
actually announce the /32 routes, but their peers would filter anything 
smaller than a /24 route and some peers have been known to filter 
anything smaller than /22.

I want to connect to 24.24.24.124 from my DSL account. The routers 
between us route my packet to you via the comcast route because BGP on 
those routers says "24.24.0.0/16 --> Comcast". I never see a 
"24.24.24.124 --> Comcast or Tmobile" so when Comcast goes down I can't 
get to you through tmobile because there is no route for that in the 
routing tables.

This is why most important servers go to a data center. The data center 
has a nice big chunk of IP space, say 209.247.4.0/22, which they can 
announce to their multiple providers who in turn pass the route on to 
their peers. So the route table might look like this:

my DSL -> Level 3 -> XO -> datacenter
my DSL -> PSI -> MCI -> datacenter
and so on.

If this is something you're interested in learning more about the most 
useful book I found back in my Wan Engineer days was Internet Routing 
Architectures by Sam Halabi and Danny McPherson. It's a bit Cisco 
centric, but very readable and has a number of good real world examples.

kashani
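An added model (not from the thread) of the two tables kashani walks through in this message and the previous one: the customer router with two default routes that are withdrawn when a session drops, and a far-away router near "my DSL account" that only holds the providers' aggregates because its import filter refuses anything more specific than a /24. It reuses the thread's addresses, treats the /24 cut-off as the assumed filter, and uses the constructed destination 203.0.113.9 for the outbound check.

```python
import ipaddress

class RouteTable:
    """Longest-prefix-match table of (prefix, next_hop, source) entries."""
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, source="BGP"):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, source))

    def withdraw_via(self, next_hop):
        """A dropped BGP session withdraws every route learned through it."""
        self.routes = [r for r in self.routes if r[1] != next_hop]

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        best = None
        for net, nh, _ in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

def local_router():
    """The 'router bgp 65555' box: two connected /24s plus a default per provider."""
    t = RouteTable()
    t.add("24.24.24.0/24", "fe0/0", "CON")
    t.add("64.64.64.0/24", "fe1/0", "CON")
    t.add("0.0.0.0/0", "24.24.24.1")
    t.add("0.0.0.0/0", "64.64.64.1")
    return t

def far_router(accept_len=24, comcast_link_up=True):
    """Constructed table of a router near 'my DSL account'. It carries the
    providers' aggregates and an import filter (assumed /24 cut-off): the
    customer's /32 announcements only survive if the filter lets them in and
    the provider's session to the customer is still up."""
    t = RouteTable()
    t.add("24.24.0.0/16", "comcast")
    t.add("64.64.0.0/16", "tmobile")
    for vip in ("24.24.24.124/32", "64.64.64.164/32"):
        for provider in ("comcast", "tmobile"):
            if provider == "comcast" and not comcast_link_up:
                continue  # session to fe0/0 is down, Comcast withdrew the /32s
            if ipaddress.ip_network(vip).prefixlen <= accept_len:
                t.add(vip, provider)
    return t
```

With the /24 filter, 24.24.24.124 still resolves to the Comcast aggregate after the Comcast link dies, which is the black hole kashani describes; only a router that accepted /32s would fail over to T-Mobile.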


