On Wed, Jan 15, 2020 at 12:47:28PM +0100, Sebastian Benoit wrote:
Christopher Zimmermann(chr...@openbsd.org) on 2020.01.15 11:55:43 +0100:
Hi,

as far as I can see a dual stack carp interface does not care whether it
receives advertisements addressed to IPv4 or IPv6. Any one will do.
So I propose to send IPv6 advertisements only when IPv4 is not possible.

Why?

- Noise can be reduced by using unicast advertisements.
  This is only possible for IPv4 by ``ifconfig carppeer``.
  I don't like flooding the whole network with carp advertisements when
  I may also unicast them.

Maybe I'm getting confused, but in the problem description you were talking
about v6 vs v4, and here you argue about unicast (vs multicast?) being
better. That's orthogonal, isn't it?

Yes, kind of. The point is we support ``carppeer`` for IPv4, but not for IPv6.

- breaking IPv6 connectivity (for example by running iked without -6)
  will start a preempt-war, because failing ip6_output will cause the
  demote counter to be increased. That's what hit me.

But the whole point of carp is to notice broken connectivity. If you run v6
on an interface, you want to know if it's working, no?

I grant you that much. But what kind of failures do you hope to detect on the _sending_ carp master, that would not also affect the backup?

At the very least, this needs some more thought and testing in all the ways
carp can be configured.

Anyway, my main concern indeed is the broadcast noise generated by carp and I would be equally happy if we had a ``carppeer6`` option. Would that be considered?

I would suggest a change like this:

Index: ip_carp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.342
diff -u -p -r1.342 ip_carp.c
--- ip_carp.c   8 Nov 2019 07:51:41 -0000       1.342
+++ ip_carp.c   15 Jan 2020 10:45:56 -0000
@@ -1175,7 +1175,7 @@ carp_send_ad(struct carp_vhost_entry *vh
                }
        }
 #ifdef INET6
-       if (sc->sc_naddrs6) {
+       else if (sc->sc_naddrs6) {
                struct ip6_hdr *ip6;

                MGETHDR(m, M_DONTWAIT, MT_HEADER);
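
Review bot: the `else` added on the `if (sc->sc_naddrs6)` line pairs with a block that is closed above the `#ifdef INET6` line, so the pairing crosses a preprocessor boundary; if that earlier block is itself compiled conditionally, a build without it is left with a dangling `else`. If the preceding block tests `sc->sc_naddrs`, an explicit condition such as `if (sc->sc_naddrs6 && !sc->sc_naddrs) {` would keep the IPv6 block self-contained. A short comment should also say why IPv6 advertisements are skipped on a dual-stack interface.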


One could also use a slightly smaller hammer and only avoid sending IPv6
if the user requested an IPv4 unicast address:

-       if (sc->sc_naddrs6) {
+       if (sc->sc_naddrs6 &&
+           (! sc->sc_naddrs ||
+           sc->sc_peer.s_addr == INADDR_CARP_GROUP) ) {
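
Review bot: the added condition has no comment saying what `sc->sc_peer.s_addr == INADDR_CARP_GROUP` stands for, so a reader has to infer that it means no IPv4 unicast peer was requested; a one-line comment above the `if` would make that explicit. The spacing in `(! sc->sc_naddrs ||` and the closing `) ) {` also differs from the `if (sc->sc_naddrs6) {` line it replaces; `!sc->sc_naddrs` and `)) {` would match.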


Christopher

--
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
CB07 DA40 B0B6 571D 35E2  0DEF 87E2 92A7 13E5 DEE1
