From VRRP-owner@drcoffsite.com Tue Jul 3 04:15:07 2001
From: Yaron Presente (optical access)
Date: Tue, 03 Jul 2001 10:52:06 +0300
To: vivek@pluris.com, hunt@IPRG.nokia.com
Cc: vrrp@drcoffsite.com
Subject: Re: why Virtual IP addresses and not Virtual IP subnets

Hi,

Thanks for the answers. However, I still have some concerns.

Peter Hunt wrote:
> The router backing up the virtual address has its own "real" address
> configured in that subnet. When the master fails, the backup VRRP
> router installs the virtual address as an additional address in that
> subnet. So it doesn't need to know the mask length of the network as
> part of VRRP; it already knows it because it has its own address
> configured in that subnet.
>
> Peter.

I couldn't find in the RFC where it says or implies that a backup router
should have a real address for every IP address that it backs up.

Vivek Menezes wrote:
> There is no requirement for subnet because the Master only represents the
> IP address to MAC address mapping. It is supposed to route all packets
> destined to the MAC address.
> Vivek.

TRUE. Here my problem is more related to the implementation side.
I know that VRRP only gives a solution to a default gateway failure,
that is, for traffic generated by hosts in the upstream direction.
However, I think that it is reasonable to assume that, at least in
a symmetric topology, downstream traffic would also have to be routed
by this backup router. In order to do this, the router has to know
(and advertise) its local IP subnets, and the IP <=> MAC mapping is
not enough to make the necessary routing decisions.

Thanks,
Yaron
From VRRP-owner@drcoffsite.com Mon Jul 16 09:51:45 2001
From: "Pace, Aaron"
To: "'vrrp@drcoffsite.com'"
Subject: RFC question
Date: Mon, 16 Jul 2001 09:32:15 -0400

Hello all,

In the RFC, page 17, it is stated that the VRRP router, while in master
state, MUST NOT accept packets addressed to the IP address(es) associated
with the virtual router if it is not the IP address owner. Was there a
specific foreseen problem that prompted this limitation? Any input would
be much appreciated.

Thanks,
Aaron Pace
From VRRP-owner@drcoffsite.com Mon Jul 16 10:17:18 2001
From: "Ken Ferens"
Subject: RE: RFC question
Date: Mon, 16 Jul 2001 09:08:30 -0500

Can someone tell me if Windows 2000 supports VRRP?

And, what OSs do support VRRP?

Thank you,
Ken
From VRRP-owner@drcoffsite.com Tue Jul 17 02:39:45 2001
From: danny mitzel
Date: Mon, 16 Jul 2001 23:18:34 -0700 (PDT)
To: "Pace, Aaron", "'vrrp@drcoffsite.com'"
Subject: Re: RFC question

--- "Pace, Aaron" wrote:
> In the RFC, page 17, it is stated that the VRRP router, while in master
> state, MUST NOT accept packets addressed to the IP address(es) associated
> with the virtual router if it is not the IP address owner. Was there a
> specific foreseen problem that prompted this limitation? Any input would
> be much appreciated.

A couple of goals of the working group were to 1) improve detection of
failure state, and 2) reduce chances of misdirected management operations.

Regarding (1), there are some high availability solutions that make it very
difficult for standard management tools (ping, SNMP, etc.) to detect
failures because a backup responds to these requests for the failed-over
addresses.

For (2), similarly, if the backup performs local termination of connections
and management requests then the administrator may mistakenly apply a
configuration to the backup that was intended to be directed at the address
owner.

The working group took a conservative approach of disallowing any local
termination or response related to the adopted address, which eliminates
problems related to (1) and (2). In my experience these decisions seem to
have worked well. However, a significant confusion introduced during a
failover is that a user cannot elicit a ping response from their first-hop
default router yet the IP forwarding service is uninterrupted. :-(

From VRRP-owner@drcoffsite.com Fri Jul 20 02:08:47 2001
From: prakashar@in.huawei.com
To: vrrp@drcoffsite.com
Subject: MAC frame with real MAC address
Date: Fri, 20 Jul 2001 11:29:05 +0500

Hello,

Apologies if the following questions are already answered on this list.

When a VRRP master router (who is also the IP address owner) receives a MAC
frame with its real MAC address, should it use the virtual MAC address when
it is responding to this frame?

Also, could I have the web page URL which is maintaining the FAQ for VRRP?

Thanks in advance,

Cheers,
Prakash
From VRRP-owner@drcoffsite.com Fri Jul 20 12:04:38 2001
From: Vikram
Subject: ttl = 255 and scope limited to lan ..why?
To: vrrp@drcoffsite.com
Date: Fri, 20 Jul 2001 08:50:52 -0700 (PDT)

Hi folks,

The RFC says that the TTL should always be set to 255 in a VRRP packet, and
also that the scope of each VR is restricted to a single LAN. If that is the
case, wouldn't it be better if the TTL was set to 1 instead? The backup will
always be in the same LAN so it will receive the packet nonetheless.

Thanks
Regards,
Vikram
=====
----
NO sense being pessimistic. It wouldn't work anyway

From VRRP-owner@drcoffsite.com Fri Jul 20 12:59:14 2001
From: Peter Hunt
To: Vikram
Cc: vrrp@drcoffsite.com, hunt@iprg.nokia.com
Subject: Re: ttl = 255 and scope limited to lan ..why?
Date: Fri, 20 Jul 2001 09:49:52 -0700

> The RFC says that the TTL should always be set to 255 in a VRRP packet,
> and also that the scope of each VR is restricted to a single LAN. If that
> is the case, wouldn't it be better if the TTL was set to 1 instead?

It's possible that a packet with a TTL of 1 originated from more than 1
hop away. So it would be possible to inject protocol packets from another
network.

By requiring a TTL of 255, you can ensure that protocol packets weren't
forwarded from another network.

Peter.

From VRRP-owner@drcoffsite.com Fri Jul 20 13:35:22 2001
From: Vikram
To: Peter Hunt
Cc: vrrp@drcoffsite.com
Subject: Re: ttl = 255 and scope limited to lan ..why?
Date: Fri, 20 Jul 2001 10:25:32 -0700 (PDT)

Well, if you send out packets with ttl=1 in the first place, they will not
travel more than one hop anyway.

Also, if you are a multicast router then you should never forward a
datagram with addresses of 244.0.0.x as destination, regardless of TTL.

So the possibility of originating from more than one hop away doesn't
exist, i.e. receiving a misconfigured packet.

And besides, the VRRP packet should also clear numerous other checks to be
accepted as a valid VRRP packet, i.e. authentication issues.

Vikram

From VRRP-owner@drcoffsite.com Fri Jul 20 14:14:31 2001
From: "A. K. Srikanth"
To: "'Vikram'"
Cc: "'vrrp@drcoffsite.com'"
Subject: RE: ttl = 255 and scope limited to lan ..why?
Date: Fri, 20 Jul 2001 14:02:24 -0400

Well, the point is that if I sent a packet with TTL 3 from 2 hops away it
will be 1 by the time it reaches the router in question. The bottom line
being it is not possible to tell how many hops (routers) a packet has been
through when it reaches you with a TTL of 1, whereas you can always tell
that it has not gone through a router if the packet has a TTL of 255 when
it reaches you.

Thanks,
Srikanth
From VRRP-owner@drcoffsite.com Fri Jul 20 15:04:49 2001
From: Vikram
To: vrrp@drcoffsite.com
Subject: RE: ttl = 255 and scope limited to lan ..why?
Date: Fri, 20 Jul 2001 11:56:14 -0700 (PDT)

There are two things here:

First is you must send out a packet with TTL 1 only. If you are doing it
on purpose (and if the receiver is concerned about security) you will be
having the authentication fields to be taken care of.

Second is a rather interesting point which I am not sure of:

Suppose you have the following config:

    -------
    |  A  |
    -------
      1|
    ----------LAN1
         |2
    -------
    |  B  |
    -------
      3|
    ---------------LAN2
         |4
    -------
    |  C  |
    -------

A, B, C are all routers on which '3' is backing up '4' and '2' is backing
up '1' (just presume B has all the prerequisites to back up both A and C,
not necessarily shown in the figure). Thus both 2 and 3 will join the VRRP
group (112).

Thus if you (B) get a VRRP packet from LAN2 you check to see if you are
subscribed for this group on 3 {<3,112> tuple} and if yes you process it.
Your incoming interface table will have a <3,112> entry and so you will
process this packet (i.e. send it to the intended application (VRRP) in
your box).

Now an application (VRRP) on box B has subscribed to receive packets which
come in from 2 (ingress side) also. Thus if you forward the packet
internally from 3 to 2 (i.e. to the egress side of 2) that is either
1. wrong implementation of mcast functionality, or
2. will never happen because the outgoing interface table will not have
the <2,112> entry.

Thus while our incoming interface tables will contain two entries
<2,112>, <3,112>, our outgoing interface tables shouldn't contain
anything, so the question of forwarding doesn't arise.

I am not fully sure if my hypothesis for case 2 is right. Please do let
me know.

Thanks

Vikram

From VRRP-owner@drcoffsite.com Fri Jul 20 22:47:04 2001
From: Ben Black
To: Vikram
Cc: vrrp@drcoffsite.com
Subject: Re: ttl = 255 and scope limited to lan ..why?
Date: Fri, 20 Jul 2001 19:35:10 -0700

You are completely ignoring malicious applications. While it is very
unlikely that someone would misconfigure their devices in such a way that
VRRP link-local multicasts are forwarded, the cost of using a TTL of 255
to guarantee that a packet was not forwarded is essentially nil.

What is the benefit of using a TTL of 1?

Ben
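The receive-side checks the thread argues about (TTL must be exactly 255 because any forwarding hop would have decremented it, link-local multicast destination, protocol 112, checksum, configured VRID), worked as an added example that is not code from the list or from any VRRP implementation. The VRRPv2 layout follows RFC 2338; the addresses, VRIDs and the packet builder are constructed for the demonstration.

```python
"""Receive checks for a VRRPv2 advertisement, in the order a defender
wants them: reject anything a router could have forwarded before
parsing the protocol message at all."""
import socket
import struct

VRRP_PROTO = 112            # IP protocol number for VRRP
VRRP_MCAST = "224.0.0.18"   # link-local VRRP multicast group
VRRP_TTL = 255              # RFC 2338: advertisements are sent with TTL 255


def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, vips, ttl=VRRP_TTL,
                        src="192.0.2.1", dst=VRRP_MCAST):
    """Constructed IPv4 header + VRRPv2 ADVERTISEMENT (auth type 0).
    Test input only; addresses are documentation-range placeholders."""
    # version 2 / type 1, VRID, priority, count, auth type, adver int, cksum
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, 1, 0)
    body += b"".join(socket.inet_aton(v) for v in vips)
    body += bytes(8)                       # authentication data (unused)
    body = body[:6] + struct.pack("!H", checksum16(body)) + body[8:]
    total_len = 20 + len(body)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                     VRRP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return ip + body


def validate_advertisement(raw: bytes, configured_vrids):
    """Return (accepted, reason) for one received IPv4 datagram.
    TTL is checked before anything above the IP layer: a TTL of 255
    proves no router touched the packet, which a TTL of 1 cannot."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return False, "not IPv4"
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    ttl, proto = raw[8], raw[9]
    dst = socket.inet_ntoa(raw[16:20])
    if proto != VRRP_PROTO:
        return False, "not VRRP"
    if dst != VRRP_MCAST:
        return False, "wrong destination"
    if ttl != VRRP_TTL:
        # Either forwarded from another network or never sent with 255;
        # both are discarded without looking at the payload.
        return False, "ttl %d != 255" % ttl
    msg = raw[ihl:total_len]
    if len(msg) < 16:
        return False, "truncated VRRP message"
    vers_type, vrid, prio, count, _auth, _adver, _ck = struct.unpack(
        "!BBBBBBH", msg[:8])
    if vers_type >> 4 != 2:
        return False, "unsupported version"
    if vers_type & 0x0F != 1:
        return False, "not an advertisement"
    if checksum16(msg) != 0:               # sum over a valid message folds to 0
        return False, "bad checksum"
    if len(msg) != 8 + 4 * count + 8:
        return False, "length does not match address count"
    if vrid not in configured_vrids:
        return False, "unknown VRID %d" % vrid
    return True, "accept vrid %d prio %d" % (vrid, prio)


if __name__ == "__main__":
    good = build_advertisement(7, 100, ["192.0.2.254"])
    for label, pkt in [("sent with 255", good),
                       ("after one router hop", build_advertisement(7, 100, ["192.0.2.254"], ttl=254)),
                       ("sent with 1", build_advertisement(7, 100, ["192.0.2.254"], ttl=1))]:
        print(label, "->", validate_advertisement(pkt, {7}))
```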