US patent 5473599

Constantine A. Murenin mureninc at gmail.com
Wed May 7 01:11:04 UTC 2014


On 6 May 2014 15:17, David Conrad <drc at virtualized.org> wrote:
> Constantine,
>
> On May 6, 2014, at 4:15 PM, Constantine A. Murenin <mureninc at gmail.com> wrote:
>>> Protocol 112 was assigned by IANA for VRRP in 1998.
>>>
>>> When did OpenBSD choose to squat on 112?
>>
>> If you don't use it, you lose it.
>
> Are you suggesting no one is running VRRP? Surprising given RFC 5798.
>
> By the way, according to Wikipedia, it would seem the OpenBSD developers decided to squat on 112 in 2003, 5 years after 112 was assigned.

Your point being?

>
>> There are only so many protocol numbers; out of those potentially
>> available and non-conflicting,
>
> Yes. That is exactly why most responsible and professional developers work with IANA to obtain the assignments they need instead of intentionally squatting on numbers, particularly numbers known to be already assigned.
>
>> it was deemed the best choice to go
>> with the protocol number that was guaranteed to be useless otherwise.
>
> Except it wasn't useless: it was, in fact, in use by VRRP.  Further, the OpenBSD developers chose to squat on 240 for pfsync - a number that has not yet been allocated.  If the OpenBSD developers were so concerned about making the best choice, it seems odd they chose an allocated number for one protocol and an unallocated number for another protocol.

Can you explain why exactly do you find this odd?

VRRP/HSRP have had only one protocol number allocated to it; it's not
like it had two, so, another one had to come out of somewhere else.

>
> To be honest, it would seem from appearances that OpenBSD's use of 112 was deemed a "cute" (that is, unprofessional and irresponsible) way for the OpenBSD developers to say 'screw you' to the IETF, IANA, Cisco, network operators, etc. The fact that OpenBSD developers continue to defend this choice is one reason why I won't run OpenBSD (or CARP).
>
>> Any complaints for Google using the https port 443 for SPDY?
>
> AFAIK, the use of SPDY does not preclude the use of HTTPS on the same network. The fact that in addition to the OpenBSD developers choosing to use 112, they also chose to use the MAC addresses used for VRRP, thus making it impossible to run both VRRP and CARP on the same network due to MAC address conflicts would suggest you might want to pick a better analogy.

Well, that's kinda the issue here -- the comparison with SPDY is
actually quite valid.  I haven't seen any facts that CARP actually
precludes you from using VRRP on your network, unless you use broken
VRRP/HSRP implementations (BTW, did you thank OpenBSD for forcing
Cisco to fix those? or would you rather retain an extra attack vector
for your routers?), or configure CARP and VRRP to use the same MAC
addresses through the same Virtual ID setting (user error), when
clearly a choice is available.  On the contrary, it's actually clearly
and unambiguously confirmed in this very thread that both could
coexist just fine:
http://mailman.nanog.org/pipermail/nanog/2014-April/066529.html .

So, then the only problem, perhaps, is that noone has apparently
bothered to explicitly document that both VRRP and CARP use
00:00:5e:00:01:xx MAC addresses, and that the "xx" part comes from the
"Virtual Router IDentifier (VRID)" in VRRP and "virtual host ID
(VHID)" in CARP, providing a colliding namespace, so, one cannot run
both with the same Virtual ID on the same network segment.

Why exactly is this not documented?  You could always claim,
"politics", and it probably was back then 10 years ago when this story
developed; but, in today's reality, OpenBSD is quite well known for
its minimalism in all things UNIX, just as Apple in all things visual
design.  The likelihood of someone mixing CARP and VRRP, on the same
network segment / same VLAN, and with the same Virtual IDs, and
without ever hearing of the controversies from which CARP had to be
born (and being curious of the origins of the "cute" name), seems
quite small to me.  So, documenting it at this point would be quite
pointless, if not only for the future generations or Google reference.

So, just as always, much ado about nothing.  If someone sends a good
documentation patch, without making the change seem out of place,
it'll probably be committed into the tree shortly.

C.


More information about the NANOG mailing list