On 6 May 2014 15:17, David Conrad <drc@virtualized.org> wrote:
Constantine,
On May 6, 2014, at 4:15 PM, Constantine A. Murenin <mureninc@gmail.com> wrote:
Protocol 112 was assigned by IANA for VRRP in 1998.
When did OpenBSD choose to squat on 112?
If you don't use it, you lose it.
Are you suggesting no one is running VRRP? Surprising given RFC 5798.
By the way, according to Wikipedia, it would seem the OpenBSD developers decided to squat on 112 in 2003, 5 years after 112 was assigned.
Your point being?
There are only so many protocol numbers; out of those potentially available and non-conflicting,
Yes. That is exactly why most responsible and professional developers work with IANA to obtain the assignments they need instead of intentionally squatting on numbers, particularly numbers known to be already assigned.
it was deemed the best choice to go with the protocol number that was guaranteed to be useless otherwise.
Except it wasn't useless: it was, in fact, in use by VRRP. Further, the OpenBSD developers chose to squat on 240 for pfsync - a number that has not yet been allocated. If the OpenBSD developers were so concerned about making the best choice, it seems odd they chose an allocated number for one protocol and an unallocated number for another protocol.
Can you explain why exactly do you find this odd? VRRP/HSRP have had only one protocol number allocated to it; it's not like it had two, so, another one had to come out of somewhere else.
To be honest, it would seem from appearances that OpenBSD's use of 112 was deemed a "cute" (that is, unprofessional and irresponsible) way for the OpenBSD developers to say 'screw you' to the IETF, IANA, Cisco, network operators, etc. The fact that OpenBSD developers continue to defend this choice is one reason why I won't run OpenBSD (or CARP).
Any complaints for Google using the https port 443 for SPDY?
AFAIK, the use of SPDY does not preclude the use of HTTPS on the same network. The fact that in addition to the OpenBSD developers choosing to use 112, they also chose to use the MAC addresses used for VRRP, thus making it impossible to run both VRRP and CARP on the same network due to MAC address conflicts would suggest you might want to pick a better analogy.
Well, that's kinda the issue here -- the comparison with SPDY is actually quite valid. I haven't seen any facts that CARP actually precludes you from using VRRP on your network, unless you use broken VRRP/HSRP implementations (BTW, did you thank OpenBSD for forcing Cisco to fix those? or would you rather retain an extra attack vector for your routers?), or configure CARP and VRRP to use the same MAC addresses through the same Virtual ID setting (user error), when clearly a choice is available. On the contrary, it's actually clearly and unambiguously confirmed in this very thread that both could coexist just fine: http://mailman.nanog.org/pipermail/nanog/2014-April/066529.html . So, then the only problem, perhaps, is that noone has apparently bothered to explicitly document that both VRRP and CARP use 00:00:5e:00:01:xx MAC addresses, and that the "xx" part comes from the "Virtual Router IDentifier (VRID)" in VRRP and "virtual host ID (VHID)" in CARP, providing a colliding namespace, so, one cannot run both with the same Virtual ID on the same network segment. Why exactly is this not documented? You could always claim, "politics", and it probably was back then 10 years ago when this story developed; but, in today's reality, OpenBSD is quite well known for its minimalism in all things UNIX, just as Apple in all things visual design. The likelihood of someone mixing CARP and VRRP, on the same network segment / same VLAN, and with the same Virtual IDs, and without ever hearing of the controversies from which CARP had to be born (and being curious of the origins of the "cute" name), seems quite small to me. So, documenting it at this point would be quite pointless, if not only for the future generations or Google reference. So, just as always, much ado about nothing. If someone sends a good documentation patch, without making the change seem out of place, it'll probably be committed into the tree shortly. C.