Manuel Mausz
2014-05-26 13:17:48 UTC
Hi list,
we recently ran into an interoperability issue with two different vendors
using VRRP v3 with IPv4. The issue is: vendor #1 is calculating the
checksum with, vendor #2 without IPv4 pseudoheader.
The RFC isn't exactly clear about the IPv4 case. Section 5.2.8 mainly
cares about IPv6 ("next header field") and the reference is about IPv6 only.
There has already been some discussion about this ambiguity in 2012.
Sadly without any clear outcome. The discussion can be found at:
https://www.ietf.org/mail-archive/web/vrrp/current/msg01466.html
I've already contacted one of the vendors and as you might already guess
they fail to see any RFC violation.
Also the Wireshark developers don't really know which checksum is
correct. They started to calculate the checksum with IPv4 pseudoheader
but recently added a knob to support both possible interpretations:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a653014e69a4f0e0b59393ddc03871006057b36a
Calculating the checksum without IPv4 pseudoheader results in exactly
the same packet as using VRRP v2. The only difference is the version
field. At least as long as you don't do any VRRP v2 authentication.
It would be nice if there can finally be some clarification.
thanks,
manuel
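
The two checksum interpretations described in the message above, as an added example that is not part of the original post or of any vendor's or Wireshark's code. It assumes the TCP/UDP-style IPv4 pseudo-header layout (source, destination, zero, protocol 112, length); the function names and sample addresses are constructed for illustration.

```python
import socket
import struct

VRRP_PROTO = 112  # IP protocol number assigned to VRRP

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: complement of the 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    # Assumption: TCP/UDP-style IPv4 pseudo-header (src, dst, zero, protocol, length).
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, VRRP_PROTO, length)

def vrrp3_advert(vrid, priority, adver_cs, addrs, checksum=0) -> bytes:
    """VRRPv3 advertisement; adver_cs is Max Adver Int in centiseconds (12 bits)."""
    head = struct.pack("!BBBBHH", (3 << 4) | 1, vrid, priority, len(addrs),
                       adver_cs & 0x0FFF, checksum)
    return head + b"".join(socket.inet_aton(a) for a in addrs)

def both_checksums(src, dst, body: bytes) -> dict:
    """Checksum of a body whose checksum field is zero, under each interpretation."""
    return {"without": inet_checksum(body),
            "with": inet_checksum(pseudo_header(src, dst, len(body)) + body)}

def classify(src, dst, packet: bytes) -> str:
    """Tell which interpretation a received advertisement's checksum matches."""
    plain = inet_checksum(packet) == 0
    pseudo = inet_checksum(pseudo_header(src, dst, len(packet)) + packet) == 0
    if plain and pseudo:
        return "both"
    return "without" if plain else "with" if pseudo else "invalid"

if __name__ == "__main__":
    # Constructed sample values (documentation addresses), not taken from the thread.
    src, dst = "192.0.2.1", "224.0.0.18"
    args = (1, 100, 100, ["192.0.2.254"])
    sums = both_checksums(src, dst, vrrp3_advert(*args))
    for name, value in sums.items():
        pkt = vrrp3_advert(*args, checksum=value)
        print(f"{name:8s} 0x{value:04x} -> receiver sees: {classify(src, dst, pkt)}")
```

A receiver that validates with only one of the two interpretations sees the other vendor's advertisements as checksum failures, while `classify` shows how a tolerant checker can identify which form a peer is sending.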