Date: Mon, 25 Feb 2019 16:30:59 +0100 From: ASV <asv@inhio.net> To: freebsd-questions@freebsd.org Subject: Re: CARP auth not working on 11.2-RELEASE-p9 Message-ID: <1a47c9a86d170040e88a40849d2a0f73587cdb00.camel@inhio.net> In-Reply-To: <98749ba3046b58a8cba54e6befb976d82d45f900.camel@inhio.net> References: <98749ba3046b58a8cba54e6befb976d82d45f900.camel@inhio.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Clarifications: - I know that the implementation on FreeBSD is not the same as the OpenBSD one (as I've been pointed out) - If the authentication is happening through SHA1-HMAC or else is not very important. - The crucial part is to understand if the authentication is working or not and if not is due to a configuration error or a bug. Created also a thread here: https://forums.freebsd.org/threads/carp-auth-not-working-on-11-2-release-p9.69771/#post-418839 Thank you. On Sun, 2019-02-24 at 11:10 +0100, ASV wrote: > Good morning to you all, > I'm experiencing an annoying issue with the new CARP implementation > (changed since FBSD 10+) on two identical FreeBSD 11.2-RELEASE-p9 > servers. > Here the configuration strings in /etc/rc.conf (password same lenght > and type but modified): > SRV1: "inet vhid 1 advskew 0 pass add44c97ec0dcd4568b63770c1fe11ef > alias 10.2.2.130/32" > SRV2: "inet vhid 1 advskew 100 pass add44c97ec0dcd4568b63770c1fe11ef > alias 10.2.2.130/32" > > --- IFCONFIG OUTPUT > SRV1: > vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> > metric 0 mtu 1500 > options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MT > U,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_I > PV6> > ether 1e:44:d1:79:bb:2e > hwaddr 1e:44:d1:79:bb:2e > inet 10.2.2.134 netmask 0xfffffe00 broadcast 10.2.3.255 > inet 10.2.2.130 netmask 0xffffffff broadcast 10.2.2.130 vhid > 1 > nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> > media: Ethernet 10Gbase-T <full-duplex> > status: active > carp: MASTER vhid 1 advbase 1 advskew 0 > > SRV2: > vtnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> > metric 0 mtu 1500 > options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MT > U,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_I > PV6> > ether 02:ec:50:e2:9c:16 > hwaddr 02:ec:50:e2:9c:16 > inet 10.2.2.128 netmask 0xfffffe00 broadcast 10.2.3.255 > inet 10.2.2.130 netmask 0xffffffff broadcast 10.2.2.130 vhid > 1 > nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> > media: Ethernet 10Gbase-T <full-duplex> > status: active > carp: BACKUP vhid 1 advbase 1 advskew 100 > > As I did't enable the preemption I'm testing the failover manually > and > it works well just as connectivity to the service IP .130. > Everything works very well BUT authentication! > As I've read around some apparent issues with passwords longer than > 32 > chars and I remember years back having troubles with a similar issue > for a redundant PBX setup, I've tested different kind of passwords: > - 8-10 chars random wiht special chars > - 8 chars random no special chars > - 8 chars only letters (big/small) > - 8 chars only letters (no capitals) > - no password at all > > The result is always the same. Therefore, having in production 2 > PFsense clusters at their latest version (2.4.4-RELEASE powered by > FreeBSD 11.2-RELEASE-p6) I've been digging a bit more and I've > realised > that CARP authentication works on the PFsense cluster. > I've dissected the advertisement packets on both, sanitizing with " > --" > the public IP addresses present in the packets, and here is what I > see: > > _____________________________________________________________________ > ___________________________ > --- Packet on FreeBSD, fields of interest between squared brackets > 22:57:50.622956 IP 10.2.2.128 > vrrp.mcast.net: VRRPv2, > Advertisement, vrid 1, prio 100, authtype none, intvl 1s, length 36 > 0x0000: 45 10 00 38 00 00 40 00 ff [70] 8e b1 [0a 02 02 > 80] E..8..@..p...... > 0x0010: [e0 00 00 12] [21] 01 64 07 [00] 01 8c 06 -- -- -- > -- ....!.d......... > 0x0020: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- > -- ................ > 0x0030: -- -- -- -- -- -- -- > -- ........ > > 70 = Protocol VRRP > 0a 02 02 80 = Source IP Address > e0 00 00 12 = Destination IP Address > 21 = VRRP version 2 > 00 = Auth Type: NO AUTHENTICATION > > > --- Packet on PFsense, fields of interest between squared brackets > 23:14:19.556562 IPv4 (0x0800), length 60: XX.XX.XX.XX > 224.0.0.18: > VRRPv2, Advertisement, vrid 101, prio 105, authtype simple, intvl 3s, > length 20 > 0x0000: 45 c0 00 28 00 00 00 00 ff [70] 56 20 [-- -- -- -- > ] E..(.....pV..... > 0x0010: [e0 00 00 12] [21] 65 69 01 [01] 03 ce ff -- -- -- > -- ....!ei......... > 0x0020: [6e 4f 63 6e 4f 63 00 00] 00 00 00 00 00 > 00 nOcnOc........ > > 70 = Protocol VRRP > -- -- -- -- = Source IP Address > e0 00 00 12 = Destination IP Address > 21 = VRRP version 2 > 01 = Auth Type: Simple Text Authentication [RFC 2338] / Reserved [RFC > 3768] (1) > 6e 4f 63 6e .... = Auth string: nOcnOc > _____________________________________________________________________ > ___________________________ > The output is quite clear, the FreeBSD packets are not using any > authentication while the PFsense do and I'd love to know why. :) > The related FreeBSD documentation in the handbook doesn't go into the > details at any time (https://www.freebsd.org/doc/handbook/carp.html) > therefore it's better to get the info from who actually wrote the > tool. > On OpenBSD FAQ pages there's much more: > https://www.openbsd.org/faq/pf/carp.html > and in the specific, under "CARP Operation: > > "In order to prevent a malicious user on the network segment from > spoofing CARP advertisements, each group can be configured with a > password. Each CARP packet sent to the group is then protected by an > SHA1 HMAC." > > This should be most likely a modified version of the one specified in > RFC2338 which states MD5-HMAC but that's another story as CARP is a > re- > writing of VRRP (to my understanding), moreover the RFC is very old > and > MD5 is no longer considered secure, so that's good. > > About the password type/lenght limitation no mention anywhere: > https://man.openbsd.org/carp > https://man.openbsd.org/ifconfig.8#CARP > https://www.freebsd.org/cgi/man.cgi?query=ifconfig&sektion=8&apropos=0&manpath=FreeBSD+12.0-RELEASE+and+Ports > https://www.freebsd.org/cgi/man.cgi?query=carp&apropos=0&sektion=0&manpath=FreeBSD+12.0-RELEASE+and+Ports&arch=default&format=html > > > Am I missing something trivial? > Any hint would be highly appreciated. I have no clue. > Thanks > > > QUOTING SOME RFC REFERENCE > > The RFC3798 doesn't even mention "authentication". So let's talk only > about RFC2338 which has 1 related chapter, the 10th. > 10. Security Considerations > .......... > The protocol includes several > authentication methods ranging from no authentication, simple > clear > text passwords, and strong authentication using IP Authentication > with MD5 HMAC. > .......... > > 10.1 No Authentication > > The use of this authentication type means that VRRP protocol > exchanges are not authenticated. This type of authentication > SHOULD > only be used in environments were there is minimal security risk > and > little chance for configuration errors (e.g., two VRRP routers on > a > LAN). > > 10.2 Simple Text Password > > The use of this authentication type means that VRRP protocol > exchanges are authenticated by a simple clear text password. > .......... > This type of authentication does not protect against > hostile attacks where the password can be learned by a node > snooping > VRRP packets on the LAN. > .......... > > 10.3 IP Authentication Header > The use of this authentication type means the VRRP protocol > exchanges > are authenticated using the mechanisms defined by the IP > Authentication Header [AUTH] using "The Use of HMAC-MD5-96 within > ESP > and AH", [HMAC]. > ..........
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1a47c9a86d170040e88a40849d2a0f73587cdb00.camel>