From owner-freebsd-current@FreeBSD.ORG  Sun Mar 13 13:19:35 2005
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F171516A4CE
	for <current@freebsd.org>; Sun, 13 Mar 2005 13:19:34 +0000 (GMT)
Received: from smtp02.net-yan.com (smtp02.hgcbroadband.com [210.0.255.157])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1256B43D49
	for <current@freebsd.org>; Sun, 13 Mar 2005 13:19:34 +0000 (GMT)
	(envelope-from sam.wun@authtec.com)
Received: (qmail 92817 invoked from network); 13 Mar 2005 13:19:33 -0000
Received: from unknown (HELO [192.168.4.235])
	(samwun@hgcbroadband.com@[221.126.232.37])
	(envelope-sender <sam.wun@authtec.com>)
	by localhost (qmail-ldap-1.03) with SMTP
	for <current@freebsd.org>; 13 Mar 2005 13:19:33 -0000
Message-ID: <42343DD6.1090702@authtec.com>
Date: Sun, 13 Mar 2005 21:19:18 +0800
From: sam wun <sam.wun@authtec.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
	rv:1.7) Gecko/20040616
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: current@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Unauthorized PF CARP server bring down network connection
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2005 13:19:35 -0000

David Magda wrote:

> sam <sam.wun@authtec.com> writes:
>
>
>> Is this a bug? logically the existing PF CARP server should not be
>> interrupted by unauthorized VRRP packet because password is
>> unmatched. I intentionally wide open the PF rules allow all hosts
>> in the LAN can talk to the CARP server. If I drop all unauthorized
>> packets, the existing CARP server has no affected.
>
>
>
> Did you use a different ID number for the new CARP server?
>
> Each 'cluster' of CARP servers must have a different ID number. The
> numbers go from 0 to 255. If you don't specify one a default may be
> chosen. Double check the man pages.
>
The simpliest form should not rely on the id number, it should check for 
authentication the password only. If password is unmatched, there is no 
reason to continue the communication.

Btw, the ID number can be spoofed VERY easily.

Sam.