Bug 166462 - [gre] gre(4) when using a tunnel source address from carp(4) doesn't honor the MASTER/BACKUP state
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 8.2-RELEASE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2012-03-28 06:40 UTC by Eugene M. Zheganin
Modified: 2017-12-31 22:32 UTC (History)
Description Eugene M. Zheganin 2012-03-28 06:40:09 UTC
When using an HA system of two nodes for a corporate VPN I encountered a problem:

Imagine node A and B share the same public IP address on their carp(4) interface.
Imagine A and B have a gre(4) interface, and its tunnel source address is the carp(4) address.
Imagine there is an ospf daemon running on those gre(4) interfaces.

Then the OSPF neighborship will be constantly reestablished, because A and B will interfere with OSPF sessions of each other.

This happens because both nodes will send a HELO packet, and the backup node isn't honoring its BACKUP state properly.

Fix:

Use IPSEC with 'required' policies. This will prevent the backup node from establishing an SA, thus preventing the tunnel from working.

How-To-Repeat: Build the setup mentioned above. Use OSPF or just try to send ICMP packets via the tunnel from the BACKUP node.
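
An added check for the condition this report describes (not the reporter's code and not part of FreeBSD): it reads `ifconfig` output and lists every gre(4) tunnel whose source address sits on a carp(4) interface that is currently BACKUP. The function names and the sample are constructed, and the parser assumes the FreeBSD 8.x layout in which each carp(4) vhid is its own `carpN` interface.

```shell
#!/bin/sh
# Flag gre(4) tunnels sourced from a carp(4) address while that carp
# interface is in BACKUP state. Reads `ifconfig` output on stdin.
# Usage on a node: ifconfig | find_backup_sourced_tunnels

# Constructed sample (FreeBSD 8.x style); addresses are documentation ranges.
sample_ifconfig() {
cat <<'EOF'
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 192.0.2.1 netmask 0xffffff00
	carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 192.0.2.9 netmask 0xffffff00
	carp: MASTER vhid 2 advbase 1 advskew 0
gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
	tunnel inet 192.0.2.1 --> 198.51.100.7
	inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
gre1: flags=9051<UP,POINTOPOINT,RUNNING,LINK0,MULTICAST> metric 0 mtu 1476
	tunnel inet 192.0.2.9 --> 198.51.100.8
	inet 10.0.1.1 --> 10.0.1.2 netmask 0xffffffff
EOF
}

# Prints one line per offending tunnel: "<gre-if> <source-addr> <carp-if>"
find_backup_sourced_tunnels() {
    awk '
    # A non-indented line starts a new interface stanza.
    /^[^ \t]/ { ifn = $1; sub(/:$/, "", ifn); next }
    ifn ~ /^carp/ && $1 == "inet"  { addrs[ifn] = addrs[ifn] " " $2 }
    ifn ~ /^carp/ && $1 == "carp:" { state[ifn] = $2 }
    ifn ~ /^gre/  && $1 == "tunnel" && $2 == "inet" { src[ifn] = $3 }
    END {
        # Collect every address held by a carp interface in BACKUP state.
        for (c in state) {
            if (state[c] != "BACKUP") continue
            n = split(addrs[c], a, " ")
            for (i = 1; i <= n; i++) backup[a[i]] = c
        }
        for (g in src)
            if (src[g] in backup)
                printf "%s %s %s\n", g, src[g], backup[src[g]]
    }' | sort
}

# Demonstration on the constructed sample.
sample_ifconfig | find_backup_sourced_tunnels
```
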
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2012-03-28 06:58:53 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Over to maintainer(s).
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:58:27 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped