Thursday, October 11, 2007

OpenBSD carp incorrect hash

It's been a long time since I've posted anything here, and to you loyal readers (ha!), I apologize. I took on a new job in June, and have been spending all my energy building a new corporate data center essentially from scratch. It's a valuable experience, but time consuming. I really haven't done much true security work.

One project that I've been involved in was building a pair of redundant OpenBSD (4.1, 4.2) firewalls for the network. We ran into an interesting issue with CARP. Each firewall was complaining that the other was sending CARP packets that were corrupted, generating a log error of:

carp0: incorrect hash

On firewall1, our /etc/hostname.carp0 looked like:

inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 1
inet alias 10.1.1.2 255.255.255.255
inet alias 10.1.1.3 255.255.255.255
inet alias 10.1.1.4 255.255.255.255
inet alias 10.1.1.5 255.255.255.255
inet alias 10.1.1.6 255.255.255.255

On firewall2, our /etc/hostname.carp0 looked like:

inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 2
inet alias 10.1.1.2 netmask 255.255.255.255
inet alias 10.1.1.3 netmask 255.255.255.255
inet alias 10.1.1.4 netmask 255.255.255.255
inet alias 10.1.1.5 netmask 255.255.255.255
inet alias 10.1.1.6 netmask 255.255.255.255

Presented this way, the error should jump out almost immediately (the alias lines on firewall2 carry a netmask keyword that those on firewall1 lack); however, we were focused on the carp interface line (the first one), not on the aliases. It turns out that CARP packet hashes are based on ALL the uncommented information in /etc/hostname.carp0. The only difference between the two files should be the advskew value.

As always, the moral of the story: typos and details matter.

Hope this helps others not waste their time like I did :)

Rich
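
The rule above (the two files should match except for advskew) written as a check; this is an added example, not part of the original post, and it compares the text of the files rather than computing the CARP hash. The function names are hypothetical, and the sample files are constructed from the configs shown above with a shortened alias list.

```sh
#!/bin/sh
# Added example (not from the original post): check that two hostname.carp0
# files differ only in their advskew value.

# Canonical form of one file: comment and blank lines dropped, whitespace
# collapsed, and the "advskew N" pair removed.
carp_normalize() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "advskew") { i++; continue }   # skip keyword and value
                out = out (out == "" ? "" : " ") $i
            }
            print out
        }' "$1"
}

# Exit 0 if the files match apart from advskew, 1 (with a diff) otherwise.
carp_compare() {
    a=$(mktemp) && b=$(mktemp) || return 2
    carp_normalize "$1" > "$a"
    carp_normalize "$2" > "$b"
    diff "$a" "$b"; rc=$?
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed sample input: the two files from the post, aliases .2 and .3 only.
carp_demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/fw1" <<'EOF'
inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 1
inet alias 10.1.1.2 255.255.255.255
inet alias 10.1.1.3 255.255.255.255
EOF
    cat > "$d/fw2" <<'EOF'
inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 1 pass FunkyPassword advskew 2
inet alias 10.1.1.2 netmask 255.255.255.255
inet alias 10.1.1.3 netmask 255.255.255.255
EOF
    carp_compare "$d/fw1" "$d/fw2"; rc=$?
    rm -rf "$d"
    return "$rc"
}

carp_demo || echo "hostname.carp0 files differ beyond advskew"
```

The diff output includes the pass value, so handle it like the config files themselves.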


2 Comments:

At 12:39 PM, Blogger Unknown said...

thank you very much, my problem was the differences between the 2 hostname.carp0 in the 2 pc.

thanks
bye
Emiliano

 
At 7:44 AM, Blogger Olaf Barthel said...

I beg to differ... We had our share of CARP troubles, and it turned out that the interface configuration files differed with respect to the interface IP alias list in one single line.

Digging through the kernel source code, specifically the carp_hmac_prepare() function in netinet/ip_carp.c explained how the mismatching hashes came about.

It is not the content of all the uncommented lines in the CARP interface configuration that determines the hash value. It's "just" the fundamental configuration in the first line and all the IP address aliases that follow the first line.

The order in which the IP addresses are hashed is well-defined, but a difference in the IP address aliases, maybe due to a humble typo, will make the difference between a failing and an operational CARP installation.

 
