idnits 2.17.1 draft-ietf-vrrp-spec-v2-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Cannot find the required boilerplate sections (Copyright, IPR, etc.) in this document. Expected boilerplate is as follows today (2024-04-26) according to https://trustee.ietf.org/license-info : IETF Trust Legal Provisions of 28-dec-2009, Section 6.a: This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 2: Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph 3: This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** Missing expiration date. The document expiration date should appear on the first and last page. == No 'Intended status' indicated for this document; assuming Proposed Standard == It seems as if not all pages are separated by form feeds - found 0 form feeds but 31 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. == There are 2 instances of lines with multicast IPv4 addresses in the document. If these are generic example addresses, they should be changed to use the 233.252.0.x range defined in RFC 5771 Miscellaneous warnings: ---------------------------------------------------------------------------- == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: When a VRRP router restarts or boots, it SHOULD not send any ARP messages with its physical MAC address for the IP address it owns, it should only send ARP messages that include Virtual MAC addresses. This may entail: == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: A VRRP router SHOULD not forward packets addressed to the IP Address(es) it becomes Master for if it is not the owner. Forwarding these packets would result in unnecessary traffic. Also in the case of LANs that receive packets they transmit (e.g., token ring) this can result in a forwarding loop that is only terminated when the IP TTL expires. -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- Couldn't find a document date in the document -- date freshness check skipped. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC 2119' is mentioned on line 146, but not defined == Unused Reference: 'RFC2119' is defined on line 1220, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2402 (ref. 'AUTH') (Obsoleted by RFC 4302, RFC 4305) ** Downref: Normative reference to an Informational RFC: RFC 1071 (ref. 'CKSM') ** Downref: Normative reference to an Informational RFC: RFC 2281 (ref. 'HSRP') -- Possible downref: Non-RFC (?) normative reference: ref. 'IPSTB' -- Possible downref: Non-RFC (?) normative reference: ref. 'IPX' ** Obsolete normative reference: RFC 2338 (ref. 'OSPF') (Obsoleted by RFC 3768) ** Downref: Normative reference to an Historic RFC: RFC 1469 -- Possible downref: Non-RFC (?) normative reference: ref. 'TKARCH' Summary: 10 errors (**), 0 flaws (~~), 7 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 INTERNET-DRAFT S. Knight 2 June 17, 1999 D. Weaver 3 Ascend Communications, Inc. 4 D. Whipple 5 Microsoft, Inc. 6 R. Hinden 7 D. Mitzel 8 P. Hunt 9 Nokia 10 P. Higginson 11 M. Shand 12 Digital Equipment Corp. 13 A. Lindem 14 IBM Corporation 16 Virtual Router Redundancy Protocol 18 20 Status of this Memo 22 This document is an Internet-Draft and is in full conformance with 23 all provisions of Section 10 of [RFC2026]. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF), its areas, and its working groups. Note that 27 other groups may also distribute working documents as Internet- 28 Drafts. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 The list of current Internet-Drafts can be accessed at 36 http://www.ietf.org/ietf/1id-abstracts.txt 38 The list of Internet-Draft Shadow Directories can be accessed at 39 http://www.ietf.org/shadow.html. 41 This internet draft expires on December 17, 1999. 43 Abstract 45 This memo defines the Virtual Router Redundancy Protocol (VRRP). 46 VRRP specifies an election protocol that dynamically assigns 47 responsibility for a virtual router to one of the VRRP routers on a 48 LAN. The VRRP router controlling the IP address(es) associated with 49 a virtual router is called the Master, and forwards packets sent to 50 these IP addresses. The election process provides dynamic fail over 51 in the forwarding responsibility should the Master become 52 unavailable. This allows any of the virtual router IP addresses on 53 the LAN to be used as the default first hop router by end-hosts. The 54 advantage gained from using VRRP is a higher availability default 55 path without requiring configuration of dynamic routing or router 56 discovery protocols on every end-host. 58 Table of Contents 60 1. Introduction...............................................3 61 2. Required Features..........................................5 62 3. VRRP Overview..............................................7 63 4. Sample Configurations......................................8 64 5. Protocol..................................................11 65 5.1 VRRP Packet Format....................................11 66 5.2 IP Field Descriptions.................................11 67 5.3 VRRP Field Descriptions...............................12 68 6. Protocol State Machine....................................15 69 6.1 Parameters per Virtual Router.........................15 70 6.2 Timers................................................16 71 6.3 State Transition Diagram..............................16 72 6.4 State Descriptions....................................16 73 7. Sending and Receiving VRRP Packets........................20 74 7.1 Receiving VRRP Packets................................20 75 7.2 Transmitting Packets..................................20 76 7.3 Virtual MAC Address...................................21 77 8. Operational Issues........................................22 78 8.1 ICMP Redirects........................................22 79 8.2 Host ARP Requests.....................................22 80 8.3 Proxy ARP.............................................22 81 8.4 Potential Forwarding Loop.............................23 82 9. Operation over FDDI, Token Ring, and ATM LANE.............23 83 9.1 Operation over FDDI...................................23 84 9.2 Operation over Token Ring.............................23 85 9.3 Operation over ATM LANE...............................25 86 10. Security Considerations...................................26 87 10.1 No Authentication....................................26 88 10.2 Simple Text Password.................................26 89 10.3 IP Authentication Header.............................27 90 11. Acknowledgments...........................................28 91 12. References................................................28 92 13. Authors' Addresses........................................29 93 14. Changes from RFC2338......................................31 95 1. Introduction 97 There are a number of methods that an end-host can use to determine 98 its first hop router towards a particular IP destination. These 99 include running (or snooping) a dynamic routing protocol such as 100 Routing Information Protocol [RIP] or OSPF version 2 [OSPF], running 101 an ICMP router discovery client [DISC] or using a statically 102 configured default route. 104 Running a dynamic routing protocol on every end-host may be 105 infeasible for a number of reasons, including administrative 106 overhead, processing overhead, security issues, or lack of a protocol 107 implementation for some platforms. Neighbor or router discovery 108 protocols may require active participation by all hosts on a network, 109 leading to large timer values to reduce protocol overhead in the face 110 of large numbers of hosts. This can result in a significant delay in 111 the detection of a lost (i.e., dead) neighbor, that may introduce 112 unacceptably long "black hole" periods. 114 The use of a statically configured default route is quite popular; it 115 minimizes configuration and processing overhead on the end-host and 116 is supported by virtually every IP implementation. This mode of 117 operation is likely to persist as dynamic host configuration 118 protocols [DHCP] are deployed, which typically provide configuration 119 for an end-host IP address and default gateway. However, this 120 creates a single point of failure. Loss of the default router 121 results in a catastrophic event, isolating all end-hosts that are 122 unable to detect any alternate path that may be available. 124 The Virtual Router Redundancy Protocol (VRRP) is designed to 125 eliminate the single point of failure inherent in the static default 126 routed environment. VRRP specifies an election protocol that 127 dynamically assigns responsibility for a virtual router to one of the 128 VRRP routers on a LAN. The VRRP router controlling the IP 129 address(es) associated with a virtual router is called the Master, 130 and forwards packets sent to these IP addresses. The election 131 process provides dynamic fail-over in the forwarding responsibility 132 should the Master become unavailable. Any of the virtual router's IP 133 addresses on a LAN can then be used as the default first hop router 134 by end-hosts. The advantage gained from using VRRP is a higher 135 availability default path without requiring configuration of dynamic 136 routing or router discovery protocols on every end-host. 138 VRRP provides a function similar to a Cisco Systems, Inc. proprietary 139 protocol named Hot Standby Router Protocol (HSRP) [HSRP] and to a 140 Digital Equipment Corporation, Inc. proprietary protocol named IP 141 Standby Protocol [IPSTB]. 143 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 144 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 145 document are to be interpreted as described in [RFC 2119]. 147 The IESG/IETF take no position regarding the validity or scope of any 148 intellectual property right or other rights that might be claimed to 149 pertain to the implementation or use of the technology, or the extent 150 to which any license under such rights might or might not be 151 available. See the IETF IPR web page at http://www.ietf.org/ipr.html 152 for additional information. 154 1.1 Scope 156 The remainder of this document describes the features, design goals, 157 and theory of operation of VRRP. The message formats, protocol 158 processing rules and state machine that guarantee convergence to a 159 single Virtual Router Master are presented. Finally, operational 160 issues related to MAC address mapping, handling of ARP requests, 161 generation of ICMP redirect messages, and security issues are 162 addressed. 164 This protocol is intended for use with IPv4 routers only. A separate 165 specification will be produced if it is decided that similar 166 functionality is desirable in an IPv6 environment. 168 1.2 Definitions 170 VRRP Router A router running the Virtual Router Redundancy 171 Protocol. It may participate in one or more 172 virtual routers. 174 Virtual Router An abstract object managed by VRRP that acts 175 as a default router for hosts on a shared LAN. 176 It consists of a Virtual Router Identifier and 177 a set of associated IP address(es) across a 178 common LAN. A VRRP Router may backup one or 179 more virtual routers. 181 IP Address Owner The VRRP router that has the virtual router's 182 IP address(es) as real interface address(es). 183 This is the router that, when up, will respond 184 to packets addressed to one of these IP 185 addresses for ICMP pings, TCP connections, 186 etc. 188 Primary IP Address An IP address selected from the set of real 189 interface addresses. One possible selection 190 algorithm is to always select the first 191 address. VRRP advertisements are always sent 192 using the primary IP address as the source of 193 the IP packet. 195 Virtual Router Master The VRRP router that is assuming the 196 responsibility of forwarding packets sent to 197 the IP address(es) associated with the virtual 198 router, and answering ARP requests for these 199 IP addresses. Note that if the IP address 200 owner is available, then it will always become 201 the Master. 203 Virtual Router Backup The set of VRRP routers available to assume 204 forwarding responsibility for a virtual router 205 should the current Master fail. 207 2.0 Required Features 209 This section outlines the set of features that were considered 210 mandatory and that guided the design of VRRP. 212 2.1 IP Address Backup 214 Backup of IP addresses is the primary function of the Virtual Router 215 Redundancy Protocol. While providing election of a Virtual Router 216 Master and the additional functionality described below, the protocol 217 should strive to: 219 - Minimize the duration of black holes. 220 - Minimize the steady state bandwidth overhead and processing 221 complexity. 222 - Function over a wide variety of multiaccess LAN technologies 223 capable of supporting IP traffic. 224 - Provide for election of multiple virtual routers on a network for 225 load balancing 226 - Support of multiple logical IP subnets on a single LAN segment. 228 2.2 Preferred Path Indication 230 A simple model of Master election among a set of redundant routers is 231 to treat each router with equal preference and claim victory after 232 converging to any router as Master. However, there are likely to be 233 many environments where there is a distinct preference (or range of 234 preferences) among the set of redundant routers. For example, this 235 preference may be based upon access link cost or speed, router 236 performance or reliability, or other policy considerations. The 237 protocol should allow the expression of this relative path preference 238 in an intuitive manner, and guarantee Master convergence to the most 239 preferential router currently available. 241 2.3 Minimization of Unnecessary Service Disruptions 243 Once Master election has been performed then any unnecessary 244 transitions between Master and Backup routers can result in a 245 disruption in service. The protocol should ensure after Master 246 election that no state transition is triggered by any Backup router 247 of equal or lower preference as long as the Master continues to 248 function properly. 250 Some environments may find it beneficial to avoid the state 251 transition triggered when a router becomes available that is more 252 preferential than the current Master. It may be useful to support an 253 override of the immediate convergence to the preferred path. 255 2.4 Extensible Security 257 The virtual router functionality is applicable to a wide range of 258 internetworking environments that may employ different security 259 policies. The protocol should require minimal configuration and 260 overhead in the insecure operation, provide for strong authentication 261 when increased security is required, and allow integration of new 262 security mechanisms without breaking backwards compatible operation. 264 2.5 Efficient Operation over Extended LANs 266 Sending IP packets on a multiaccess LAN requires mapping from an IP 267 address to a MAC address. The use of the virtual router MAC address 268 in an extended LAN employing learning bridges can have a significant 269 effect on the bandwidth overhead of packets sent to the virtual 270 router. If the virtual router MAC address is never used as the 271 source address in a link level frame then the station location is 272 never learned, resulting in flooding of all packets sent to the 273 virtual router. To improve the efficiency in this environment the 274 protocol should: 1) use the virtual router MAC as the source in a 275 packet sent by the Master to trigger station learning; 2) trigger a 276 message immediately after transitioning to Master to update the 277 station learning; and 3) trigger periodic messages from the Master to 278 maintain the station learning cache. 280 3.0 VRRP Overview 282 VRRP specifies an election protocol to provide the virtual router 283 function described earlier. All protocol messaging is performed 284 using IP multicast datagrams, thus the protocol can operate over a 285 variety of multiaccess LAN technologies supporting IP multicast. 286 Each VRRP virtual router has a single well-known MAC address 287 allocated to it. This document currently only details the mapping to 288 networks using the IEEE 802 48-bit MAC address. The virtual router 289 MAC address is used as the source in all periodic VRRP messages sent 290 by the Master router to enable bridge learning in an extended LAN. 292 A virtual router is defined by its virtual router identifier (VRID) 293 and a set of IP addresses. A VRRP router may associate a virtual 294 router with its real addresses on an interface, and may also be 295 configured with additional virtual router mappings and priority for 296 virtual routers it is willing to backup. The mapping between VRID 297 and addresses must be coordinated among all VRRP routers on a LAN. 298 However, there is no restriction against reusing a VRID with a 299 different address mapping on different LANs. The scope of each 300 virtual router is restricted to a single LAN. 302 To minimize network traffic, only the Master for each virtual router 303 sends periodic VRRP Advertisement messages. A Backup router will not 304 attempt to pre-empt the Master unless it has higher priority. This 305 eliminates service disruption unless a more preferred path becomes 306 available. It's also possible to administratively prohibit all pre- 307 emption attempts. The only exception is that a VRRP router will 308 always become Master of any virtual router associated with addresses 309 it owns. If the Master becomes unavailable then the highest priority 310 Backup will transition to Master after a short delay, providing a 311 controlled transition of the virtual router responsibility with 312 minimal service interruption. 314 VRRP defines three types of authentication providing simple 315 deployment in insecure environments, added protection against 316 misconfiguration, and strong sender authentication in security 317 conscious environments. Analysis of the protection provided and 318 vulnerability of each mechanism is deferred to Section 10.0 Security 319 Considerations. In addition new authentication types and data can be 320 defined in the future without affecting the format of the fixed 321 portion of the protocol packet, thus preserving backward compatible 322 operation. 324 The VRRP protocol design provides rapid transition from Backup to 325 Master to minimize service interruption, and incorporates 326 optimizations that reduce protocol complexity while guaranteeing 327 controlled Master transition for typical operational scenarios. The 328 optimizations result in an election protocol with minimal runtime 329 state requirements, minimal active protocol states, and a single 330 message type and sender. The typical operational scenarios are 331 defined to be two redundant routers and/or distinct path preferences 332 among each router. A side effect when these assumptions are violated 333 (i.e., more than two redundant paths all with equal preference) is 334 that duplicate packets may be forwarded for a brief period during 335 Master election. However, the typical scenario assumptions are 336 likely to cover the vast majority of deployments, loss of the Master 337 router is infrequent, and the expected duration in Master election 338 convergence is quite small ( << 1 second ). Thus the VRRP 339 optimizations represent significant simplifications in the protocol 340 design while incurring an insignificant probability of brief network 341 degradation. 343 4. Sample Configurations 345 4.1 Sample Configuration 1 347 The following figure shows a simple network with two VRRP routers 348 implementing one virtual router. Note that this example is provided 349 to help understand the protocol, but is not expected to occur in 350 actual practice. 352 +-----------+ +-----------+ 353 | Rtr1 | | Rtr2 | 354 |(MR VRID=1)| |(BR VRID=1)| 355 | | | | 356 VRID=1 +-----------+ +-----------+ 357 IP A ---------->* *<--------- IP B 358 | | 359 | | 360 ------------------+------------+-----+--------+--------+--------+-- 361 ^ ^ ^ ^ 362 | | | | 363 (IP A) (IP A) (IP A) (IP A) 364 | | | | 365 +--+--+ +--+--+ +--+--+ +--+--+ 366 | H1 | | H2 | | H3 | | H4 | 367 +-----+ +-----+ +--+--+ +--+--+ 368 Legend: 369 ---+---+---+-- = Ethernet, Token Ring, or FDDI 370 H = Host computer 371 MR = Master Router 372 BR = Backup Router 373 * = IP Address 374 (IP) = default router for hosts 376 Eliminating all mention of VRRP (VRID=1) from the figure above leaves 377 it as a typical IP deployment. Each router is permanently assigned 378 an IP address on the LAN interface (Rtr1 is assigned IP A and Rtr2 is 379 assigned IP B), and each host installs a static default route through 380 one of the routers (in this example they all use Rtr1's IP A). 382 Moving to the VRRP environment, each router has the exact same 383 permanently assigned IP address. Rtr1 is said to be the IP address 384 owner of IP A, and Rtr2 is the IP address owner of IP B. A virtual 385 router is then defined by associating a unique identifier (the 386 virtual router ID) with the address owned by a router. Finally, the 387 VRRP protocol manages virtual router failover to a backup router. 389 The example above shows a virtual router configured to cover the IP 390 address owned by Rtr1 (VRID=1,IP_Address=A). When VRRP is enabled on 391 Rtr1 for VRID=1 it will assert itself as Master, with priority=255, 392 since it is the IP address owner for the virtual router IP address. 393 When VRRP is enabled on Rtr2 for VRID=1 it will transition to Backup, 394 with priority=100, since it is not the IP address owner. If Rtr1 395 should fail then the VRRP protocol will transition Rtr2 to Master, 396 temporarily taking over forwarding responsibility for IP A to provide 397 uninterrupted service to the hosts. 399 Note that in this example IP B is not backed up, it is only used by 400 Rtr2 as its interface address. In order to backup IP B, a second 401 virtual router must be configured. This is shown in the next 402 section. 404 4.2 Sample Configuration 2 406 The following figure shows a configuration with two virtual routers 407 with the hosts spitting their traffic between them. This example is 408 expected to be very common in actual practice. 410 +-----------+ +-----------+ 411 | Rtr1 | | Rtr2 | 412 |(MR VRID=1)| |(BR VRID=1)| 413 |(BR VRID=2)| |(MR VRID=2)| 414 VRID=1 +-----------+ +-----------+ VRID=2 415 IP A ---------->* *<---------- IP B 416 | | 417 | | 418 ------------------+------------+-----+--------+--------+--------+-- 419 ^ ^ ^ ^ 420 | | | | 421 (IP A) (IP A) (IP B) (IP B) 422 | | | | 423 +--+--+ +--+--+ +--+--+ +--+--+ 424 | H1 | | H2 | | H3 | | H4 | 425 +-----+ +-----+ +--+--+ +--+--+ 426 Legend: 427 ---+---+---+-- = Ethernet, Token Ring, or FDDI 428 H = Host computer 429 MR = Master Router 430 BR = Backup Router 431 * = IP Address 432 (IP) = default router for hosts 434 In the example above, half of the hosts have configured a static 435 route through Rtr1's IP A and half are using Rtr2's IP B. The 436 configuration of virtual router VRID=1 is exactly the same as in the 437 first example (see section 4.1), and a second virtual router has been 438 added to cover the IP address owned by Rtr2 (VRID=2, IP_Address=B). 439 In this case Rtr2 will assert itself as Master for VRID=2 while Rtr1 440 will act as a backup. This scenario demonstrates a deployment 441 providing load splitting when both routers are available while 442 providing full redundancy for robustness. 444 5.0 Protocol 446 The purpose of the VRRP packet is to communicate to all VRRP routers 447 the priority and the state of the Master router associated with the 448 Virtual Router ID. 450 VRRP packets are sent encapsulated in IP packets. They are sent to 451 the IPv4 multicast address assigned to VRRP. 453 5.1 VRRP Packet Format 455 This section defines the format of the VRRP packet and the relevant 456 fields in the IP header. 458 0 1 2 3 459 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 460 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 461 |Version| Type | Virtual Rtr ID| Priority | Count IP Addrs| 462 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 463 | Auth Type | Adver Int | Checksum | 464 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 465 | IP Address (1) | 466 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 467 | . | 468 | . | 469 | . | 470 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 471 | IP Address (n) | 472 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 473 | Authentication Data (1) | 474 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 475 | Authentication Data (2) | 476 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 478 5.2 IP Field Descriptions 480 5.2.1 Source Address 482 The primary IP address of the interface the packet is being sent 483 from. 485 5.2.2 Destination Address 487 The IP multicast address as assigned by the IANA for VRRP is: 489 224.0.0.18 491 This is a link local scope multicast address. Routers MUST NOT 492 forward a datagram with this destination address regardless of its 493 TTL. 495 5.2.3 TTL 497 The TTL MUST be set to 255. A VRRP router receiving a packet with 498 the TTL not equal to 255 MUST discard the packet. 500 5.2.4 Protocol 502 The IP protocol number assigned by the IANA for VRRP is 112 503 (decimal). 505 5.3 VRRP Field Descriptions 507 5.3.1 Version 509 The version field specifies the VRRP protocol version of this packet. 510 This document defines version 2. 512 5.3.2 Type 514 The type field specifies the type of this VRRP packet. The only 515 packet type defined in this version of the protocol is: 517 1 ADVERTISEMENT 519 A packet with unknown type MUST be discarded. 521 5.3.3 Virtual Rtr ID (VRID) 523 The Virtual Router Identifier (VRID) field identifies the virtual 524 router this packet is reporting status for. 526 5.3.4 Priority 528 The priority field specifies the sending VRRP router's priority for 529 the virtual router. Higher values equal higher priority. This field 530 is an 8 bit unsigned integer field. 532 The priority value for the VRRP router that owns the IP address(es) 533 associated with the virtual router MUST be 255 (decimal). 535 VRRP routers backing up a virtual router MUST use priority values 536 between 1-254 (decimal). The default priority value for VRRP routers 537 backing up a virtual router is 100 (decimal). 539 The priority value zero (0) has special meaning indicating that the 540 current Master has stopped participating in VRRP. This is used to 541 trigger Backup routers to quickly transition to Master without having 542 to wait for the current Master to timeout. 544 5.3.5 Count IP Addrs 546 The number of IP addresses contained in this VRRP advertisement. 548 5.3.6 Authentication Type 550 The authentication type field identifies the authentication method 551 being utilized. Authentication type is unique on a Virtual Router 552 basis. The authentication type field is an 8 bit unsigned integer. 553 A packet with unknown authentication type or that does not match the 554 locally configured authentication method MUST be discarded. 556 The authentication methods currently defined are: 558 0 - No Authentication 559 1 - Simple Text Password 560 2 - IP Authentication Header 562 5.3.6.1 No Authentication 564 The use of this authentication type means that VRRP protocol 565 exchanges are not authenticated. The contents of the Authentication 566 Data field should be set to zero on transmission and ignored on 567 reception. 569 5.3.6.2 Simple Text Password 571 The use of this authentication type means that VRRP protocol 572 exchanges are authenticated by a clear text password. The contents 573 of the Authentication Data field should be set to the locally 574 configured password on transmission. There is no default password. 575 The receiver MUST check that the Authentication Data in the packet 576 matches its configured authentication string. Packets that do not 577 match MUST be discarded. 579 Note that there are security implications to using Simple Text 580 password authentication, and one should see the Security 581 Consideration section of this document. 583 5.3.6.3 IP Authentication Header 585 The use of this authentication type means the VRRP protocol exchanges 586 are authenticated using the mechanisms defined by the IP 587 Authentication Header [AUTH] using "The Use of HMAC-MD5-96 within ESP 588 and AH" [HMAC]. Keys may be either configured manually or via a key 589 distribution protocol. 591 If a packet is received that does not pass the authentication check 592 due to a missing authentication header or incorrect message digest, 593 then the packet MUST be discarded. The contents of the 594 Authentication Data field should be set to zero on transmission and 595 ignored on reception. 597 5.3.7 Advertisement Interval (Adver Int) 599 The Advertisement interval indicates the time interval (in seconds) 600 between ADVERTISEMENTS. The default is 1 second. This field is used 601 for troubleshooting misconfigured routers. 603 5.3.8 Checksum 605 The checksum field is used to detect data corruption in the VRRP 606 message. 608 The checksum is the 16-bit one's complement of the one's complement 609 sum of the entire VRRP message starting with the version field. For 610 computing the checksum, the checksum field is set to zero. See 611 RFC1071 for more detail [CKSM]. 613 5.3.9 IP Address(es) 615 One or more IP addresses that are associated with the virtual router. 616 The number of addresses included is specified in the "Count IP Addrs" 617 field. These fields are used for troubleshooting misconfigured 618 routers. 620 5.3.10 Authentication Data 622 The authentication string is currently only utilized for simple text 623 authentication, similar to the simple text authentication found in 624 the Open Shortest Path First routing protocol [OSPF]. It is up to 8 625 characters of plain text. If the configured authentication string is 626 shorter than 8 bytes, the remaining space MUST be zero-filled. Any 627 VRRP packet received with an authentication string that does not 628 match the locally configured authentication string MUST be discarded. 629 The authentication string is unique on a per interface basis. 631 There is no default value for this field. 633 6. Protocol State Machine 635 6.1 Parameters per Virtual Router 637 VRID Virtual Router Identifier. Configured item 638 in the range 1-255 (decimal). There is no 639 default. 641 Priority Priority value to be used by this VRRP 642 router in Master election for this virtual 643 router. The value of 255 (decimal) is 644 reserved for the router that owns the IP 645 addresses associated with the virtual 646 router. The value of 0 (zero) is reserved 647 for Master router to indicate it is 648 releasing responsibility for the virtual 649 router. The range 1-254 (decimal) is 650 available for VRRP routers backing up the 651 virtual router. The default value is 100 652 (decimal). 654 IP_Addresses One or more IP addresses associated with 655 this virtual router. Configured item. No 656 default. 658 Advertisement_Interval Time interval between ADVERTISEMENTS 659 (seconds). Default is 1 second. 661 Skew_Time Time to skew Master_Down_Interval in 662 seconds. Calculated as: 664 ( (256 - Priority) / 256 ) 666 Master_Down_Interval Time interval for Backup to declare Master 667 down (seconds). Calculated as: 669 (3 * Advertisement_Interval) + Skew_time 671 Preempt_Mode Controls whether a higher priority Backup 672 router preempts a lower priority Master. 673 Values are True to allow preemption and 674 False to prohibit preemption. Default is 675 True. 677 Note: Exception is that the router that owns 678 the IP address(es) associated with the 679 virtual router always pre-empts independent 680 of the setting of this flag. 682 Authentication_Type Type of authentication being used. Values 683 are defined in section 5.3.6. 685 Authentication_Data Authentication data specific to the 686 Authentication_Type being used. 688 6.2 Timers 690 Master_Down_Timer Timer that fires when ADVERTISEMENT has not 691 been heard for Master_Down_Interval. 693 Adver_Timer Timer that fires to trigger sending of 694 ADVERTISEMENT based on 695 Advertisement_Interval. 697 6.3 State Transition Diagram 699 +---------------+ 700 +--------->| |<-------------+ 701 | | Initialize | | 702 | +------| |----------+ | 703 | | +---------------+ | | 704 | | | | 705 | V V | 706 +---------------+ +---------------+ 707 | |---------------------->| | 708 | Master | | Backup | 709 | |<----------------------| | 710 +---------------+ +---------------+ 712 6.4 State Descriptions 714 In the state descriptions below, the state names are identified by 715 {state-name}, and the packets are identified by all upper case 716 characters. 718 A VRRP router implements an instance of the state machine for each 719 virtual router election it is participating in. 721 6.4.1 Initialize 723 The purpose of this state is to wait for a Startup event. If a 724 Startup event is received, then: 726 - If the Priority = 255 (i.e., the router owns the IP address(es) 727 associated with the virtual router) 729 o Send an ADVERTISEMENT 730 o Broadcast a gratuitous ARP request containing the virtual 731 router MAC address for each IP address associated with the 732 virtual router. 733 o Set the Adver_Timer to Advertisement_Interval 734 o Transition to the {Master} state 736 else 738 o Set the Master_Down_Timer to Master_Down_Interval 739 o Transition to the {Backup} state 741 endif 743 6.4.2 Backup 745 The purpose of the {Backup} state is to monitor the availability and 746 state of the Master Router. 748 While in this state, a VRRP router MUST do the following: 750 - MUST NOT respond to ARP requests for the IP address(s) associated 751 with the virtual router. 753 - MUST discard packets with a destination link layer MAC address 754 equal to the virtual router MAC address. 756 - MUST NOT accept packets addressed to the IP address(es) associated 757 with the virtual router. 759 - If a Shutdown event is received, then: 761 o Cancel the Master_Down_Timer 762 o Transition to the {Initialize} state 764 endif 766 - If the Master_Down_Timer fires, then: 768 o Send an ADVERTISEMENT 769 o Broadcast a gratuitous ARP request containing the virtual 770 router MAC address for each IP address associated with the 771 virtual router 772 o Set the Adver_Timer to Advertisement_Interval 773 o Transition to the {Master} state 775 endif 777 - If an ADVERTISEMENT is received, then: 779 If the Priority in the ADVERTISEMENT is Zero, then: 781 o Set the Master_Down_Timer to Skew_Time 783 else: 785 If Preempt_Mode is False, or If the Priority in the 786 ADVERTISEMENT is greater than or equal to the local 787 Priority, then: 789 o Reset the Master_Down_Timer to Master_Down_Interval 791 else: 793 o Discard the ADVERTISEMENT 795 endif 796 endif 797 endif 799 6.4.3 Master 801 While in the {Master} state the router functions as the forwarding 802 router for the IP address(es) associated with the virtual router. 804 While in this state, a VRRP router MUST do the following: 806 - MUST respond to ARP requests for the IP address(es) associated 807 with the virtual router. 809 - MUST forward packets with a destination link layer MAC address 810 equal to the virtual router MAC address. 812 - MUST NOT accept packets addressed to the IP address(es) associated 813 with the virtual router if it is not the IP address owner. 815 - MUST accept packets addressed to the IP address(es) associated 816 with the virtual router if it is the IP address owner. 818 - If a Shutdown event is received, then: 820 o Cancel the Adver_Timer 821 o Send an ADVERTISEMENT with Priority = 0 822 o Transition to the {Initialize} state 824 endif 826 - If the Adver_Timer fires, then: 828 o Send an ADVERTISEMENT 829 o Reset the Adver_Timer to Advertisement_Interval 831 endif 833 - If an ADVERTISEMENT is received, then: 835 If the Priority in the ADVERTISEMENT is Zero, then: 837 o Send an ADVERTISEMENT 838 o Reset the Adver_Timer to Advertisement_Interval 840 else: 842 If the Priority in the ADVERTISEMENT is greater than the 843 local Priority, 844 or 845 If the Priority in the ADVERTISEMENT is equal to the local 846 Priority and the primary IP Address of the sender is greater 847 than the local primary IP Address, then: 849 o Cancel Adver_Timer 850 o Set Master_Down_Timer to Master_Down_Interval 851 o Transition to the {Backup} state 853 else: 855 o Discard ADVERTISEMENT 857 endif 858 endif 859 endif 861 7. Sending and Receiving VRRP Packets 863 7.1 Receiving VRRP Packets 865 Performed the following functions when a VRRP packet is received: 867 - MUST verify that the IP TTL is 255. 868 - MUST verify the VRRP version is 2 869 - MUST verify that the received packet contains the complete VRRP 870 packet (including fixed fields, IP Address(es), and 871 Authentication Data). 872 - MUST verify the VRRP checksum 873 - MUST verify that the VRID is configured on the receiving 874 interface and the local router is not the IP Address owner 875 (Priority equals 255 (decimal)). 876 - MUST verify that the Auth Type matches the locally configured 877 authentication method for the virtual router and perform that 878 authentication method 880 If any one of the above checks fails, the receiver MUST discard the 881 packet, SHOULD log the event and MAY indicate via network management 882 that an error occurred. 884 - MAY verify that "Count IP Addrs" and the list of IP Address 885 matches the IP_Addresses configured for the VRID 887 If the above check fails, the receiver SHOULD log the event and MAY 888 indicate via network management that a misconfiguration was detected. 889 If the packet was not generated by the address owner (Priority does 890 not equal 255 (decimal)), the receiver MUST drop the packet, 891 otherwise continue processing. 893 - MUST verify that the Adver Interval in the packet is the same as 894 the locally configured for this virtual router 896 If the above check fails, the receiver MUST discard the packet, 897 SHOULD log the event and MAY indicate via network management that a 898 misconfiguration was detected. 900 7.2 Transmitting VRRP Packets 902 The following operations MUST be performed when transmitting a VRRP 903 packet. 905 - Fill in the VRRP packet fields with the appropriate virtual 906 router configuration state 907 - Compute the VRRP checksum 908 - Set the source MAC address to Virtual Router MAC Address 909 - Set the source IP address to interface primary IP address 910 - Set the IP protocol to VRRP 911 - Send the VRRP packet to the VRRP IP multicast group 913 Note: VRRP packets are transmitted with the virtual router MAC 914 address as the source MAC address to ensure that learning bridges 915 correctly determine the LAN segment the virtual router is attached 916 to. 918 7.3 Virtual Router MAC Address 920 The virtual router MAC address associated with a virtual router is an 921 IEEE 802 MAC Address in the following format: 923 00-00-5E-00-01-{VRID} (in hex in internet standard bit-order) 925 The first three octets are derived from the IANA's OUI. The next two 926 octets (00-01) indicate the address block assigned to the VRRP 927 protocol. {VRID} is the VRRP Virtual Router Identifier. This 928 mapping provides for up to 255 VRRP routers on a network. 930 8. Operational Issues 932 8.1 ICMP Redirects 934 ICMP Redirects may be used normally when VRRP is running between a 935 group of routers. This allows VRRP to be used in environments where 936 the topology is not symmetric. 938 The IP source address of an ICMP redirect should be the address the 939 end host used when making its next hop routing decision. If a VRRP 940 router is acting as Master for virtual router(s) containing addresses 941 it does not own, then it must determine which virtual router the 942 packet was sent to when selecting the redirect source address. One 943 method to deduce the virtual router used is to examine the 944 destination MAC address in the packet that triggered the redirect. 946 It may be useful to disable Redirects for specific cases where VRRP 947 is being used to load share traffic between a number of routers in a 948 symmetric topology. 950 8.2 Host ARP Requests 952 When a host sends an ARP request for one of the virtual router IP 953 addresses, the Master virtual router MUST respond to the ARP request 954 with the virtual MAC address for the virtual router. The Master 955 virtual router MUST NOT respond with its physical MAC address. This 956 allows the client to always use the same MAC address regardless of 957 the current Master router. 959 When a VRRP router restarts or boots, it SHOULD not send any ARP 960 messages with its physical MAC address for the IP address it owns, it 961 should only send ARP messages that include Virtual MAC addresses. 962 This may entail: 964 - When configuring an interface, VRRP routers should broadcast a 965 gratuitous ARP request containing the virtual router MAC address 966 for each IP address on that interface. 968 - At system boot, when initializing interfaces for VRRP operation; 969 delay gratuitous ARP requests and ARP responses until both the IP 970 address and the virtual router MAC address are configured. 972 8.3 Proxy ARP 974 If Proxy ARP is to be used on a VRRP router, then the VRRP router 975 must advertise the Virtual Router MAC address in the Proxy ARP 976 message. Doing otherwise could cause hosts to learn the real MAC 977 address of the VRRP router. 979 8.4 Potential Forwarding Loop 981 A VRRP router SHOULD not forward packets addressed to the IP 982 Address(es) it becomes Master for if it is not the owner. Forwarding 983 these packets would result in unnecessary traffic. Also in the case 984 of LANs that receive packets they transmit (e.g., token ring) this 985 can result in a forwarding loop that is only terminated when the IP 986 TTL expires. 988 One such mechanism for VRRP routers is to add/delete a reject host 989 route for each adopted IP address when transitioning to/from MASTER 990 state. 992 9. Operation over FDDI, Token Ring, and ATM LANE 994 9.1 Operation over FDDI 996 FDDI interfaces remove from the FDDI ring frames that have a source 997 MAC address matching the device's hardware address. Under some 998 conditions, such as router isolations, ring failures, protocol 999 transitions, etc., VRRP may cause there to be more than one Master 1000 router. If a Master router installs the virtual router MAC address 1001 as the hardware address on a FDDI device, then other Masters' 1002 ADVERTISEMENTS will be removed from the ring during the Master 1003 convergence, and convergence will fail. 1005 To avoid this an implementation SHOULD configure the virtual router 1006 MAC address by adding a unicast MAC filter in the FDDI device, rather 1007 than changing its hardware MAC address. This will prevent a Master 1008 router from removing any ADVERTISEMENTS it did not originate. 1010 9.2 Operation over Token Ring 1012 Token ring has several characteristics that make running VRRP 1013 difficult. These include: 1015 - In order to switch to a new master located on a different bridge 1016 token ring segment from the previous master when using source 1017 route bridges, a mechanism is required to update cached source 1018 route information. 1020 - No general multicast mechanism supported across old and new token 1021 ring adapter implementations. While many newer token ring adapters 1022 support group addresses, token ring functional address support is 1023 the only generally available multicast mechanism. Due to the 1024 limited number of token ring functional addresses these may 1025 collide with other usage of the same token ring functional 1026 addresses. 1028 Due to these difficulties, the preferred mode of operation over token 1029 ring will be to use a token ring functional address for the VRID 1030 virtual MAC address. Token ring functional addresses have the two 1031 high order bits in the first MAC address octet set to B'1'. They 1032 range from 03-00-00-00-00-80 to 03-00-02-00-00-00 (canonical format). 1033 However, unlike multicast addresses, there is only one unique 1034 functional address per bit position. The functional addresses 1035 addresses 03-00-00-10-00-00 through 03-00-02-00-00-00 are reserved 1036 by the Token Ring Architecture [TKARCH] for user-defined 1037 applications. However, since there are only 12 user-defined token 1038 ring functional addresses, there may be other non-IP protocols using 1039 the same functional address. Since the Novell IPX [IPX] protocol uses 1040 the 03-00-00-10-00-00 functional address, operation of VRRP over 1041 token ring will avoid use of this functional address. In general, 1042 token ring VRRP users will be responsible for resolution of other 1043 user-defined token ring functional address conflicts. 1045 VRIDs are mapped directly to token ring functional addresses. In 1046 order to decrease the likelihood of functional address conflicts, 1047 allocation will begin with the largest functional address. Most non- 1048 IP protocols use the first or first couple user-defined functional 1049 addresses and it is expected that VRRP users will choose VRIDs 1050 sequentially starting with 1. 1052 VRID Token Ring Functional Address 1053 ---- ----------------------------- 1054 1 03-00-02-00-00-00 1055 2 03-00-04-00-00-00 1056 3 03-00-08-00-00-00 1057 4 03-00-10-00-00-00 1058 5 03-00-20-00-00-00 1059 6 03-00-40-00-00-00 1060 7 03-00-80-00-00-00 1061 8 03-00-00-01-00-00 1062 9 03-00-00-02-00-00 1063 10 03-00-00-04-00-00 1064 11 03-00-00-08-00-00 1066 Or more succinctly, octets 3 and 4 of the functional address are 1067 equal to (0x4000 >> (VRID - 1)) in non-canonical format. 1069 Since a functional address cannot be used used as a MAC level source 1070 address, the real MAC address is used as the MAC source address in 1071 VRRP advertisements. This is not a problem for bridges since packets 1072 addressed to functional addresses will be sent on the spanning-tree 1073 explorer path [802.1D]. 1075 The functional address mode of operation MUST be implemented by 1076 routers supporting VRRP on token ring. 1078 Additionally, routers MAY support unicast mode of operation to take 1079 advantage of newer token ring adapter implementations that support 1080 non-promiscuous reception for multiple unicast MAC addresses and to 1081 avoid both the multicast traffic and usage conflicts associated with 1082 the use of token ring functional addresses. Unicast mode uses the 1083 same mapping of VRIDs to virtual MAC addresses as Ethernet. However, 1084 one important difference exists. ARP request/reply packets contain 1085 the virtual MAC address as the source MAC address. The reason for 1086 this is that some token ring driver implementations keep a cache of 1087 MAC address/source routing information independent of the ARP cache. 1088 Hence, these implementations need have to receive a packet with the 1089 virtual MAC address as the source address in order to transmit to 1090 that MAC address in a source-route bridged network. 1092 Unicast mode on token ring has one limitation that should be 1093 considered. If there are VRID routers on different source-route 1094 bridge segments and there are host implementations that keep their 1095 source-route information in the ARP cache and do not listen to 1096 gratuitous ARPs, these hosts will not update their ARP source-route 1097 information correctly when a switch-over occurs. The only possible 1098 solution is to put all routers with the same VRID on the same source- 1099 bridge segment and use techniques to prevent that bridge segment from 1100 being a single point of failure. These techniques are beyond the 1101 scope this document. 1103 For both the multicast and unicast mode of operation, VRRP 1104 advertisements sent to 224.0.0.18 should be encapsulated as described 1105 in [RFC1469]. 1107 9.3 Operation over ATM LANE 1109 Operation of VRRP over ATM LANE on routers with ATM LANE interfaces 1110 and/or routers behind proxy LEC's are beyond the scope of this 1111 document. 1113 10. Security Considerations 1115 VRRP is designed for a range of internetworking environments that may 1116 employ different security policies. The protocol includes several 1117 authentication methods ranging from no authentication, simple clear 1118 text passwords, and strong authentication using IP Authentication 1119 with MD5 HMAC. The details on each approach including possible 1120 attacks and recommended environments follows. 1122 Independent of any authentication type VRRP includes a mechanism 1123 (setting TTL=255, checking on receipt) that protects against VRRP 1124 packets being injected from another remote network. This limits most 1125 vulnerabilities to local attacks. 1127 10.1 No Authentication 1129 The use of this authentication type means that VRRP protocol 1130 exchanges are not authenticated. This type of authentication SHOULD 1131 only be used in environments were there is minimal security risk and 1132 little chance for configuration errors (e.g., two VRRP routers on a 1133 LAN). 1135 10.2 Simple Text Password 1137 The use of this authentication type means that VRRP protocol 1138 exchanges are authenticated by a simple clear text password. 1140 This type of authentication is useful to protect against accidental 1141 misconfiguration of routers on a LAN. It protects against routers 1142 inadvertently backing up another router. A new router must first be 1143 configured with the correct password before it can run VRRP with 1144 another router. This type of authentication does not protect against 1145 hostile attacks where the password can be learned by a node snooping 1146 VRRP packets on the LAN. The Simple Text Authentication combined 1147 with the TTL check makes it difficult for a VRRP packet to be sent 1148 from another LAN to disrupt VRRP operation. 1150 This type of authentication is RECOMMENDED when there is minimal risk 1151 of nodes on a LAN actively disrupting VRRP operation. If this type 1152 of authentication is used the user should be aware that this clear 1153 text password is sent frequently, and therefore should not be the 1154 same as any security significant password. 1156 10.3 IP Authentication Header 1158 The use of this authentication type means the VRRP protocol exchanges 1159 are authenticated using the mechanisms defined by the IP 1160 Authentication Header [AUTH] using "The Use of HMAC-MD5-96 within ESP 1161 and AH", [HMAC]. This provides strong protection against 1162 configuration errors, replay attacks, and packet 1163 corruption/modification. 1165 This type of authentication is RECOMMENDED when there is limited 1166 control over the administration of nodes on a LAN. While this type 1167 of authentication does protect the operation of VRRP, there are other 1168 types of attacks that may be employed on shared media links (e.g., 1169 generation of bogus ARP replies) that are independent from VRRP and 1170 are not protected. 1172 11. Acknowledgments 1174 The authors would like to thank Glen Zorn, and Michael Lane, Clark 1175 Bremer, Hal Peterson, Tony Li, Barbara Denny, Joel Halpern, Steve 1176 Bellovin, Thomas Narten, Rob Montgomery, and Rob Coltun for their 1177 comments and suggestions. 1179 12. References 1181 [802.1D] International Standard ISO/IEC 10038: 1993, ANSI/IEEE Std 1182 802.1D, 1993 edition. 1184 [AUTH] Kent, S., R. Atkinson, "IP Authentication Header", RFC2402, 1185 November 1998. 1187 [CKSM] Braden, R., D. Borman, C. Partridge, "Computing the 1188 Internet Checksum", RFC1071, September 1988. 1190 [DISC] Deering, S., "ICMP Router Discovery Messages", RFC1256, 1191 September 1991. 1193 [DHCP] Droms, R., "Dynamic Host Configuration Protocol", RFC2131, 1194 March 1997. 1196 [HMAC] Madson, C., R. Glenn, "The Use of HMAC-MD5-96 within ESP 1197 and AH", RFC2403, November 1998. 1199 [HSRP] Li, T., B. Cole, P. Morton, D. Li, "Cisco Hot Standby 1200 Router Protocol (HSRP)", RFC2281, March 1998. 1202 [IPSTB] Higginson, P., M. Shand, "Development of Router Clusters to 1203 Provide Fast Failover in IP Networks", Digital Technical 1204 Journal, Volume 9 Number 3, Winter 1997. 1206 [IPX] Novell Incorporated., "IPX Router Specification", Version 1207 1.10, October 1992. 1209 [OSPF] Moy, J., "OSPF version 2", RFC2338, STD0054, April 1998. 1211 [RIP] Malkin, G., "RIP Version 2", RFC2453, STD0056, November 1212 1998. 1214 [RFC1469] Pusateri, T., "IP Multicast over Token Ring Local Area 1215 Networks", RFC1469, June 1993. 1217 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision 1218 3", RFC2026, BCP00009, October 1996. 1220 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1221 Requirement Levels", RFC2119, BCP0014, March 1997. 1223 [TKARCH] IBM Token-Ring Network, Architecture Reference, Publication 1224 SC30-3374-02, Third Edition, (September, 1989). 1226 13. Author's Addresses 1228 Steven Knight Phone: +1 612 943-8990 1229 Ascend Communications EMail: Steven.Knight@ascend.com 1230 High Performance Network Division 1231 10250 Valley View Road, Suite 113 1232 Eden Prairie, MN USA 55344 1233 USA 1235 Douglas Weaver Phone: +1 612 943-8990 1236 Ascend Communications EMail: Doug.Weaver@ascend.com 1237 High Performance Network Division 1238 10250 Valley View Road, Suite 113 1239 Eden Prairie, MN USA 55344 1240 USA 1242 David Whipple Phone: +1 206 703-3876 1243 Microsoft Corporation EMail: dwhipple@microsoft.com 1244 One Microsoft Way 1245 Redmond, WA 98052-6399 1246 USA 1248 Robert Hinden Phone: +1 650 625-2004 1249 Nokia EMail: hinden@iprg.nokia.com 1250 313 Fairchild Drive 1251 Mountain View, CA 94043 1252 USA 1254 Danny Mitzel Phone: +1 650 625-2037 1255 Nokia EMail: mitzel@iprg.nokia.com 1256 313 Fairchild Drive 1257 Mountain View, CA 94043 1258 USA 1260 Peter Hunt Phone: +1 650 625-2093 1261 Nokia EMail: hunt@iprg.nokia.com 1262 313 Fairchild Drive 1263 Mountain View, CA 94043 1264 USA 1265 P. Higginson Phone: +44 118 920 6293 1266 Digital Equipment Corp. EMail: higginson@mail.dec.com 1267 Digital Park 1268 Imperial Way 1269 Reading 1270 Berkshire 1271 RG2 0TE 1272 UK 1274 M. Shand Phone: +44 118 920 4424 1275 Digital Equipment Corp. EMail: shand@mail.dec.com 1276 Digital Park 1277 Imperial Way 1278 Reading 1279 Berkshire 1280 RG2 0TE 1281 UK 1283 Acee Lindem Phone: 1-919-254-1805 1284 IBM Corporation E-Mail: acee@raleigh.ibm.com 1285 P.O. Box 12195 1286 Research Triangle Park, NC 27709 1287 USA 1289 14. Changes from RFC2338 1291 - Revised the section 4 examples text with a clearer description of 1292 mapping of IP address owner, priorities, etc. 1293 - Clarify the section 7.1 text describing address list validation. 1294 - Corrected text in Preempt_Mode definition. 1295 - Changed authentication to be per Virtual Router instead of per 1296 Interface. 1297 - Added new subsection (9.3) stating that VRRP over ATM LANE is 1298 beyond the scope of this document. 1299 - Clarified text describing received packet length check. 1300 - Clarified text describing received authentication check. 1301 - Clarified text describing VRID verification check. 1302 - Added new subsection (8.4) describing need to not forward packets 1303 for adopted IP addresses. 1304 - Added reference for computing the internet checksum. 1305 - Updated references and author information.