www.openbsd.org/lyrics.html
We've been working a few years now on our packet filtering software 13 pf and it became time to add failover. We want to be able to set up pf firewalls side by side, and exchange the stateful information between them, so that in case of failure another could take over 'keep state' sessions. However, on both sides of the firewall, it is also necessary to have all the regular hosts not see a network failure. The only reliable way to do this is for both firewall machines to have and use the same IP and MAC addresses. But the only real way to do that is to use multicast protocols. The IETF community proposed work in this direction in the late 90's, however in 1997 Cisco informed them that they believed some of Cisco's patents covered the proposed IETF VRRP (Virtual Router Redundancy Protocol); Reputedly, they were upset that IETF had not simply adopted the flawed HSRP protocol as the standard solution for this problem. Despite this legal pressure, the IETF community forged ahead and published VRRP as a standard even though there was a patent in the space. As free software programmers, we therefore find ourselves in the position that these RAND standards must not be implemented by us, and we must deviate from the standard. We find all this rather Unreasonable and Discriminatory and we *will* design competing protocols. Due to some HSRP flaws fixed by VRRP and for compatibility with the (HSRP-licensed) VRRP implementations of their competitors, Cisco in recent times has largely abandoned HSRP and now relies on VRRP instead -- a protocol designed for and by the community, but for which they claim patent rights. On August 7 2002, after many communications, Robert Barr (Cisco's lawyer) firmly informed the OpenBSD community that Cisco would defend its patents for VRRP implementations -- meaning basically that it was impossible for a free software group to produce a truly free implementation of the IETF standard protocol. Perhaps this is because Cisco and Alcatel are currently engaged in a pair of patent lawsuits; Some IETF working group members took note of our complaints, 17 however an attempt in April 2003 to have the IETF abandon the use of patented technology failed to "reach consensus" in the IETF. A few years ago, the W3C, who designs our web protocols, tried to move to a RAND policy as well (primarily because of pressure from Microsoft and Apple), but the community outrage was so overpowering that they backed down. Some standards groups use this policy, while others avoid it -- the one differentiation being the amount of corporate participation. In the IETF, the pro-RAND agents work for AT&T, Alcatel, IBM, Cisco, Microsoft, and other large companies. Since IETF is an open forum, they can blend in as the populace, and vote just like all others, except against the community. Translation: In failing to "reach consensus", the companies who benefit from RAND won, and the community lost again. Left with little choice, we proceeded to reinvent the wheel or, more correctly, abandon the wheel entirely and go for a "hovercraft". We designed CARP (Common Address Redundancy Protocol) to solve the same problem that these other protocols are designed for, but without the same technological basis as HSRP and VRRP. We read the patent document carefully and ensured that CARP was fundamentally different. We also avoided many of the flaws in HSRP and VRRP (such as an inherent lack of security). And since we are OpenBSD developers, we designed it to use cryptography. The combination of 18 pf, 19 pfsync, and 20 carp has permitted us to build highly redundant firewalls. To date, we have built a few networks that include as many as 4 firewalls, all running random reboot cycles. As long as one firewall is alive in a group, traffic through them moves smoothly and correctly for all of our packet filter functionality. Cisco's low end products are unable to do this reliably, and if they have high end products which can do this, you most certainly cannot afford them. As a final note of course, when we petitioned IANA, the IETF body regulating "official" internet protocol numbers, to give us numbers for CARP and pfsync our request was denied. Apparently we had failed to go through an official standards organization. Consequently we were forced to choose a protocol number which would not conflict with anything else of value, and decided to place CARP at IP protocol 112. We informed IANA of these decisions, but they declined to reply. This ridiculous situation then inspired one of our developers to create this parody of the well-known Monty Python skit and song. Customer: Hello, I would like to buy a CARP license please. Customer: A license for my network redundancy protocol, CARP. Why should I be tied with the epithet looney merely because I wish to protect my redundancy protocol? I've heard tell that Network Associates has a pet algorithm called RSA used in IETF standards, and you wouldn't call them a looney; Geoworks has a claim on WAP, after what their lawyers do to you if you try to implement it. Cisco has two redundant patents, both encumbered, and Cadtrack has a patent on cursor movement! So, if you're calling the large American companies that fork out millions of dollars for the use of XOR a bunch of looneys, I shall have to ask you to step outside! Customer: Look, it allows for bleeding redundancy doesn't it? Cisco's got a patent for the HSRP, and I've got to get a license for me router VRRP. Licenser: There's no such thing as a bloody VRRP license. Licenser: This is a Cisco HSRP patent document with the word "Cisco" crossed out and the word "IETF" written in in crayon. Customer: Robert Barr, the man from the redundancy detector van. Customer: The redundancy detector van from the Monopoly of Cizzz-coeee. The man said that their equipment could pinpoint a failover configuration at 400 yards! And my Cisco router, being such a flappy bat, was a piece of cake. Licenser: So you're replacing your PIX with free software, and yet you want to license it? Customer: Look, if you intend by that utilization of an obscure colloquialism to imply that my sanity is not up to scratch, or indeed to deny the semi-existence of my little half firewall, I shall have to ask you to listen to this! A one zero one one VRRP, philosophically, must ipso facto standard be But standard it needs to be free vis a vis the IETF you see? O P E N B S D CARP is free Is this wretched Cisco-eze let through IETF to mean my firewall must pay legal fees? My firewall just keeps running, see, bisected accidentally, one summer afternoon by me. Piano by Janet Lewis, acoustic guitars by Chantal Vitalis. We provided ideas, wrote papers, and deployed cutting-edge technology; DARPA provided finances and reaped a share of the credit, and the University of Pennsylvania acted as a middle-man. We accepted funding based on the promise that our freedom to operate as we wished was unaffected. To us, freedom is more important than funding -- heck, we were dealing with the evil forces of government, and needed to be careful. A few months prior to this release, DARPA suddenly and without warning decided to withdraw that funding; Many articles in the 26 press followed regarding this sudden manuevre. Apparently this hoopla happened because an OpenBSD-related article in the Canadian newspaper The Globe & Mail had quoted Theo de Raadt making anti-war statements regarding Iraq and the theft of oil. We had lost financial support, but the release of the statement above suddenly made us very happy to be free of any perceived obligation to such crazy people. Since the termination came near natural contract termination (about 4 months remained), less damage than expected was sustained by the project. Sponsors stepped forward and helped us make up the missing funds we needed to run our "Hackathon", and the event proceeded as planned. We even had t-shirts made with "Workstations of Mass Development" artwork for those developers who attended (sorry, they are not for sale). So instead, we are making up an allegory about it, using the tale of Robin Hood. Sir Puffy of Ramsay was a wandrin' Through forests of seaweed all alone He had fo...
|
http://csua.com/feed/