The hrp checksum enable command enables the function of checking the validity of packets exchanged between the active and standby devices on the heartbeat link.
The undo hrp checksum enable command disables the function of checking the validity of packets exchanged between the active and standby devices on the heartbeat link.
By default, the function of checking the validity of packets exchanged between the active and standby devices on the heartbeat link is enabled.
Application Scenarios
In hot standby networking, two FWs use heartbeat interfaces to exchange VGMP packets, HRP heartbeat packets, HRP link detection packets, HRP data packets, and consistency check packets (hereinafter referred to as HRP packets), which inform each FW of its peer's configuration and status. To prevent malicious packet attacks and ensure that HRP packets are received completely and correctly, you can run the hrp checksum enable command to check the validity of HRP packets.
Configuration Impact
After hrp checksum enable is configured, the sending FW calculates the checksum of each HRP packet during data encapsulation, using the verification algorithm set by the hrp checksum encryption-key command. On receiving the HRP packet, the receiving FW calculates the checksum with the verification algorithm set by the hrp checksum encryption-key command and checks whether the result is the same as the checksum calculated by the sender. If the two values are the same, the HRP packet is received. Otherwise, the HRP packet is denied.
hrp checksum enable and hrp checksum encryption-key support backup. After two FWs are configured in hot standby mode, the hrp checksum enable command needs to be run only on the active device.
Precautions
The hrp checksum enable and hrp checksum encryption-key configurations on the two FWs must be the same. Otherwise, HRP packets will be discarded due to validity check failures.
HRP packet checksum calculation occupies CPU resources, which affects the processing performance of the FW, and a more secure algorithm has a higher impact on performance. If high device performance is required, you can use the default verification algorithm (that is, run the undo hrp checksum encryption-key command) or temporarily disable the HRP packet validity check function. After this function is disabled, the integrity and correctness of the HRP packets exchanged between the active and standby FWs cannot be guaranteed.
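The sender and receiver behavior described under Configuration Impact, and the discard-on-mismatch case described under Precautions, modeled as an added example (not code from the product or its documentation). The page does not state the verification algorithm or the HRP packet layout, so HMAC-SHA256, the length-prefixed layout, and the names encapsulate, receive and demo are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes (assumed algorithm)


def encapsulate(payload: bytes, key: bytes) -> bytes:
    """Sender side: append a keyed checksum over the length-prefixed payload."""
    body = struct.pack("!H", len(payload)) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def receive(packet: bytes, key: bytes):
    """Receiver side: recompute the checksum; return payload, or None to discard."""
    if len(packet) < 2 + TAG_LEN:
        return None  # too short to hold a length field and a checksum
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    (length,) = struct.unpack("!H", body[:2])
    if length != len(body) - 2:
        return None  # truncated or padded in transit
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # checksum mismatch: packet is discarded
    return body[2:]


def demo():
    active_key = b"constructed-key-A"       # constructed sample values
    standby_key_ok = b"constructed-key-A"
    standby_key_bad = b"constructed-key-B"  # models mismatched configuration
    pkt = encapsulate(b"HRP heartbeat: state=active", active_key)
    tampered = pkt[:5] + bytes([pkt[5] ^ 0x01]) + pkt[6:]
    return {
        "matching": receive(pkt, standby_key_ok),
        "mismatched_key": receive(pkt, standby_key_bad),
        "tampered": receive(tampered, standby_key_ok),
        "truncated": receive(pkt[:-1], standby_key_ok),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} -> {'accepted' if result is not None else 'discarded'}")
```

In this model a key mismatch between the two devices is indistinguishable, from the receiver's side, from a tampered packet: both end in a discard.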