Auth with strict mode

[g-boruzs]

Hi,

Could you reconsider allowing VRRP authentication in strict mode?

The main use case of this feature isn't security, but namespace separation - allowing the same VRID to coexist in different authentication domains. This expands the usable namespace from 255 VRIDs to virtually unlimited in large environments.

Without this, large deployments must either disable strict mode entirely or use complex workarounds to avoid VRID collisions across different services/teams.

Would it be possible to allow auth in strict mode with a documentation note that it's for namespace separation, not security?

Thanks for your consideration and great work on keepalived!

Best regards,
Gergo

[pqarmitage]

Strict mode means strict compliance with the current RFC(s). Allowing authentication is not compliant with the VRRP RFCs for over 20 years, so allowing authentication with strict mode just doesn't make sense.

Using strict mode is just a shorthand for setting a number of other options, so the solution, if you want authentication, is to not set strict mode, and to also set all the other configuration options which are set by strict mode (I can't remember the list of options, but a check of the code should show you fairly quickly what they are.