OSPFv3 auth problem

Ondrej Zajicek santiago at crfreenet.org
Thu Mar 11 15:50:53 CET 2021


On Thu, Mar 11, 2021 at 12:35:40PM +0000, Joakim Tjernlund wrote:
> We have a ring of routers (5 of them) running unnumbered pppoe links between them. Adding OSPF authentication (auth trailer) works OK.
> However, removing OSPFv3 on ONE interface causes a big problem in some cases: we lose auth in the whole ring
> and routing is then kaputt for all routers.
> 
> We have noted that some PDUs (like LS update) are sent without an auth trailer, so the receiving nodes
> complain with "ospfv3_2: Authentication failed for nbr 0.0.139.1 on p1-1-3-1-4 - missing authentication trailer (0)"
> 
> OSPFv3 Hello is OK though, it still has its auth trailer.

Hmm, that is strange. There is a difference between Hello and LSUpd in the
OSPFv3 Auth receiver code, but not in the sending code. That is essentially:

  if (ifa->autype != OSPF_AUTH_CRYPT)
    return;

  ... attach auth trailer ...


> Any ideas?

LSUpd packets do not contain an explicit flag indicating whether they use the
OSPFv3 auth trailer. Such information is stored in the neighbor structure,
based on the received DBDes packet. So 'missing authentication trailer' for
LSUpd really means that the neighbor structure says 'no auth'. But that
should not happen, as such a DBDes packet would be rejected.

One idea is that DBDes packets intended for one iface (non-authenticated)
were sent to a different iface (authenticated) and poisoned the neighbor
structure with 'no auth' info.

You say 'lose auth in the whole ring'; I can imagine that it will break
adjacent links, but will it really break even non-adjacent links?

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
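
The following is an added illustration of the send/receive logic discussed in the reply above; it is not BIRD's code. It models the RFC 7166 behaviour the reply describes: the sender attaches a trailer purely on the interface's auth type, Hello and DBDes announce the trailer themselves via the AT bit in their options, and every other packet type (LSReq, LSUpd, LSAck) inherits that answer from the neighbor structure filled in from the last accepted DBDes. The constants, struct layouts, the OPT_AT bit position and the toy digest (standing in for the real HMAC) are assumptions. It generalizes the report slightly: besides the poisoned-neighbor case that produces "missing authentication trailer" for an LSUpd that actually carries its trailer, it also shows why a Hello on the same neighbor is still accepted, and that an unauthenticated DBDes arriving on an authenticated iface is rejected before it can touch the neighbor's options.

```c
/*
 * Model of OSPFv3 authentication trailer (RFC 7166) send/receive decisions.
 * Added illustration, NOT BIRD's code. Constants, struct layouts, the OPT_AT
 * bit and the toy digest are assumptions standing in for the real thing.
 */
#include <stdint.h>
#include <string.h>

enum pkt_type { HELLO_P = 1, DBDES_P = 2, LSREQ_P = 3, LSUPD_P = 4, LSACK_P = 5 };
enum { OSPF_AUTH_NONE = 0, OSPF_AUTH_CRYPT = 2 };   /* assumed values */
#define OPT_AT 0x0400u   /* AT-bit: "this packet carries an auth trailer" (assumed position) */

enum auth_result { AUTH_OK = 0, AUTH_MISSING_TRAILER = 1, AUTH_BAD_DIGEST = 2 };

struct ospf_iface    { int autype; uint8_t key[8]; };
struct ospf_neighbor { uint32_t options; };   /* options remembered from the last accepted DBDes */
struct ospf_packet {
  enum pkt_type type;
  uint32_t options;     /* only Hello and DBDes actually carry an options field */
  int has_trailer;
  uint8_t digest[8];    /* toy digest, stands in for HMAC-SHA-* */
};

/* Toy keyed digest: enough to detect a key mismatch, not a real MAC. */
static void toy_digest(const struct ospf_iface *ifa, const struct ospf_packet *pkt, uint8_t out[8])
{
  for (int i = 0; i < 8; i++)
    out[i] = ifa->key[i] ^ (uint8_t)pkt->type ^ (uint8_t)(i * 17);
}

/* Sender: the decision depends only on the iface, never on the packet type. */
void ospf3_auth_send(const struct ospf_iface *ifa, struct ospf_packet *pkt)
{
  pkt->has_trailer = 0;
  if (ifa->autype != OSPF_AUTH_CRYPT)
    return;
  if (pkt->type == HELLO_P || pkt->type == DBDES_P)
    pkt->options |= OPT_AT;          /* only these types can announce the trailer */
  toy_digest(ifa, pkt, pkt->digest);
  pkt->has_trailer = 1;
}

/* Receiver: Hello/DBDes say themselves whether a trailer follows; every other
 * type inherits the answer from the neighbor structure. */
enum auth_result ospf3_auth_receive(const struct ospf_iface *ifa, const struct ospf_neighbor *n,
                                    const struct ospf_packet *pkt)
{
  if (ifa->autype != OSPF_AUTH_CRYPT)
    return AUTH_OK;                  /* unauthenticated iface: nothing to check */

  uint32_t opts = (pkt->type == HELLO_P || pkt->type == DBDES_P)
                  ? pkt->options : (n ? n->options : 0);
  if (!(opts & OPT_AT) || !pkt->has_trailer)
    return AUTH_MISSING_TRAILER;     /* the log line quoted in the report */

  uint8_t want[8];
  toy_digest(ifa, pkt, want);
  return memcmp(want, pkt->digest, sizeof want) == 0 ? AUTH_OK : AUTH_BAD_DIGEST;
}

/* DBDes handling: neighbor options are overwritten only by an accepted DBDes,
 * so an unauthenticated DBDes on an authenticated iface cannot poison them. */
enum auth_result ospf3_process_dbdes(const struct ospf_iface *ifa, struct ospf_neighbor *n,
                                     const struct ospf_packet *pkt)
{
  enum auth_result r = ospf3_auth_receive(ifa, n, pkt);
  if (r != AUTH_OK)
    return r;
  n->options = pkt->options;
  return AUTH_OK;
}

/* Scenario: authenticated link, neighbor learned from a good DBDes, then an
 * LSUpd. With 'poison' set, the neighbor's AT bit is clobbered first (the
 * wrong-iface idea from the reply); the LSUpd still carries its trailer but
 * is dropped as "missing authentication trailer". */
enum auth_result lsupd_after_dbdes(int poison)
{
  struct ospf_iface ifa = { OSPF_AUTH_CRYPT, {1,2,3,4,5,6,7,8} };
  struct ospf_neighbor n = { 0 };
  struct ospf_packet dbd = { DBDES_P, 0, 0, {0} };
  ospf3_auth_send(&ifa, &dbd);
  if (ospf3_process_dbdes(&ifa, &n, &dbd) != AUTH_OK)
    return AUTH_BAD_DIGEST;          /* not reachable with matching keys */
  if (poison)
    n.options &= ~OPT_AT;
  struct ospf_packet lsu = { LSUPD_P, 0, 0, {0} };
  ospf3_auth_send(&ifa, &lsu);
  return ospf3_auth_receive(&ifa, &n, &lsu);
}

/* A Hello from the same poisoned neighbor is still accepted: it carries its
 * own AT bit, matching the observation that Hello keeps working. */
enum auth_result hello_on_poisoned_neighbor(void)
{
  struct ospf_iface ifa = { OSPF_AUTH_CRYPT, {1,2,3,4,5,6,7,8} };
  struct ospf_neighbor n = { 0 };   /* no AT recorded */
  struct ospf_packet hello = { HELLO_P, 0, 0, {0} };
  ospf3_auth_send(&ifa, &hello);
  return ospf3_auth_receive(&ifa, &n, &hello);
}

/* Unauthenticated DBDes arriving on an authenticated iface: rejected, and the
 * neighbor's previously learned AT bit survives. Returns 1 when both hold. */
int unauth_dbdes_rejected(void)
{
  struct ospf_iface plain = { OSPF_AUTH_NONE, {0} };
  struct ospf_iface crypt = { OSPF_AUTH_CRYPT, {1,2,3,4,5,6,7,8} };
  struct ospf_neighbor n = { OPT_AT };
  struct ospf_packet dbd = { DBDES_P, 0, 0, {0} };
  ospf3_auth_send(&plain, &dbd);    /* sender side has no auth configured */
  enum auth_result r = ospf3_process_dbdes(&crypt, &n, &dbd);
  return r == AUTH_MISSING_TRAILER && n.options == OPT_AT;
}
```

The point to take from the model is the asymmetry in the reply: the sender never consults per-neighbor state, so a trailer-less LSUpd can only come from an iface with auth switched off, while the receiver's verdict for LSUpd depends entirely on what was stored in the neighbor structure. Any path that lets a DBDes be processed against the wrong neighbor or iface turns into "missing authentication trailer" on every subsequent non-Hello packet from that neighbor, which is exactly the symptom reported.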

