OSPFv3 auth problem

Kenth Eriksson Kenth.Eriksson at infinera.com
Fri Mar 12 16:39:06 CET 2021


We can see auth trailer on the hellos, the neighborship is established, but still the trace is appearing. Does that mean that the options on the neighbor object are incorrect?

bird> show ospf neighbors ospfv3_2
ospfv3_2:
Router ID       Pri          State      DTime   Interface  Router IP
0.0.139.2         0     Full/PtP        32.725  p1-1-5-1-6 fe80::206:9cff:fe0c:a533
bird>

2021-03-12 16:32:36.564 <AUTH> ospfv3_2: Authentication failed for nbr 0.0.139.2 on p1-1-5-1-6 - missing authentication trailer (0)

/k

-----Original Message-----
From: Bird-users <bird-users-bounces at network.cz> On Behalf Of Joakim Tjernlund
Sent: den 11 mars 2021 16:50
To: santiago at crfreenet.org
Cc: bird-users at network.cz
Subject: Re: OSPFv3 auth problem

On Thu, 2021-03-11 at 15:06 +0000, Joakim Tjernlund wrote:
> On Thu, 2021-03-11 at 15:50 +0100, Ondrej Zajicek wrote:
> > On Thu, Mar 11, 2021 at 12:35:40PM +0000, Joakim Tjernlund wrote:
> > > We have a ring of routers (5 of them) running unnumbered pppoe links between them. Adding OSPF authentication (auth trailer) works OK.
> > > However, removing OSPFv3 on ONE interface causes a big problem in 
> > > some cases, we lose auth in the whole ring and routing is then kaputt for all routers.
> > >
> > > We have noted that some PDUs (like LS update) are sent without auth 
> > > trailer so the receiving nodes complain with "ospfv3_2: Authentication failed for nbr 0.0.139.1 on p1-1-3-1-4 - missing authentication trailer (0)"
> > >
> > > OSPFv3 Hello is OK though, it still has its auth trailer.
> >
> > Hmm, that is strange. There is a difference between Hello and LSUpd in
> > OSPFv3 Auth receiver code, but not in sending code. That is essentially:
> >
> >   if (ifa->autype != OSPF_AUTH_CRYPT)
> >     return;
> >
> >   ... attach auth trailer ...
> >
> >
> > > Any ideas?
> >
> > LSUpd packets do not contain an explicit flag whether they use OSPFv3 
> > auth trailer. Such information is stored in neighbor structure based 
> > on received DBDes packet. So 'missing authentication trailer' for 
> > LSUpd really means that such neighbor structure says 'no auth'. But 
> > that should not happen as that DBDes packet would be rejected.
> >
> > One idea is that DBDes packets intended for one iface 
> > (non-authenticated) were sent to a different iface (authenticated) 
> > and they poisoned neighbor structure with 'no auth' info.
> >
> > You say 'lose auth in the whole ring', I can imagine that it will 
> > break adjacent links, but it will really break even non-adjacent links?
> >
>
> Yes, it takes some time (about 30 min) though before the whole ring is gone.
> All nodes are seeing "missing authentication trailer" msg.

I should mention that a birdc restart/configure (on each node) will correct the problem.
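
Added example (not part of the thread and not BIRD's code): a simplified C model of the receive-side behaviour Ondrej describes, where Hello and DBDes are judged by their own Options field and LSUpd by the options stored for the neighbor. The struct and function names and the sample option values are hypothetical; `OPT_AT` is the RFC 7166 AT-bit.

```c
#include <stdint.h>
#include <stdio.h>

#define OPT_AT 0x0400u /* AT-bit in the OSPFv3 Options field (RFC 7166) */

enum pkt_type { HELLO = 1, DBDES, LSREQ, LSUPD, LSACK };
enum verdict { ACCEPT, DROP_MISSING_TRAILER, DROP_BAD_TRAILER };

/* Hypothetical, simplified structures; not BIRD's own definitions. */
struct nbr { uint32_t options; };  /* options remembered per neighbor */
struct pkt {
  enum pkt_type type;
  uint32_t options;   /* only meaningful for HELLO and DBDES */
  int trailer_ok;     /* 1 if a valid trailer is actually on the wire */
};

/* Receive-side check on an interface configured for authentication. */
enum verdict rx_auth_check(const struct nbr *n, const struct pkt *p)
{
  /* Hello/DBDes carry their own Options; other types have none, so the
     receiver falls back to what it stored for the neighbor. */
  int own = (p->type == HELLO || p->type == DBDES);
  uint32_t opts = own ? p->options : n->options;

  if (!(opts & OPT_AT))
    return DROP_MISSING_TRAILER;
  return p->trailer_ok ? ACCEPT : DROP_BAD_TRAILER;
}

/* Neighbor options are learned from a DBDes only after it passed the check. */
enum verdict rx_dbdes(struct nbr *n, const struct pkt *p)
{
  enum verdict v = rx_auth_check(n, p);
  if (v == ACCEPT)
    n->options = p->options;
  return v;
}

int main(void)
{
  struct nbr n = { 0x13 };  /* constructed: stored options lack OPT_AT */
  struct pkt hello = { HELLO, 0x13 | OPT_AT, 1 };
  struct pkt lsupd = { LSUPD, 0, 1 };
  struct pkt dbdes = { DBDES, 0x13 | OPT_AT, 1 };

  printf("hello=%d lsupd=%d\n", rx_auth_check(&n, &hello), rx_auth_check(&n, &lsupd));
  rx_dbdes(&n, &dbdes);  /* adjacency re-established with an authenticated DBDes */
  printf("lsupd after relearn=%d\n", rx_auth_check(&n, &lsupd));
  return 0;
}
```

With stored neighbor options lacking the AT-bit, a Hello passes while an LSUpd carrying a valid trailer is reported as missing its trailer, the combination seen in the logs above.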




