OSPFv3 auth problem

Joakim Tjernlund Joakim.Tjernlund at infinera.com
Tue Mar 16 09:35:20 CET 2021


On Mon, 2021-03-15 at 20:02 +0100, Joakim Tjernlund wrote:
> On Mon, 2021-03-15 at 17:26 +0100, Joakim Tjernlund wrote:
> > On Mon, 2021-03-15 at 15:59 +0100, Ondrej Zajicek wrote:
> > > On Mon, Mar 15, 2021 at 02:25:18PM +0000, Kenth Eriksson wrote:
> > > > I believe the "options" of the neighbor object is only updated as a
> > > > result of NEIGHBOR_EXSTART. If the authentication is enabled after
> > > > unauthenticated neighbor adjacency, then this does not result in a new
> > > > NEIGHBOR_EXSTART. Thus the options of the neighbor object are stuck at 0x113,
> > > > and not updated to 0x513 (i.e. OPT_AT), resulting in OSPF packets
> > > > being dropped in procedure ospf_pkt_checkauth3 since auth_present
> > > > is zero.
> > > 
> > > Yes, you are right. If iface is configured to not use auth, adjacency is
> > > established (n->options are set to not include OPT_AT) and then
> > > reconfigured to use auth, adjacency is kept (because Hello packets
> > > are authenticated) but LSUpd and others are ignored (because there
> > > is no OPT_AT flag in n->options).
> > > 
> > > RFC 7166 is vague about updating the OPT_AT flag, and the basic OSPFv2/v3 RFC
> > > just describes setting n->options from DBDes during NEIGHBOR_EXSTART.
> > > 
> > > > If I manually kick the FSM when authentication is changed by
> > > > doing ISM_DOWN-> ISM_UP then this works as expected (see pseudo code
> > > > below). I believe there is some logic missing when changing the autype?
> > > > Can this be done in some more fine granular way? 
> > > 
> > > I think that the best solution would be to update OPT_AT flag in
> > > n->options based on received Hello packets. Will make a patch.
> > 
> > Are you thinking something like this?
> > 
> > diff --git a/proto/ospf/hello.c b/proto/ospf/hello.c
> > index d094f934..dc3bc912 100644
> > --- a/proto/ospf/hello.c
> > +++ b/proto/ospf/hello.c
> > @@ -253,6 +253,10 @@ ospf_receive_hello(struct ospf_packet *pkt, struct ospf_iface *ifa,
> >  
> > 
> > 
> > 
> >      neighbors = ps->neighbors;
> >      neigh_count = (plen - sizeof(struct ospf_hello3_packet)) / sizeof(u32);
> > +    if (rcv_options & OPT_AT)
> > +      n->options |= OPT_AT;
> > +    else
> > +      n->options &= ~OPT_AT;
> >    }
> >  
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> 
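Review bot: the added `n->options` writes sit in the branch that is still parsing the Hello (right after `neighbors` and `neigh_count` are set), and nothing in the visible context shows that `n` has been looked up or checked against NULL at that point; the reply that follows reports a SEGV on a NULL nbr. Move the OPT_AT update to after the neighbor has been found or created, or guard it with `if (n)`.
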
> That did a SEGV on a NULL nbr ...
> Now running this:
> 
> diff --git a/proto/ospf/hello.c b/proto/ospf/hello.c
> index d094f934..e103d2fd 100644
> --- a/proto/ospf/hello.c
> +++ b/proto/ospf/hello.c
> @@ -341,6 +341,11 @@ ospf_receive_hello(struct ospf_packet *pkt, struct ospf_ifa
> ce *ifa,
>    n->bdr = rcv_bdr;
>    n->priority = rcv_priority;
>    n->iface_id = rcv_iface_id;
> +  if (ospf_is_v3(p))
> +    if (rcv_options & OPT_AT)
> +      n->options |= OPT_AT;
> +    else
> +      n->options &= ~OPT_AT;
>  
> 
> 
> 
>    /* Update inactivity timer */
>    ospf_neigh_sm(n, INM_HELLOREC);
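
Review bot: the outer `if (ospf_is_v3(p))` has no braces around the nested if/else, which leaves a dangling else. C binds the `else` to the inner `if (rcv_options & OPT_AT)`, so the behaviour matches the indentation, but compilers warn about this form and a later edit can silently change the pairing; brace the outer body, or collapse the update into one assignment such as `n->options = (n->options & ~OPT_AT) | (rcv_options & OPT_AT);`. Because the else branch clears OPT_AT from a received Hello, and the thread ties that flag to whether later packets pass ospf_pkt_checkauth3, it is also worth confirming that this point is reached only for Hellos that have already passed the authentication check.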

Sent a proper patch, let us know what you think.

 Jocke


