On Thu, Mar 11, 2021 at 12:35:40PM +0000, Joakim Tjernlund wrote:
We have a ring of routers (5 of them) running unnumbered pppoe links between them. Adding OSPF authentication (auth trailer) works OK. However, removing OSPFv3 on ONE interface causes a big problem in some cases, we lose auth in the whole ring and routing is then kaputt for all routers.
We have noted that some PDUs (like LS update) are sent without auth trailer so the receiving nodes complain with "ospfv3_2: Authentication failed for nbr 0.0.139.1 on p1-1-3-1-4 - missing authentication trailer (0)"
OSPFv3 Hello is OK though, it still has its auth trailer.
Hmm, that is strange. There is a difference between Hello and LSUpd in the OSPFv3 Auth receiver code, but not in the sending code. That is essentially:

  if (ifa->autype != OSPF_AUTH_CRYPT)
    return;

  ... attach auth trailer ...
Any ideas?
LSUpd packets do not contain an explicit flag whether they use the OSPFv3 auth trailer. Such information is stored in the neighbor structure based on the received DBDes packet. So 'missing authentication trailer' for LSUpd really means that such neighbor structure says 'no auth'. But that should not happen as that DBDes packet would be rejected.

One idea is that DBDes packets intended for one iface (non-authenticated) were sent to a different iface (authenticated) and they poisoned the neighbor structure with 'no auth' info.

You say 'lose auth in the whole ring', I can imagine that it will break adjacent links, but will it really break even non-adjacent links?

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
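
Added example, not part of the original thread and not BIRD's code: a simplified C model of the receive-side decision the reply describes, where Hello and DBDes carry their own "uses trailer" flag and LSUpd relies on what the neighbor structure recorded from DBDes. All type and function names are hypothetical, the scenario is constructed to mirror the reply's hypothesis, and cryptographic validation of the trailer itself is left out.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model; every name here is hypothetical, not a BIRD identifier. */
enum pkt_type { PKT_HELLO, PKT_DBDES, PKT_LSREQ, PKT_LSUPD, PKT_LSACK };
enum verdict  { ACCEPT, DROP_MISSING_TRAILER };

struct neighbor { bool uses_trailer; };  /* learned from the last accepted DBDes */
struct packet   { enum pkt_type type; bool at_flag; };  /* flag only in Hello/DBDes */

/* Does the receiver consider this packet to carry an auth trailer? */
static bool trailer_expected(const struct neighbor *n, const struct packet *p)
{
    if (p->type == PKT_HELLO || p->type == PKT_DBDES)
        return p->at_flag;                   /* the packet states it itself */
    return n != NULL && n->uses_trailer;     /* otherwise only neighbor state */
}

/* Receive check on one interface; iface_auth means auth is configured there. */
enum verdict rx_check(bool iface_auth, struct neighbor *n, const struct packet *p)
{
    if (iface_auth && !trailer_expected(n, p))
        return DROP_MISSING_TRAILER;
    if (p->type == PKT_DBDES && n != NULL)
        n->uses_trailer = p->at_flag;        /* remembered for LSReq/LSUpd/LSAck */
    return ACCEPT;
}

/* Constructed scenario: a DBDes handled under a non-authenticated interface
 * updates the neighbor record that an authenticated interface consults later. */
int poisoned_lsupd_verdict(void)
{
    struct neighbor n = { .uses_trailer = true };
    struct packet dbdes = { PKT_DBDES, false };
    struct packet hello = { PKT_HELLO, true };
    struct packet lsupd = { PKT_LSUPD, false };

    rx_check(false, &n, &dbdes);              /* accepted, state becomes 'no auth' */
    if (rx_check(true, &n, &hello) != ACCEPT) /* Hello is judged on its own flag */
        return -1;
    return rx_check(true, &n, &lsupd);        /* judged on the neighbor state */
}
```

In this model the Hello keeps passing while the LSUpd is dropped for a missing trailer, so when chasing the log message the recorded per-neighbor state is the thing to inspect rather than the LSUpd contents alone.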