On Thu, 2021-03-11 at 15:06 +0000, Joakim Tjernlund wrote:
On Thu, 2021-03-11 at 15:50 +0100, Ondrej Zajicek wrote:
On Thu, Mar 11, 2021 at 12:35:40PM +0000, Joakim Tjernlund wrote:
We have a ring of routers (5 of them) running unnumbered PPPoE links between them. Adding OSPF authentication (auth trailer) works OK. However, removing OSPFv3 on ONE interface causes big problems in some cases: we lose auth in the whole ring and routing is then kaputt for all routers.
We have noted that some PDUs (like LS update) are sent without auth trailer, so the receiving nodes complain with "ospfv3_2: Authentication failed for nbr 0.0.139.1 on p1-1-3-1-4 - missing authentication trailer (0)"
OSPFv3 Hello is OK though, it still has its auth trailer.
Hmm, that is strange. There is a difference between Hello and LSUpd in the OSPFv3 Auth receiver code, but not in the sending code. That is essentially:
    if (ifa->autype != OSPF_AUTH_CRYPT)
        return;
    ... attach auth trailer ...
Any ideas?
LSUpd packets do not contain an explicit flag indicating whether they use the OSPFv3 auth trailer. Such information is stored in the neighbor structure based on the received DBDes packet. So 'missing authentication trailer' for LSUpd really means that the neighbor structure says 'no auth'. But that should not happen, as that DBDes packet would be rejected.
One idea is that DBDes packets intended for one iface (non-authenticated) were sent to a different iface (authenticated) and they poisoned the neighbor structure with 'no auth' info.
You say 'lose auth in the whole ring'. I can imagine that it will break adjacent links, but will it really break even non-adjacent links?
Yes, it takes some time (about 30 min) though before the whole ring is gone. All nodes are seeing the "missing authentication trailer" msg.
I should mention that a birdc restart/configure (on each node) will correct the problem.
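
Added example, not part of the thread and not BIRD source: a simplified C model of the receive-side decision Ondrej describes, where Hello/DBDes carry an explicit AT flag and LSUpd relies on state remembered in the neighbor structure. All names (rx_check, bind_check, uses_at, the iface names) are hypothetical; bind_check is one possible guard against the misattributed-DBDes hypothesis, not a fix confirmed in the thread.

```c
#include <stdbool.h>
#include <stdio.h>

enum pkt_type { HELLO = 1, DBDES, LSREQ, LSUPD, LSACK };
enum verdict  { ACCEPT, MISSING_TRAILER, WRONG_IFACE };

struct iface    { const char *name; bool auth_required; };
struct neighbor { const struct iface *ifa; bool uses_at; }; /* uses_at learned from DBDes */
struct packet   { enum pkt_type type; bool at_bit; };       /* at_bit only read for Hello/DBDes */

/* Receive-side check. With bind_check set, a packet is only allowed to
 * touch a neighbor that belongs to the interface it was received on. */
enum verdict rx_check(const struct iface *rx_ifa, struct neighbor *n,
                      const struct packet *p, bool bind_check)
{
    if (bind_check && n->ifa != rx_ifa)
        return WRONG_IFACE;

    /* Hello/DBDes say explicitly whether a trailer follows; every other
     * packet type depends on what the neighbor structure remembers. */
    bool explicit_flag = (p->type == HELLO || p->type == DBDES);
    bool has_at = explicit_flag ? p->at_bit : n->uses_at;

    if (rx_ifa->auth_required && !has_at)
        return MISSING_TRAILER;
    if (p->type == DBDES)
        n->uses_at = p->at_bit;  /* remembered for later LSUpd and friends */
    return ACCEPT;
}

/* Replays the hypothesis on constructed data; returns the final LSUpd verdict. */
enum verdict replay(bool bind_check)
{
    struct iface auth_if = { "auth0", true }, plain_if = { "plain0", false };
    struct neighbor nbr = { &auth_if, false };
    struct packet dbdes_at = { DBDES, true }, dbdes_plain = { DBDES, false };
    struct packet lsupd = { LSUPD, false };

    rx_check(&auth_if, &nbr, &dbdes_at, bind_check);     /* normal adjacency */
    rx_check(&plain_if, &nbr, &dbdes_plain, bind_check); /* DBDes handled under the wrong iface */
    return rx_check(&auth_if, &nbr, &lsupd, bind_check);
}

int main(void)
{
    printf("unbound: %d, bound: %d\n", replay(false), replay(true));
    return 0;
}
```

In this model, once the remembered flag is flipped, every later LSUpd on the authenticated interface is reported as missing its trailer, regardless of what the sender attached.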