ok great, thank you for your answer!

On Thu, Nov 12, 2015 at 7:01 PM, Ondrej Zajicek <santiago@crfreenet.org> wrote:
> On Thu, Nov 12, 2015 at 05:25:18PM +0100, Alexander Velkov wrote:
> > Hi Ondrej,
> > thank you for your reply!
> > When is this branch planned to be integrated to main?
>
> I guess we will release a new version of BIRD containing RIP from rip-new branch during 2015-12 or 2016-01.
>
> --
> Elen sila lumenn' omentielvo
> Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
Hello,

I have some issues with configuring RIP 'authentication'. I connect a bird v1.6.0 running on an ARM machine with a quagga v0.99.23.1 on a 64bit Ubuntu 14.04 machine.

*Plaintext* (authentication plaintext):

ERROR - bird writes erroneous auth error msg. The two peers connect successfully and exchange routes, but bird writes auth error msg - 'bird: RIP: Authentication failed for 172.16.0.9 on eth0 - wrong password (0)'. Maybe a variable was not correctly set at init?

-- bird.config:
...
protocol rip RIP {
    debug all;
    interface "eth0" {
        ...
        authentication plaintext;
        password "test";
    };

-- bird log:
...
Jun 22 15:21:34 AVILA debug bird: RIP: New neighbor 172.16.0.9 on eth0
Jun 22 15:21:34 AVILA err bird: RIP: Authentication failed for 172.16.0.9 on eth0 - wrong password (0)
Jun 22 15:21:35 AVILA debug bird: RIP: Interface timer fired for eth0
Jun 22 15:21:35 AVILA debug bird: RIP: Sending triggered updates for eth0
Jun 22 15:21:35 AVILA debug bird: RIP: Sending response via eth0
Jun 22 15:21:35 AVILA debug bird: RIP: Response received from 172.16.0.9 on eth0
Jun 22 15:21:35 AVILA debug bird: RIP > added 10.0.4.0/24 via 172.16.0.9 on eth0
Jun 22 15:21:35 AVILA debug bird: RIP > added [best] 10.10.11.0/24 via 172.16.0.9 on eth0
Jun 22 15:21:35 AVILA info bird: net accepted:10.10.11.0/24
Jun 22 15:21:35 AVILA debug bird: RIP < added 10.10.11.0/24 via 172.16.0.9 on eth0

-- quagga.config:
...
ip rip authentication string test

-- quagga log:
2016/06/22 17:25:22 RIP: RECV packet from 172.16.0.4 port 520 on eth1
2016/06/22 17:25:22 RIP: RECV RESPONSE version 2 packet size 84
2016/06/22 17:25:22 RIP: family 0xFFFF type 2 auth string: test
2016/06/22 17:25:22 RIP: 10.2.4.1/32 -> 0.0.0.0 family 2 tag 0 metric 1
2016/06/22 17:25:22 RIP: 10.0.4.0/24 -> 0.0.0.0 family 2 tag 0 metric 1
2016/06/22 17:25:22 RIP: 172.16.0.0/24 -> 0.0.0.0 family 2 tag 0 metric 1
2016/06/22 17:25:22 RIP: RIPv2 simple password authentication from 172.16.0.4
2016/06/22 17:25:22 RIP: RIPv2 simple authentication success
...

*Cryptographic* (authentication cryptographic):

ERROR 1 - peers cannot connect with "id 0". The ripd keychain allows setting 'key 0' but bird does not - error 'Password ID has to be greated than zero.' If I omit setting id parameter (passwords{password "secret"; password 'secret2'; password 'secret 3'}), then the peer authentication is not successful.

ERROR 2 - On successful md5 authentication (using different keys), bird writes again false error messages.

-- bird.config:
...
protocol rip RIP {
    debug all;
    interface "eth0" {
        ...
        authentication cryptographic;
        passwords {
            password "secret" {id 0;};
            password "secret2" {id 1;};
            password "secret3" {id 2;};
        };
    };

-- quagga.config:
...
key chain kChain1
 key 0
  key-string secret
 key 1
  key-string secret2
 key 2
  key-string secret3
interface eth1
 ip rip authentication mode md5
 ip rip authentication key-chain kChain1

-- quagga log (bird config without setting 'id' param):
...
2016/06/23 11:21:54 RIP: RECV packet from 172.16.0.4 port 520 on eth1
2016/06/23 11:21:54 RIP: RECV RESPONSE version 2 packet size 104
2016/06/23 11:21:54 RIP: family 0xFFFF type 3 (MD5 authentication)
2016/06/23 11:21:54 RIP: RIP-2 packet len 84 Key ID 1 Auth Data len 20
2016/06/23 11:21:54 RIP: Sequence Number 1466674388
2016/06/23 11:21:54 RIP: 10.2.4.1/32 -> 0.0.0.0 family 2 tag 0 metric 1
2016/06/23 11:21:54 RIP: 10.0.4.0/24 -> 0.0.0.0 family 2 tag 0 metric 1
2016/06/23 11:21:54 RIP: 172.16.0.0/24 -> 0.0.0.0 family 2 tag 0 metric 1
2016/06/23 11:21:54 RIP: family 0xFFFF type 1 (MD5 data)
2016/06/23 11:21:54 RIP: MD5: E8F8C8C6B6911BB9D7F4983261C5DC
2016/06/23 11:21:54 RIP: RIPv2 MD5 authentication from 172.16.0.4
2016/06/23 11:21:54 RIP: RIPv2 MD5 authentication failure

Best regards,
Alexander Velkov

On Thu, Nov 12, 2015 at 7:23 PM, Alexander Velkov <alvel85@googlemail.com> wrote:
On Thu, Jun 23, 2016 at 11:41:18AM +0200, Alexander Velkov wrote:
> Hello,
>
> I have some issues with configuring RIP 'authentication'. I connect a bird v1.6.0 running on an ARM machine with a quagga v0.99.23.1 on a 64bit Ubuntu 14.04 machine.
>
> *Plaintext* (authentication plaintext):
>
> ERROR - bird writes erroneous auth error msg. The two peers connect successfully and exchange routes, but bird writes auth error msg - 'bird: RIP: Authentication failed for 172.16.0.9 on eth0 - wrong password (0)'. Maybe a variable was not correctly set at init?
Hello

It seems to me that quagga sends two packets, first (at 15:21:34, presumably without authentication) was rejected, second (at 15:21:35, presumably with password) was accepted and contains routes. See:

Jun 22 15:21:34 AVILA debug bird: RIP: New neighbor 172.16.0.9 on eth0
Jun 22 15:21:34 AVILA err bird: RIP: Authentication failed for 172.16.0.9 on eth0 - wrong password (0)
...
Jun 22 15:21:35 AVILA debug bird: RIP: Response received from 172.16.0.9 on eth0
Jun 22 15:21:35 AVILA debug bird: RIP > added 10.0.4.0/24 via 172.16.0.9 on eth0

Could you verify that, e.g. with tcpdump?
> *Cryptographic* (authentication cryptographic):
>
> ERROR 1 - peers cannot connect with "id 0". The ripd keychain allows setting 'key 0' but bird does not - error 'Password ID has to be greated than zero.'
That is true, for some reason BIRD does not allow key id 0 (for both RIP and OSPF crypto authentication) and uses id 1 by default. I will check if there is a reason for that.
> If I omit setting id parameter (passwords{password "secret"; password 'secret2'; password 'secret 3'}), then the peer authentication is not successful.
In that case BIRD uses IDs 1,2,3, while Quagga is configured with IDs 0,1,2, therefore keys are not properly matched.
> ERROR 2 - On successful md5 authentication (using different keys), bird writes again false error messages.
Probably the same issue as in the first case?

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hello again,

Error 1:
You are right, it seems that quagga (ripd) really sends two packets when it starts - the first one is unencrypted with metric 16, the others are properly encrypted.

tcpdump output on the machine running quagga:

# tcpdump -i any port 520 -vvnn
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
15:06:46.408403 IP (tos 0xc0, ttl 1, id 17048, offset 0, flags [DF], proto UDP (17), length 52)
    172.16.0.9.520 > 224.0.0.9.520: [bad udp cksum 0x8c54 -> 0x6e69!] RIPv2, Request, length: 24, routes: 1 or less
          AFI 0, 0.0.0.0/0 , tag 0x0000, metric: 16, next-hop: self
        0x0000:  0102 0000 0000 0000 0000 0000 0000 0000
        0x0010:  0000 0000 0000 0010
15:06:46.408488 IP (tos 0xc0, ttl 1, id 17049, offset 0, flags [DF], proto UDP (17), length 92)
    172.16.0.9.520 > 224.0.0.9.520: [bad udp cksum 0x8c7c -> 0xe9db!] RIPv2, Response, length: 64, routes: 3 or less
          Simple Text Authentication data: test....
          AFI IPv4, 10.0.4.0/24, tag 0x0000, metric: 1, next-hop: self
          AFI IPv4, 10.10.11.0/24, tag 0x0000, metric: 1, next-hop: self
        0x0000:  0202 0000 ffff 0002 5365 6331 3233 2124
        0x0010:  2f28 2923 0000 0000 0002 0000 0a00 0400
        0x0020:  ffff ff00 0000 0000 0000 0001 0002 0000
        0x0030:  0a0a 0b00 ffff ff00 0000 0000 0000 0001
15:06:56.328594 IP (tos 0xc0, ttl 1, id 10361, offset 0, flags [none], proto UDP (17), length 112)
    172.16.0.4.520 > 224.0.0.9.520: [udp sum ok] RIPv2, Response, length: 84, routes: 4 or less
          Simple Text Authentication data: test....
          AFI IPv4, 10.2.4.1/32, tag 0x0000, metric: 1, next-hop: self
          AFI IPv4, 10.0.4.0/24, tag 0x0000, metric: 1, next-hop: self
          AFI IPv4, 172.16.0.0/24, tag 0x0000, metric: 1, next-hop: self
        0x0000:  0202 0000 ffff 0002 5365 6331 3233 2124
        0x0010:  2f28 2923 0000 0000 0002 0000 0a02 0401
        0x0020:  ffff ffff 0000 0000 0000 0001 0002 0000
        0x0030:  0a00 0400 ffff ff00 0000 0000 0000 0001
        0x0040:  0002 0000 ac10 0000 ffff ff00 0000 0000
        0x0050:  0000 0001

The same happens if ripd is configured with MD5 authentication.

Error 2:
Just a notice - in the documentation you find that 'id' format is allowed in the range 0-255. But 0 is not configurable.

Thanks,
Alexander Velkov

On Thu, Jun 23, 2016 at 1:14 PM, Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Thu, Jun 23, 2016 at 04:04:48PM +0200, Alexander Velkov wrote:
> Hello again,
>
> Error 1:
> You are right, it seems that quagga (ripd) really sends two packets when it starts - the first one is unencrypted with metric 16, the others are properly encrypted.
The first one is a RIP request, the rest are RIP responses. Quagga apparently does not sign RIP requests. They are optional, so it is not a big problem, but AFAIK they should be signed and verified in the same way as RIP requests.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
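Two points from this thread are easy to reproduce in code: the key-ID mismatch Ondrej describes (BIRD numbering unspecified keys 1,2,3 against Quagga's chain 0,1,2, so the receiver has no key to check against) and the unauthenticated RIP Request visible in the capture, which a verifier must reject outright. The following is an added example, not BIRD's or Quagga's code: a minimal Keyed-MD5 signer and verifier following the RFC 2082 packet layout, with constructed keychains and route entries.

```python
import hashlib
import hmac
import socket
import struct

AUTH_AFI, AUTH_MD5, MD5_TRAILER = 0xFFFF, 3, 1       # RFC 2082 constants
TRAILER = struct.pack("!HH", AUTH_AFI, MD5_TRAILER)  # 4 octets that precede the 16-byte digest

def md5_key(secret):
    # Keyed-MD5 uses exactly 16 key octets: shorter keys are zero padded, longer ones truncated
    return secret.encode()[:16].ljust(16, b"\x00")

def entry(prefix, mask, metric, afi=2):
    # One 20-byte RIPv2 entry: AFI (2 = IPv4, 0 = whole-table request), tag 0, prefix, mask,
    # next hop 0.0.0.0 (= self), metric
    return struct.pack("!HH4s4s4sI", afi, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), b"\0" * 4, metric)

def sign_response(routes, key_id, secret, seq):
    # RIPv2 Response (command 2) carrying the RFC 2082 auth header and trailing digest
    header = struct.pack("!BBH", 2, 2, 0)
    pkt_len = len(header) + 20 + len(routes)          # length without the 20-byte trailer
    # Auth header: AFI 0xFFFF, type 3, packet length, key id, auth data len, seq, 8 reserved.
    # RFC 2082 puts 16 in auth data len; the Quagga log above reports 20, so verify() ignores it.
    auth = struct.pack("!HHHBBI8x", AUTH_AFI, AUTH_MD5, pkt_len, key_id, 16, seq)
    body = header + auth + routes + TRAILER
    digest = hashlib.md5(body + md5_key(secret)).digest()   # key occupies the digest's place
    return body + digest

def verify(pkt, keychain):
    """Return 'ok' or the reason a receiver using this keychain would reject the packet."""
    if len(pkt) < 24 or struct.unpack("!H", pkt[4:6])[0] != AUTH_AFI:
        return "unauthenticated packet"         # e.g. the Request that BIRD rejected above
    auth_type, pkt_len, key_id = struct.unpack("!HHB", pkt[6:11])
    if auth_type != AUTH_MD5:
        return "unexpected auth type %d" % auth_type
    if pkt_len + 20 != len(pkt) or pkt[pkt_len:pkt_len + 4] != TRAILER:
        return "malformed auth trailer"
    secret = keychain.get(key_id)
    if secret is None:
        return "no key with id %d" % key_id     # key-id mismatch: nothing to check against
    expected = hashlib.md5(pkt[:pkt_len + 4] + md5_key(secret)).digest()
    return "ok" if hmac.compare_digest(expected, pkt[pkt_len + 4:]) else "wrong digest"

QUAGGA_CHAIN = {0: "secret", 1: "secret2", 2: "secret3"}   # kChain1 from the thread
BIRD_DEFAULT = {1: "secret", 2: "secret2", 3: "secret3"}   # ids BIRD assigns when 'id' is omitted
ROUTES = entry("10.0.4.0", "255.255.255.0", 1) + entry("10.10.11.0", "255.255.255.0", 1)
REQUEST = struct.pack("!BBH", 1, 2, 0) + entry("0.0.0.0", "0.0.0.0", 16, afi=0)  # unsigned Request

if __name__ == "__main__":
    pkt = sign_response(ROUTES, 0, "secret", 1466674388)          # Quagga signs with key id 0
    print(verify(pkt, QUAGGA_CHAIN), "/", verify(pkt, BIRD_DEFAULT), "/", verify(REQUEST, BIRD_DEFAULT))
```

Signing the same routes with key id 1 and "secret2" and verifying against BIRD_DEFAULT returns "wrong digest", since that chain has "secret" under id 1: matching ids with different secrets fails just as silently as missing ids.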
Hi Ondrej,
> The first one is a RIP request, the rest are RIP responses. Quagga apparently does not sign RIP requests. They are optional, so it is not a big problem, but AFAIK they should be signed and verified in the same way as RIP requests.
OK. Yes, having the whole communication process encrypted sounds more adequate.

On Tue, Jun 28, 2016 at 12:22 PM, Ondrej Zajicek <santiago@crfreenet.org> wrote:
On Tue, Jun 28, 2016 at 01:59:05PM +0200, Alexander Velkov wrote:
> Hi Ondrej,
>
> > The first one is a RIP request, the rest are RIP responses. Quagga apparently does not sign RIP requests. They are optional, so it is not a big problem, but AFAIK they should be signed and verified in the same way as RIP requests.
This should provide some insights (the paragraphs about RIPv1): http://www.nongnu.org/quagga/docs/docs-multi/RIP-Authentication.html
> OK. Yes, having the whole communication process encrypted sounds more adequate.
I don't think anything is encrypted here, this is just peer authentication using a shared secret.
> I don't think anything is encrypted here, this is just peer authentication using a shared secret.
correct, my mistake :)

On Tue, Jun 28, 2016 at 5:14 PM, Baptiste Jonglez <baptiste@bitsofnetworks.org> wrote: