OSPF authentication supported for IPv6 / OSPFv3?
Hello Bird users,

I'm trying to get authentication enabled on my OSPF sessions. I'm running Bird 1.6.4 on Debian 9.8. I have the following config in my ospf.conf:

    protocol ospf ospf1 {
        import filter only_loopbacks;
        export filter only_loopbacks;
        area 0.0.0.0 {
            interface "lo";
            interface "eno1" {
                type pointopoint;
                bfd on;
            };
            interface "eno2" {
                type pointopoint;
                bfd on;
            };
            interface "eno3" {
                type pointopoint;
                bfd on;
                authentication cryptographic;
                password "Test123";
            };
        };
    }

I include this ospf.conf in both bird.conf and bird6.conf. For IPv4 Bird it works without an issue and the sessions (over eno3) are authenticated. For IPv6 I see the following error when I try to load the config:

    # birdc6 configure check
    BIRD 1.6.4 ready.
    Reading configuration from /etc/bird/bird6.conf
    /etc/bird/ospf.conf, line 17: Authentication not supported in OSPFv3

When I check https://bird.network.cz/?get_doc&v=16&f=bird-6.html#ss6.8 I see the following:

    "authentication cryptographic
    An authentication code is appended to every packet. The specific cryptographic algorithm is selected by option algorithm for each key. The default cryptographic algorithm for OSPFv2 keys is Keyed-MD5 and for OSPFv3 keys is HMAC-SHA-256. Passwords are not sent open via network, so this mechanism is quite secure. Packets can still be read by an attacker."

So, I think it should work for IPv6 too. What am I doing wrong? Or did I hit a bug of some kind?

Kind regards,
Cybertinus
On Mon, Mar 04, 2019 at 08:56:10PM +0100, Cybertinus wrote:
> Hello Bird users,
>
> I'm trying to get authentication enabled on my OSPF sessions. I'm running Bird 1.6.4 on Debian 9.8. I have the following config in my ospf.conf:

Hi

OSPFv3 in base spec does not have authentication. BIRD implements RFC 7166 extension (Authentication trailer for OSPFv3) since version 2.0.3, so it is not available in 1.6.4.

> When I check https://bird.network.cz/?get_doc&v=16&f=bird-6.html#ss6.8 I see the following:

This seems like a bug in documentation, where some patch intended for BIRD 2.0 leaked also to 1.6 branch.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hello Ondrej,

Right. Thanks for your reply, that explains a lot. I will abandon my plan to add authentication to my OSPF sessions for now, and will add that once I've migrated this network to Bird 2.0.x (this is on the todo-list somewhere, but 1.6.x works fine for now, so the priority of this project isn't that high).

Kind regards,
Cybertinus

On 2019-03-05 01:03, Ondrej Zajicek wrote:
> On Mon, Mar 04, 2019 at 08:56:10PM +0100, Cybertinus wrote:
>> Hello Bird users,
>>
>> I'm trying to get authentication enabled on my OSPF sessions. I'm running Bird 1.6.4 on Debian 9.8. I have the following config in my ospf.conf:
>
> Hi
>
> OSPFv3 in base spec does not have authentication. BIRD implements RFC 7166 extension (Authentication trailer for OSPFv3) since version 2.0.3, so it is not available in 1.6.4.
>
>> When I check https://bird.network.cz/?get_doc&v=16&f=bird-6.html#ss6.8 I see the following:
>
> This seems like a bug in documentation, where some patch intended for BIRD 2.0 leaked also to 1.6 branch.
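
For readers planning the same migration: a sketch of the OSPFv3 side of the configuration from this thread under BIRD 2.0.3 or later, where the RFC 7166 authentication trailer mentioned above is available. This is an added example, not taken from either poster's messages. The instance name ospf6, the key id and the key text are placeholders, and the only_loopbacks filter and a BFD protocol instance are assumed to be defined elsewhere in the config.

```conf
# BIRD 2.x: the protocol version is stated explicitly, and the import and
# export filters move into the ipv6 channel block.
protocol ospf v3 ospf6 {                 # "ospf6" is a placeholder name
    ipv6 {
        import filter only_loopbacks;    # filter from the original config
        export filter only_loopbacks;
    };
    area 0.0.0.0 {
        interface "lo";
        interface "eno1" {
            type pointopoint;
            bfd on;
        };
        interface "eno2" {
            type pointopoint;
            bfd on;
        };
        interface "eno3" {
            type pointopoint;
            bfd on;
            # Accepted for OSPFv3 only from BIRD 2.0.3 on (RFC 7166 trailer).
            authentication cryptographic;
            password "REPLACE-WITH-SHARED-KEY" {   # placeholder key text
                id 1;                               # placeholder key id
                # HMAC-SHA-256 is the documented default for OSPFv3 keys;
                # set here explicitly so both ends are unambiguous.
                algorithm hmac sha256;
            };
        };
    };
}
```

Both ends of the eno3 link need the same key id, key text and algorithm. Until then, with the shared ospf.conf on 1.6.4, only the IPv4 adjacency on eno3 is authenticated.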
Participants (2): Cybertinus, Ondrej Zajicek