Hi all,

I'm trying to use the RIP protocol of BIRD in MD5 authentication mode. I use bird version 1.2.1. While checking interoperability with quagga (I use for this the zeroshell distribution running quagga ripd 0.98.4), MD5 authentication failed with the message: "MD5 tail signature is not there". I then used Wireshark to capture a RIP response packet sent by bird and found that the MD5 authentication data trailer starts with "FFFF 0100". The same packet from quagga ripd starts with "FFFF 0001". Looking in RFC 2082, the value from quagga seems to be the right one. Historically, the value "FFFF 0001" was used by bird but this was changed to "FFFF 0100" in a patch resolving "RIP authentication problem with cisco". So can someone tell me what is the right value? Following RFC 2082, it seems that we should use "FFFF 0001" but I don't have cisco products and don't want to break cisco compatibility....

Regards,
Jean PEREIRA
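As an added illustration (not code from this thread, from BIRD or from Quagga), the following Python builds a RIPv2 response with RFC 2082 keyed-MD5 authentication and validates it the way a receiver would, so the two trailer variants seen in the capture can be compared side by side; the route, password, key ID and sequence number are constructed sample values, and the function names are mine.

```python
import hashlib
import hmac
import socket
import struct

MD5_AUTH_TYPE = 3                      # RFC 2082 "Keyed MD5" authentication type
RFC2082_TRAILER = b"\xff\xff\x00\x01"  # AFI 0xFFFF then 0x0001, as sent on the wire

def build_md5_response(routes, password, key_id, seq, trailer=RFC2082_TRAILER):
    """RIPv2 response with RFC 2082 keyed-MD5 authentication.
    routes: (prefix, mask, next_hop, metric) tuples with dotted-quad strings.
    trailer: the 4 bytes placed before the digest; the RFC value is FF FF 00 01.
    """
    header = struct.pack("!BBH", 2, 2, 0)             # command=response, version 2, zero
    body = b"".join(struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(p), socket.inet_aton(m),
                                socket.inet_aton(n), metric) for p, m, n, metric in routes)
    packet_len = len(header) + 20 + len(body)         # offset of the trailer in the packet
    auth_hdr = struct.pack("!HHHBBIII", 0xFFFF, MD5_AUTH_TYPE, packet_len, key_id, 16, seq, 0, 0)
    key = password[:16].ljust(16, b"\x00")            # key zero-padded to 16 bytes stands in
    signed = header + auth_hdr + body + trailer       # for the digest while hashing
    return signed + hashlib.md5(signed + key).digest()

def verify_md5_response(packet, password):
    """Return 'ok' or the reason a receiver would reject the packet."""
    if len(packet) < 24 or packet[4:8] != struct.pack("!HH", 0xFFFF, MD5_AUTH_TYPE):
        return "no md5 authentication header"
    packet_len, _key_id, auth_len, _seq = struct.unpack("!HBBI", packet[8:16])
    if auth_len != 16 or packet_len + 20 != len(packet):  # ties the wire offset to real length
        return "packet length in auth header does not match"
    trailer, received = packet[packet_len:packet_len + 4], packet[packet_len + 4:]
    if trailer != RFC2082_TRAILER:
        return "md5 tail signature is not there"           # the Quagga error from the thread
    key = password[:16].ljust(16, b"\x00")
    expected = hashlib.md5(packet[:packet_len + 4] + key).digest()
    if not hmac.compare_digest(received, expected):         # constant-time comparison
        return "md5 digest mismatch"
    return "ok"

def tag_as_read_without_ntohs(trailer, little_endian=True):
    """The 16-bit value C code sees if it reads the trailer's second field in host order."""
    return struct.unpack("<H" if little_endian else ">H", trailer[2:4])[0]

if __name__ == "__main__":
    routes = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 2)]   # constructed sample route
    print(verify_md5_response(build_md5_response(routes, b"secret", 1, 7), b"secret"))
    variant = build_md5_response(routes, b"secret", 1, 7, trailer=b"\xff\xff\x01\x00")
    print(verify_md5_response(variant, b"secret"))
    print(hex(tag_as_read_without_ntohs(RFC2082_TRAILER)))
```

Validating the packet built with the trailer bytes FF FF 01 00 reproduces the "MD5 tail signature is not there" rejection, while the last function shows that the RFC bytes 00 01 read as 0x0100 when C code compares the field in host byte order on a little-endian machine.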
On Fri, Apr 02, 2010 at 03:51:32PM +0200, jp wrote:
> Hi all, I'm trying to use the RIP protocol of BIRD in MD5 authentication mode. I use bird version 1.2.1.
> historically, the value "FFFF 0001" was used by bird but this was changed to "FFFF 0100" in a patch resolving "RIP authentication problem with cisco".
Hello

Thank you for the note. Unfortunately, I don't know anything about that patch. I will check that to make it compatible with both Quagga and Cisco.

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hello,

If it can help, the MD5 trailer modification appeared in the following message on the bird mailing list:

Regards,
Jean

List: bird-users
Subject: Re: RIP authentication problem with cisco
From: Eric Leblond <eleblond () init-sys ! com>
Date: 2003-04-04 8:46:53

On Fri, 2003-04-04 at 10:40, Eric Leblond wrote:
> Hi,
>
> I've modified the code to make RIP V2 with auth (password and md5) work.
Well the diff was not well done, I send you another one.

--
Eric Leblond <eleblond@init-sys.com>
Init-Sys

["diff-bird-ripv2-auth" (diff-bird-ripv2-auth)]

Only in bird/CVS: Root~ diff -ru bird/proto/rip/auth.c bird.auth/proto/rip/auth.c --- bird/proto/rip/auth.c Sat Sep 21 13:57:48 2002 +++ bird.auth/proto/rip/auth.c Fri Apr 4 08:44:44 2003 @@ -3,6 +3,9 @@ * * Copyright (c) 1999 Pavel Machek <pavel@ucw.cz> * + * Eric Leblond 04/04/2002 <eleblond@init-sys.com> : + * auth modifications + * * Can be freely distributed and used under the terms of the GNU GPL. */ @@ -33,7 +36,7 @@ rip_incoming_authentication( struct proto *p, struct rip_block_auth *block, struct \ rip_packet *packet, int num, ip_addr whotoldme ) { DBG( "Incoming authentication: " ); - switch (block->authtype) { /* Authentication type */ + switch (ntohs(block->authtype)) { /* Authentication type */ case AT_PLAINTEXT: { struct password_item *passwd = get_best_password( P_CF->passwords, 0 ); @@ -54,14 +57,13 @@ { struct password_item *head; struct rip_md5_tail *tail; - - if (block->packetlen != PACKETLEN(num)) { + if (ntohs(block->packetlen) != PACKETLEN(num) - sizeof(struct rip_md5_tail) ) \ { log( L_ERR "Packet length in MD5 does not match computed value" ); return 1; } - tail = (struct rip_md5_tail *) ((char *) packet + (block->packetlen - \ sizeof(struct rip_block_auth))); - if ((tail->mustbeFFFF != 0xffff) || (tail->mustbe0001 != 0x0001)) { + tail = (struct rip_md5_tail *) ((char *) packet + (ntohs(block->packetlen) )); + if ((tail->mustbeFFFF != 0xffff) || (tail->mustbe0001 != 0x0100)) { log( L_ERR "MD5 tail signature is not there" ); return 1; }
@@ -89,13 +91,13 @@ char md5sum_packet[16]; char md5sum_computed[16]; + memset(md5sum_packet,0,16); memcpy(md5sum_packet, tail->md5, 16); password_strncpy(tail->md5, head->password, 16); MD5Init(&ctxt); - MD5Update(&ctxt, (char *) packet, block->packetlen ); + MD5Update(&ctxt, (char *) packet, ntohs(block->packetlen) + sizeof(struct \ rip_block_auth) ); MD5Final(md5sum_computed, &ctxt); - if (memcmp(md5sum_packet, md5sum_computed, 16)) return 1; return 0; @@ -129,7 +131,7 @@ return PACKETLEN(num); } - block->authtype = P_CF->authtype; + block->authtype = htons(P_CF->authtype); block->mustbeFFFF = 0xffff; switch (P_CF->authtype) { case AT_PLAINTEXT: @@ -139,26 +141,26 @@ { struct rip_md5_tail *tail; struct MD5Context ctxt; - static int sequence = 0; + static uint32_t sequence = 0; if (num > PACKET_MD5_MAX) bug( "We can not add MD5 authentication to this long packet" ); block->keyid = passwd->id; - block->authlen = 20; + block->authlen = sizeof(struct rip_block_auth); block->seq = sequence++; block->zero0 = 0; block->zero1 = 0; - block->packetlen = PACKETLEN(num) + block->authlen; - - tail = (struct rip_md5_tail *) ((char *) packet + (block->packetlen - \ sizeof(struct rip_block_auth))); + block->packetlen = htons(PACKETLEN(num)); + tail = (struct rip_md5_tail *) ((char *) packet + PACKETLEN(num) ); tail->mustbeFFFF = 0xffff; - tail->mustbe0001 = 0x0001; - password_strncpy( (char *) (&tail->md5), passwd->password, 16 ); + tail->mustbe0001 = 0x0100; + memset(tail->md5,0,16); + password_strncpy( tail->md5, passwd->password, 16 ); MD5Init(&ctxt); - MD5Update(&ctxt, (char *) packet, block->packetlen ); - MD5Final((char *) (&tail->md5), &ctxt); + MD5Update(&ctxt, (char *) packet, PACKETLEN(num) + sizeof(struct \ rip_md5_tail)); + MD5Final(tail->md5, &ctxt); return PACKETLEN(num) + block->authlen; } default:
On Thursday, 08 April 2010 at 10:20 +0200, Ondrej Zajicek wrote:
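Review bot: the attribution line added to the file header (`+ * Eric Leblond 04/04/2002 <eleblond@init-sys.com> :`) carries the year 2002, while the `+++` timestamp in the diff header and the message date are 4 April 2003; correct the date, or drop the dated attribution and let the version control log carry it.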
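Review bot: in the incoming check of the `@@ -54,14 +57,13 @@` hunk, `tail->mustbe0001 != 0x0100` compares a 16-bit wire field in host byte order, so the test is endian-dependent: RFC 2082 defines the trailer as AFI 0xFFFF followed by the 16-bit value 0x0001, i.e. bytes FF FF 00 01 on the wire, which read as 0x0100 only on a little-endian host and as 0x0001 on a big-endian one. The portable form is `ntohs(tail->mustbe0001) != 0x0001`, matching the `ntohs()` this same hunk introduces for `packetlen` and `authtype`. Keep the `ntohs(block->packetlen) != PACKETLEN(num) - sizeof(struct rip_md5_tail)` test ahead of the `tail` pointer computation exactly as it is here: `packetlen` comes from the wire, and that comparison against the received length is what keeps `tail` inside the received packet.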
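Review bot: in the `@@ -89,13 +91,13 @@` hunk, `memset(md5sum_packet,0,16)` directly before `memcpy(md5sum_packet, tail->md5, 16)` is redundant, because the memcpy overwrites all 16 bytes. The hashed length `ntohs(block->packetlen) + sizeof(struct rip_block_auth)` only matches the sender's `PACKETLEN(num) + sizeof(struct rip_md5_tail)` in the last hunk because both structures happen to be 20 bytes; use `sizeof(struct rip_md5_tail)` on both sides so the two cannot drift apart. The `memcmp` on the digest would also be better as a constant-time comparison.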
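Review bot: in the `@@ -139,26 +141,26 @@` hunk, `block->seq = sequence++` stores the 32-bit sequence number in host byte order while the same hunk converts `packetlen` with `htons()`; write `htonl(sequence++)` so the field is big-endian on the wire like the other multi-byte fields. The same byte-order point applies to `tail->mustbe0001 = 0x0100` as to the incoming check: `htons(0x0001)` emits the RFC 2082 bytes FF FF 00 01 on every host, which is also the trailer Quagga sends according to the capture in this thread. The counter also restarts from 0 on every process start, so a peer that remembers the last sequence number it accepted for this key may discard packets after a restart until the counter overtakes it; seeding it from the clock avoids that.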
> On Fri, Apr 02, 2010 at 03:51:32PM +0200, jp wrote:
> > Hi all, I'm trying to use the RIP protocol of BIRD in MD5 authentication mode. I use bird version 1.2.1.
> > historically, the value "FFFF 0001" was used by bird but this was changed to "FFFF 0100" in a patch resolving "RIP authentication problem with cisco".
> Hello
>
> Thank you for the note. Unfortunately, I don't know anything about that patch. I will check that to make it compatible with both Quagga and Cisco.