Hello,

I face a problem when configuring RIP with MD5 authentication in bird. I find no examples in configuring bird this way, so maybe this could be added to the documentation.

This is the bird configuration I use:

    protocol kernel {
            scan time 20;       # Scan kernel routing table every 20 seconds
            export all;         # Default is export none
            learn;
            device routes;
    }

    protocol device {
            scan time 10;       # Scan interfaces every 10 seconds
    }

    protocol direct {
            interface "eth0";
    }

    filter rip_export {
            # redistribute connected
            if ( source = RTS_DEVICE ) then {
                    print "net accepted:", net;
                    accept;
            }
            reject;
    }

    protocol rip RIP {
            debug all;
            honor neighbor;
            authentication md5;
            passwords {
                    password "secret";
            };
            port 520;
            interface "eth0" {
                    mode multicast;
            };
            import all;
            export filter rip_export;
    }

I tried to configure bird with the configuration above to connect to quagga (v0.99.23.1) and also to another instance of bird (v1.4.4 and v1.5.0). In both cases I get an error message in the logs that the authentication has failed:

    Nov 11 15:39:12 AVILA err bird: MD5 tail signature is not there
    Nov 11 15:39:12 AVILA err bird: RIP: Authentication failed

In case I use plain configuration (authentication plaintext) instead of MD5 then the boxes connect successfully and routes are exchanged.

Do I use a wrong RIP configuration or is this a bug in bird?

Best regards,
Alexander Velkov
On Thu, Nov 12, 2015 at 04:20:06PM +0100, Alex Lalik wrote:
Hello,
I face a problem when configuring RIP with MD5 authentication in bird. I find no examples in configuring bird this way, so maybe this could be added to the documentation. ... In case I use plain configuration (authentication plaintext) instead of MD5 then the boxes connect successfully and routes are exchanged. Do I use a wrong RIP configuration or is this a bug in bird ?
Hello

Well, the current RIP implementation is not in good shape, so this is likely a bug in it. I would suggest trying the devel version of BIRD from our Git repository, branch rip-new. It fixes many bugs and adds many new features to the RIP. Note that it also changes some options, e.g. options like authentication, password, port are per-interface (like in OSPF), and the honor option is removed.

-- 
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Hi Alex. On 2015-11-12 16:20, Alex Lalik wrote:
protocol rip RIP {
debug all;
honor neighbor;
authentication md5;
passwords {
password "secret";
};
Configuration of the password like this

    protocol rip RIP {
            debug all;
            honor neighbor;
            authentication md5;
            password "secret";
    }

should work.

Best,
Pavel
Hi Pavel,

I tried your suggestion and defined the password field as a single line. I tried out the behavior on different architectures.

- when bird runs on a little endian box, then there is no error and the boxes can successfully authenticate, even when the pass is specified in a passwords block.
- when bird runs on a big endian box (e.g. running an arm processor), then the error "MD5 tail signature is not there" occurs as before no matter if the pass is defined in one line or in a passwords block.

Another question. In Quagga you may define a key-chain containing multiple keys to be used for the MD5 authentication. Does it work the same way in bird? I thought defining a passwords block containing multiple password entries like:

    passwords {
            password "secret 1";
            password "secret 2";
    };

Best regards,
Alexander Velkov
On Thu, Nov 12, 2015 at 06:28:34PM +0100, Alexander Velkov wrote:
Hi Pavel,
I tried your suggestion and defined the password field as a single line. I tried out the behavior on different architectures.
Single line versus one password in passwords block should not make difference.
- when bird runs on a little endian box, then there is no error and the boxes can successfully authenticate, even when the pass is specified in a passwords block. - when bird runs on a big endian box (e.g. running an arm processor), then the error "MD5 tail signature is not there" occurs as before no matter if the pass is defined in one line or in a passwords block.
Yes, issue with MD5 not working with big endian is known bug in current RIP, fixed in rip-new.
Another question. In Quagga you may define a key-chain containing multiple keys to be used for the MD5 authentication. Does it work the same way in bird ? I thought defining a passwords block containing multiple password entries like:
passwords { password "secret 1"; password "secret 2"; };
Yes, this should work. Note that with multiple passwords it is a good idea to explicitly specify the 'id' key parameter. Also note that there is a limitation in RIP MD5 auth with multiple passwords in BIRD: all passwords share the same sequence number (with one neighbor), which may cause interoperability problems with implementations that send separate independent sequence numbers for each password.

-- 
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
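The two mechanisms under discussion in this thread, the MD5 "tail signature" that bird fails to find and the per-neighbor sequence number that is shared across passwords, are easier to reason about with the wire format in front of you. The following is an added example, not code from the original thread, from BIRD or from Quagga. It builds and verifies a RIPv2 response carrying RFC 2082 keyed-MD5 authentication, following my reading of that RFC: the digest is MD5 over the packet up to and including the 0xFFFF/0x0001 trailer tag, with the key zero-padded to 16 bytes appended. It then replays the multi-key case Ondrej describes: a constructed peer that keeps an independent sequence counter per key, received once by a verifier that tracks one counter per neighbor and once by a verifier that tracks one per (neighbor, key id). The neighbor address, key ids, secrets, route and sequence values are all made up for the example; nothing here is BIRD's actual receive path.

```python
# Added example: RFC 2082 keyed-MD5 authentication for RIPv2, build and verify,
# plus per-neighbour versus per-key sequence-number tracking. Not BIRD or Quagga
# code; wire layout and digest input follow my reading of RFC 2082
# (digest = MD5(packet through the 0xFFFF/0x0001 trailer tag || key padded to
# 16 bytes)). All multi-byte fields use network byte order ('!' in struct),
# so the bytes hashed are identical on little- and big-endian hosts.
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION = 2
AF_AUTH = 0xFFFF            # address family that marks an authentication entry
AUTH_TYPE_MD5 = 3           # RFC 2082 keyed message digest
AUTH_TRAILER_TAG = 0x0001
MD5_LEN = 16
ENTRY_LEN = 20              # every RIPv2 entry, auth or route, is 20 bytes
TRAILER_TAG = struct.pack("!HH", AF_AUTH, AUTH_TRAILER_TAG)


def _pad_key(key: bytes) -> bytes:
    if len(key) > MD5_LEN:
        raise ValueError("RFC 2082 keyed MD5 uses at most 16 key bytes")
    return key.ljust(MD5_LEN, b"\x00")


def _route_entry(prefix: str, mask: str, nexthop: str, metric: int) -> bytes:
    # AF_INET (2), route tag 0, prefix, mask, next hop, metric
    return struct.pack("!HH4s4s4sI", 2, 0,
                       ipaddress.IPv4Address(prefix).packed,
                       ipaddress.IPv4Address(mask).packed,
                       ipaddress.IPv4Address(nexthop).packed, metric)


def build_md5_response(routes, key_id: int, seq: int, key: bytes) -> bytes:
    """Header, MD5 auth entry, route entries, trailer tag, 16-byte digest."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    body = b"".join(_route_entry(*r) for r in routes)
    # "RIP-2 Packet Length": offset of the trailer tag from the start of the header.
    pkt_len = len(header) + ENTRY_LEN + len(body)
    auth = struct.pack("!HHHBBI8x", AF_AUTH, AUTH_TYPE_MD5, pkt_len,
                       key_id, MD5_LEN, seq)
    unsigned = header + auth + body + TRAILER_TAG
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


def verify_md5_response(packet: bytes, keys: dict) -> tuple:
    """Return (ok, key_id, seq, reason); keys maps key id -> secret bytes."""
    if len(packet) < 4 + ENTRY_LEN + 4 + MD5_LEN:
        return False, None, None, "packet too short"
    af, atype, pkt_len, key_id, alen, seq = struct.unpack("!HHHBBI", packet[4:16])
    if af != AF_AUTH or atype != AUTH_TYPE_MD5 or alen != MD5_LEN:
        return False, None, None, "no keyed-MD5 auth entry"
    if pkt_len + 4 + MD5_LEN != len(packet):
        return False, key_id, seq, "packet length field inconsistent with datagram"
    if packet[pkt_len:pkt_len + 4] != TRAILER_TAG:
        return False, key_id, seq, "MD5 trailer tag missing"
    key = keys.get(key_id)
    if key is None:
        return False, key_id, seq, "unknown key id"
    expected = hashlib.md5(packet[:pkt_len + 4] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return False, key_id, seq, "digest mismatch"
    return True, key_id, seq, "ok"


class ReplayState:
    """Last-seen sequence numbers, one per neighbour or one per (neighbour, key id)."""

    def __init__(self, per_key: bool):
        self.per_key = per_key
        self.last = {}

    def accept(self, neighbour: str, key_id: int, seq: int) -> bool:
        k = (neighbour, key_id) if self.per_key else neighbour
        prev = self.last.get(k)
        if prev is not None and seq < prev:   # RFC 2082: sequence must be non-decreasing
            return False
        self.last[k] = seq
        return True


def sequence_interop_demo():
    """Constructed peer 192.0.2.1 with two keys, each on its own counter."""
    keys = {1: b"secret 1", 2: b"secret 2"}
    routes = [("10.1.0.0", "255.255.0.0", "0.0.0.0", 1)]
    sent = [(1, 100), (1, 101), (2, 5)]     # (key id, sequence number), constructed
    shared = ReplayState(per_key=False)
    per_key = ReplayState(per_key=True)
    results = []
    for key_id, seq in sent:
        pkt = build_md5_response(routes, key_id, seq, keys[key_id])
        ok, kid, s, reason = verify_md5_response(pkt, keys)
        results.append((kid, s, ok and shared.accept("192.0.2.1", kid, s),
                        ok and per_key.accept("192.0.2.1", kid, s)))
    return results


if __name__ == "__main__":
    for row in sequence_interop_demo():
        print("key %d seq %d: shared-counter receiver %s, per-key receiver %s" % row)
```

The last row of the demo is the interoperability case: the packet under key 2 carries a valid digest, yet a receiver keeping a single counter per neighbor rejects it as a replay because sequence 5 is below the 101 it last saw under key 1, while a per-key receiver accepts it. The replay logic is deliberately minimal (only the non-decreasing rule, no restart handling), and the verifier checks the trailer tag at the offset the packet-length field points to before it touches the digest, which is the check that fails when the two ends disagree about that offset.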