Re: Trouble ospf md5 authentication
Dear Ondrej Zajicek,

You wrote on 22 March 2010, 14:57:44:

> On Mon, Mar 22, 2010 at 10:31:32AM +0200, Vitaliy Kolodinsky wrote:
> I am sorry for a mistake, there should be the opposite inequality. The content
> of the LLS block might be ignored, but we must ensure that we access valid
> data. The fixed patch is attached.

Many thanks. It works. :)

--
Best regards,
Vitaliy Kolodinsky
BYVK-RIPE
ISP Atlant Telecom
kolodin...@telecom.by
Re: Trouble ospf md5 authentication
On Mon, Mar 22, 2010 at 10:31:32AM +0200, Vitaliy Kolodinsky wrote:
> Dear Ondrej Zajicek,
>
> You wrote on 20 March 2010, 3:30:42:
>
> > diff -uprN bird-1.2.1/proto/ospf/packet.c bird-1.2.1-/proto/ospf/packet.c > > --- bird-1.2.1/proto/ospf/packet.c 2010-01-14 11:06:27.0 +0100 > > +++ bird-1.2.1-/proto/ospf/packet.c 2010-03-19 19:24:47.0 +0100 > > @@ -179,7 +179,7 @@ ospf_pkt_checkauth(struct ospf_neighbor > > return 0; > >} > > > > - if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE != size) > > + if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE < size) > >{ > > OSPF_TRACE(D_PACKETS, "OSPF_auth: size mismatch (%d vs %d)", > > ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE, size);
>
> The patch does not work. If the IP packet contains the LLS block, the size

I am sorry for a mistake, there should be the opposite inequality. The content
of the LLS block might be ignored, but we must ensure that we access valid
data. The fixed patch is attached.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

diff -uprN bird-1.2.1/proto/ospf/packet.c bird-1.2.1-/proto/ospf/packet.c --- bird-1.2.1/proto/ospf/packet.c 2010-01-14 11:06:27.0 +0100 +++ bird-1.2.1-/proto/ospf/packet.c 2010-03-22 13:51:40.0 +0100 @@ -179,7 +179,7 @@ ospf_pkt_checkauth(struct ospf_neighbor return 0; } - if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE != size) + if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE > size) { OSPF_TRACE(D_PACKETS, "OSPF_auth: size mismatch (%d vs %d)", ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE, size);
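Review bot: with `> size` the check now guards only against a buffer that is shorter than `ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE`, so the `OSPF_auth: size mismatch (%d vs %d)` trace in the same hunk fires only for truncated packets and no longer describes the condition; suggest wording it as the packet being shorter than its declared length plus digest. The bytes that are now accepted beyond that offset are the LLS block, which is covered neither by the OSPF MD5 digest (computed over the `pkt->length` bytes of the OSPF packet) nor by anything in this function; that is acceptable while BIRD ignores the block, as the reply above says, but a comment at the check should say so explicitly, and any later code that reads the LLS TLVs must validate the block's own length field against `size` before touching them.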
Re: Trouble ospf md5 authentication
Dear Ondrej Zajicek,

You wrote on 20 March 2010, 3:30:42:

> diff -uprN bird-1.2.1/proto/ospf/packet.c bird-1.2.1-/proto/ospf/packet.c > --- bird-1.2.1/proto/ospf/packet.c 2010-01-14 11:06:27.0 +0100 > +++ bird-1.2.1-/proto/ospf/packet.c 2010-03-19 19:24:47.0 +0100 > @@ -179,7 +179,7 @@ ospf_pkt_checkauth(struct ospf_neighbor > return 0; >} > > - if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE != size) > + if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE < size) >{ > OSPF_TRACE(D_PACKETS, "OSPF_auth: size mismatch (%d vs %d)", > ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE, size);

The patch does not work. If the IP packet contains the LLS block, the size
ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE will be less than the size of the IP
packet, as the size of the LLS block is included in the IP packet size. We must
either somehow assume the size of the LLS block or remove all checks on the size
of the packet.

--
Best regards,
Vitaliy Kolodinsky
BYVK-RIPE
ISP Atlant Telecom
kolodin...@telecom.by
Re: Trouble ospf md5 authentication
On Fri, Mar 19, 2010 at 05:52:04PM +0159, Vitaliy Kolodinsky wrote:
> In area 0.0.0.2 there are some Cisco routers, Quagga and an experimental
> BIRD. Cisco and Quagga work perfectly together.
> Cisco sends an LLS Data Block at the end of the OSPF Hello packet.
> Quagga does not send this block.
> The LLS Data Block is described in IETF RFC 4813.
> I may participate in the testing.

Hello

Could you try the attached patch to BIRD 1.2.1? That should fix this issue.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

diff -uprN bird-1.2.1/proto/ospf/packet.c bird-1.2.1-/proto/ospf/packet.c --- bird-1.2.1/proto/ospf/packet.c 2010-01-14 11:06:27.0 +0100 +++ bird-1.2.1-/proto/ospf/packet.c 2010-03-19 19:24:47.0 +0100 @@ -179,7 +179,7 @@ ospf_pkt_checkauth(struct ospf_neighbor return 0; } - if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE != size) + if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE < size) { OSPF_TRACE(D_PACKETS, "OSPF_auth: size mismatch (%d vs %d)", ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE, size);
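Review bot: the inequality in the `ospf_pkt_checkauth` hunk is reversed for what the check has to guarantee. Rejecting when `ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE < size` still rejects exactly the packets the patch is meant to accept (a Hello with a trailing LLS block has declared length plus digest smaller than the buffer, the `88 vs 124` from the log), and it now accepts a buffer that is shorter than the declared length plus digest, so the authentication data this function goes on to read at `pkt->length` lies beyond the received bytes. Suggest `+ if (ntohs(pkt->length) + OSPF_AUTH_CRYPT_SIZE > size)`: reject only when the declared length plus digest does not fit in the buffer, and note in a comment that any bytes past that offset are an LLS block which this function does not verify.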
Re: Trouble ospf md5 authentication
On Fri, Mar 19, 2010 at 06:11:51PM +0100, Csaba Szép wrote:
> Hello!
>
> In my opinion, this is the same issue that I reported on 2009.10.05 in
> this list.

Hello

It is similar (also related to LLS) but not the same issue. The problem you
reported (with error message 'received: options mismatch') was fixed in
version 1.2.0 (I hope). This one is specific to usage of MD5 auth together
with LLS.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Re: Trouble ospf md5 authentication
Hello!

Of course this is only a workaround. But I use this command with Cisco 7200
12.2(28)SB5 software, which is older than 12.3(21).

Another temporary solution is to disable LLS globally:

router ospf 1
 router-id 10.0.0.2
 no capability lls

2010/3/19 Vitaliy Kolodinsky :
> Dear Csaba Szép,
>
> You wrote on 19 March 2010, 19:11:51:
>
>> In my opinion, this is the same issue that I reported on 2009.10.05 in
>> this list.
>
>> Then I disabled LLS on the Cisco side, and after that everything works well.
>
>> ip ospf lls disable
>
> Using ip ospf lls disable is probably quite a good temporary solution, but
> in the old IOS this command does not exist:
>
> bras7(config-subif)# ip ospf lls disa
>                         ^
> % Invalid input detected at '^' marker.
>
> bras7(config-subif)# do sh ver
> Cisco Internetwork Operating System Software
> IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(21), RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
>
> With pleasure I will look at a patch from the author,
> and with no less pleasure test that the patch works.
>
> --
> Best regards,
> Vitaliy Kolodinsky
> BYVK-RIPE
> ISP Atlant Telecom
> kolodin...@telecom.by
Re: Trouble ospf md5 authentication
Dear Csaba Szép,

You wrote on 19 March 2010, 19:11:51:

> In my opinion, this is the same issue that I reported on 2009.10.05 in
> this list.

> Then I disabled LLS on the Cisco side, and after that everything works well.

> ip ospf lls disable

Using ip ospf lls disable is probably quite a good temporary solution, but
in the old IOS this command does not exist:

bras7(config-subif)# ip ospf lls disa
                        ^
% Invalid input detected at '^' marker.

bras7(config-subif)# do sh ver
Cisco Internetwork Operating System Software
IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(21), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport

With pleasure I will look at a patch from the author,
and with no less pleasure test that the patch works.

--
Best regards,
Vitaliy Kolodinsky
BYVK-RIPE
ISP Atlant Telecom
kolodin...@telecom.by
Re: Trouble ospf md5 authentication
Hello!

In my opinion, this is the same issue that I reported on 2009.10.05 in
this list.

Then I disabled LLS on the Cisco side, and after that everything works well.

ip ospf lls disable

2010/3/19 Ondrej Zajicek :
> On Fri, Mar 19, 2010 at 05:52:04PM +0159, Vitaliy Kolodinsky wrote:
>> > Hmm, it seems that Cisco just sends some trash after the end of the OSPF
>> > packet.
>> > Perhaps it would suffice to remove the check in BIRD, but I personally
>> > don't test this compatibility.
>>
>> In area 0.0.0.2 there are some Cisco routers, Quagga and an experimental
>> BIRD. Cisco and Quagga work perfectly together.
>> Cisco sends an LLS Data Block at the end of the OSPF Hello packet.
>> Quagga does not send this block.
>> The LLS Data Block is described in IETF RFC 4813.
>> I may participate in the testing.
>
> Yes, LLS data blocks in OSPF packets are the cause of the problem. Thank
> you for the note, I didn't know about RFC 4813. I will look at this
> issue and send you a patch for BIRD to be able to handle LLS data
> blocks.
>
> --
> Elen sila lumenn' omentielvo
>
> Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
Re: Trouble ospf md5 authentication
On Fri, Mar 19, 2010 at 05:52:04PM +0159, Vitaliy Kolodinsky wrote:
> > Hmm, it seems that Cisco just sends some trash after the end of the OSPF packet.
> > Perhaps it would suffice to remove the check in BIRD, but I personally
> > don't test this compatibility.
>
> In area 0.0.0.2 there are some Cisco routers, Quagga and an experimental
> BIRD. Cisco and Quagga work perfectly together.
> Cisco sends an LLS Data Block at the end of the OSPF Hello packet.
> Quagga does not send this block.
> The LLS Data Block is described in IETF RFC 4813.
> I may participate in the testing.

Yes, LLS data blocks in OSPF packets are the cause of the problem. Thank
you for the note, I didn't know about RFC 4813. I will look at this
issue and send you a patch for BIRD to be able to handle LLS data
blocks.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Re: Trouble ospf md5 authentication
On Fri, Mar 19, 2010 at 04:15:27PM +0159, Vitaliy Kolodinsky wrote:
> Dear Ondrej Zajicek,
>
> You wrote on 19 March 2010, 16:05:04:
>
> > On Fri, Mar 19, 2010 at 01:57:36PM +0200, Vitaliy Kolodinsky wrote:
> >> Dear bird-us...@atrey.karlin.mff.cuni.cz,
> >>
> >> Who has a working BIRD 1.2.1 ospf md5 authentication and Cisco?
> >>
> >>
> >> ---Log File--
> >> Mar 16 17:34:52 vulture2 bird: MyOSPF: OSPF_auth: size mismatch (88 vs 124)
> >> Mar 16 17:34:52 vulture2 bird: Bad OSPF packet from 93.125.5.141 -
> >> authentification failed
>
> > That is strange, could you send me the output of tcpdump on those packets?
> > (tcpdump -s 0 -x)

Hmm, it seems that Cisco just sends some trash after the end of the OSPF packet.
Perhaps it would suffice to remove the check in BIRD, but I personally
don't test this compatibility.

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Re: Trouble ospf md5 authentication
Dear Ondrej Zajicek,

You wrote on 19 March 2010, 16:05:04:

> On Fri, Mar 19, 2010 at 01:57:36PM +0200, Vitaliy Kolodinsky wrote:
>> Dear bird-us...@atrey.karlin.mff.cuni.cz,
>>
>> Who has a working BIRD 1.2.1 ospf md5 authentication and Cisco?
>>
>>
>> ---Log File--
>> Mar 16 17:34:52 vulture2 bird: MyOSPF: OSPF_auth: size mismatch (88 vs 124)
>> Mar 16 17:34:52 vulture2 bird: Bad OSPF packet from 93.125.5.141 -
>> authentification failed

> That is strange, could you send me the output of tcpdump on those packets?
> (tcpdump -s 0 -x)

16:06:51.521476 IP 93.125.5.138 > 224.0.0.5: OSPFv2, Hello, length: 108
0x: 45c0 0090 af0c 0159 c63c 5d7d 058a
0x0010: e000 0005 0201 0048 5d7d 058a 0002
0x0020: 0002 0510 4ba1 5a10 ffe0
0x0030: 000a 1200 0028 5d7d 0587
0x0040: 5d7d 0506 5d7d 0507 5d7d 0586 5d7d 0588
0x0050: 5d7d 058b 5d7d 058c d5b8 e114 6236 9632
0x0060: 077c dcfa 7ea2 cac8 d7c3 af5c 0009
0x0070: 0001 0004 0001 0002 0014 4ba1 5a10
0x0080: 6726 c4b0 26dc 0582 874c 7296 98eb ce77
16:06:53.525031 IP 93.125.5.133 > 224.0.0.5: OSPFv2, Hello, length: 108
0x: 45c0 0090 495f 0159 2bef 5d7d 0585
0x0010: e000 0005 0201 0048 5d7d 0506 0002
0x0020: 0002 0510 4ba2 cd13 ffe0
0x0030: 000a 1200 0028 5d7d 0587
0x0040: 5d7d 0507 5d7d 0586 5d7d 0588 5d7d 058a
0x0050: 5d7d 058b 5d7d 058c d5b8 e114 c33e e87d
0x0060: 19f8 6dd2 3892 e4b8 bf9b 70d7 0009
0x0070: 0001 0004 0001 0002 0014 4ba2 cd13
0x0080: 0f41 ed82 0ae3 c693 6428 af08 8a47 3648
16:06:53.896032 IP 93.125.5.139 > 224.0.0.5: OSPFv2, Hello, length: 108
0x: 45c0 0090 3e6e 0159 36da 5d7d 058b
0x0010: e000 0005 0201 0048 5d7d 058b 0002
0x0020: 0002 0510 4ba2 61c8 ffe0
0x0030: 000a 1200 0028 5d7d 0587
0x0040: 5d7d 0506 5d7d 0507 5d7d 0586 5d7d 0588
0x0050: 5d7d 058a 5d7d 058c d5b8 e114 0c7d 0dac
0x0060: b3fd fd3d 9916 d949 8efd a327 0009
0x0070: 0001 0004 0001 0002 0014 4ba2 61c8
0x0080: b599 46e0 d304 2213 c442 5821 8e1b c562
16:06:54.470461 IP 93.125.5.135 > 224.0.0.5: OSPFv2, LS-Update, length: 64
0x: 45c0 0064 f0b1 0159 84c6 5d7d 0587
0x0010: e000 0005 0204 0040 d5b8 e114 0002
0x0020: 0002 0510 4bac fa49 0001
0x0030: 0e10 2005 0a80 0284 5d7d 0588 8000 0002
0x0040: 4377 0024 00ff
0x0050: 27a9 7d32 4b03 1f70 625c b1ab
0x0060: 1311 6dc0
16:06:54.471771 IP 93.125.5.134 > 224.0.0.6: OSPFv2, LS-Ack, length: 44
0x: 45c0 0050 ba4c 0159 bb3f 5d7d 0586
0x0010: e000 0006 0205 002c 5d7d 0586 0002
0x0020: 0002 0510 0005 5084 0e10 2005
0x0030: 0a80 0284 5d7d 0588 8000 0002 4377 0024
0x0040: fe2a f44a a621 7612 cb02 dfb0 764c 7c4b
16:06:54.543948 IP 93.125.5.135 > 224.0.0.5: OSPFv2, LS-Update, length: 64
0x: 45c0 0064 f0b2 0159 84c5 5d7d 0587
0x0010: e000 0005 0204 0040 d5b8 e114 0002
0x0020: 0002 0510 4bac fa4a 0001
0x0030: 0e10 2005 0a80 013b 5d7d 0588 8000 0002
0x0040: 2bd9 0024 00ff
0x0050: bfcf ad0e ec4a 8105 a36a c4b4
0x0060: 8e0d 1c1c
16:06:54.712154 IP 93.125.5.141 > 224.0.0.5: OSPFv2, Hello, length: 108
0x: 45c0 0090 9e27 0159 d71e 5d7d 058d
0x0010: e000 0005 0201 0048 5d7d 0507 0002
0x0020: 0002 0510 4ba3 661a ffe0
0x0030: 000a 1200 0028 5d7d 0587
0x0040: 5d7d 0506 5d7d 0586 5d7d 0588 5d7d 058a
0x0050: 5d7d 058b 5d7d 058c d5b8 e114 df1f 8fc6
0x0060: 07e8 35a1 7edb 9ec7 6346 7041 0009
0x0070: 0001 0004 0001 0002 0014 4ba3 661a
0x0080: 2514 486c c8c7 7831 b6db bfa6 5196 833a

Mar 19 16:06:51 vulture2 bird: MyOSPF: Running ospf_age cleanup
Mar 19 16:06:51 vulture2 bird: MyOSPF: OSPF_auth: size mismatch (88 vs 124)
Mar 19 16:06:51 vulture2 bird: Bad OSPF packet from 93.125.5.138 - authentification failed
Mar 19 16:06:53 vulture2 bird: MyOSPF: OSPF_auth: size mismatch (88 vs 124)
Mar 19 16:06:53 vulture2 bird: Bad OSPF packet from 93.125.5.133 - authentification failed
Mar 19 16:06:53 vulture2 bird: MyOSPF: OSPF_auth: size mismatch (88 vs 124)
Mar 19 16:06:53 vulture2 bird: Bad OSPF packet from 93.125.5.139 - authentification failed
Mar 19 16:06:54 vulture2 bird: MyOSPF: LSUPD packet received from 93.125.5.135 via vlan200
Mar 19 16:06:54 vulture2 bird: MyOSPF: length 64
Mar 19 16:06:54 vulture2 bird: MyOSPF: router 213.184.225.20
Mar 19 16:06:54 vulture2 bird: MyOSPF: LSA Type: 0005, Id: 10.128.2
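The numbers in the log above line up with the capture: each Hello has an IP total length of 0x0090 = 144 bytes, so 124 bytes of OSPF payload, while the OSPF header declares a length of 0x0048 = 72, and 72 + 16 bytes of MD5 digest = 88. The 36 bytes in between are the Cisco LLS block, which is exactly what Vitaliy's later reply about the LLS size being counted in the IP packet size describes. As an added example, not BIRD's code and not posted by anyone in this thread, the C program below replays the size check from `ospf_pkt_checkauth` in its original (`!=`), first-patch (`<`) and second-patch (`>`) forms against a constructed 124-byte Hello with the same layout (the bytes are built here, not copied from the capture, and the digest is left as zeros), and then walks the LLS block with bounds checks so that a truncated or lying block is rejected rather than read past. The LLS layout (a 2-byte checksum, a 2-byte length in 32-bit words, then TLVs padded to 4 bytes, with type 1 = Extended Options and type 2 = Cryptographic Authentication) follows RFC 5613, which obsoleted RFC 4813; `lls_parse`, `sample_packet`, the `CHECK_*` names and `struct lls_info` are assumptions of this example, and only `OSPF_AUTH_CRYPT_SIZE` mirrors the macro in the patch.

```c
/* Added example, not BIRD code: the size check from ospf_pkt_checkauth() in its
 * original (!=), first-patch (<) and second-patch (>) forms, plus a bounds-checked
 * walk of the LLS block that follows the MD5 digest. Packet bytes are constructed
 * here with the capture's layout (72-byte Hello + 16-byte digest + 36-byte LLS
 * block = 124 bytes), not copied from it; the digest is left as zeros. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define OSPF_AUTH_CRYPT_SIZE 16   /* MD5 digest length, as in BIRD         */
#define OSPF_AUTH_CRYPT      2    /* AuType = cryptographic                */
#define LLS_TLV_EXT_OPTIONS  1    /* RFC 5613 Extended Options TLV         */
#define LLS_TLV_CRYPTO_AUTH  2    /* RFC 5613 Cryptographic Authentication */
#define SAMPLE_LEN           124

enum size_check { CHECK_ORIGINAL_NE, CHECK_PATCH1_LT, CHECK_PATCH2_GT };

/* Declared OSPF length (header bytes 2-3) plus the digest that follows it. */
static size_t declared_with_digest(const uint8_t *buf) {
  uint16_t len;
  memcpy(&len, buf + 2, 2);
  return (size_t) ntohs(len) + OSPF_AUTH_CRYPT_SIZE;
}

/* 1 = accepted, 0 = rejected with "size mismatch", for each variant. */
int ospf_size_check(const uint8_t *buf, size_t size, enum size_check v) {
  if (size < 4) return 0;
  size_t need = declared_with_digest(buf);
  switch (v) {
  case CHECK_ORIGINAL_NE: return need == size;    /* rejects any LLS block      */
  case CHECK_PATCH1_LT:   return !(need < size);  /* rejects LLS, accepts short */
  case CHECK_PATCH2_GT:   return !(need > size);  /* accepts LLS, rejects short */
  }
  return 0;
}

struct lls_info { int tlvs; uint32_t ext_options; int has_crypto_auth; };

/* LLS block: checksum(2), length(2, in 32-bit words incl. this header), then
 * TLVs of type(2) length(2) value padded to 4. tlvs = -1 if anything overruns. */
struct lls_info lls_parse(const uint8_t *buf, size_t size) {
  struct lls_info r = { -1, 0, 0 };
  size_t off = declared_with_digest(buf);
  if (off > size) return r;                       /* what patch 2 guards         */
  if (off == size) { r.tlvs = 0; return r; }      /* no LLS block (Quagga, BIRD) */
  if (size - off < 4) return r;                   /* LLS header cut off          */
  uint16_t words;
  memcpy(&words, buf + off + 2, 2);
  size_t end = off + (size_t) ntohs(words) * 4;
  if (end < off + 4 || end > size) return r;      /* LLS length field lies       */
  r.tlvs = 0;
  for (size_t p = off + 4; p + 4 <= end; r.tlvs++) {
    uint16_t t, l;
    memcpy(&t, buf + p, 2);
    memcpy(&l, buf + p + 2, 2);
    t = ntohs(t); l = ntohs(l);
    size_t padded = ((size_t) l + 3) & ~(size_t) 3;
    if (p + 4 + padded > end) { r.tlvs = -1; return r; }   /* TLV overruns block */
    if (t == LLS_TLV_EXT_OPTIONS && l == 4) {
      uint32_t v;
      memcpy(&v, buf + p + 4, 4);
      r.ext_options = ntohl(v);
    }
    if (t == LLS_TLV_CRYPTO_AUTH) r.has_crypto_auth = 1;
    p += 4 + padded;
  }
  return r;
}

/* Constructed sample (assumption, not capture bytes): Hello with length 72,
 * AuType 2, key id 5, zero digest, then a 9-word LLS block with TLVs 1 and 2. */
const uint8_t *sample_packet(void) {
  static uint8_t pkt[SAMPLE_LEN];
  memset(pkt, 0, sizeof(pkt));
  pkt[0] = 2; pkt[1] = 1; pkt[3] = 72;            /* version 2, Hello, length 72  */
  pkt[15] = OSPF_AUTH_CRYPT;
  pkt[18] = 5; pkt[19] = OSPF_AUTH_CRYPT_SIZE;   /* key id, auth data length     */
  uint8_t *lls = pkt + 72 + OSPF_AUTH_CRYPT_SIZE;
  lls[3] = 9;                                     /* checksum 0, 9 words = 36     */
  lls[5] = 1; lls[7] = 4; lls[11] = 1;            /* TLV 1, len 4, LR-bit         */
  lls[13] = 2; lls[15] = 20;                      /* TLV 2, len 20 (seq + digest) */
  return pkt;
}

int main(void) {
  const uint8_t *p = sample_packet();
  struct lls_info i = lls_parse(p, SAMPLE_LEN);
  printf("124-byte packet: != %d  < %d  > %d; 60-byte buffer: < %d  > %d\n",
         ospf_size_check(p, SAMPLE_LEN, CHECK_ORIGINAL_NE),
         ospf_size_check(p, SAMPLE_LEN, CHECK_PATCH1_LT),
         ospf_size_check(p, SAMPLE_LEN, CHECK_PATCH2_GT),
         ospf_size_check(p, 60, CHECK_PATCH1_LT), ospf_size_check(p, 60, CHECK_PATCH2_GT));
  printf("LLS: %d TLVs, extended options 0x%08x, crypto auth TLV %d\n",
         i.tlvs, (unsigned) i.ext_options, i.has_crypto_auth);
  return 0;
}
```

Run against the full 124-byte packet, the original `!=` check and the first patch's `<` check both reject it (the first patch keeps the `88 vs 124` failure), while only the `>` check accepts it; run against a buffer cut to 60 bytes, the `<` check accepts a packet whose digest would be read past the end of the received data and the `>` check rejects it. The LLS walk is what a consumer of the block would need on top of the `>` check: the OSPF MD5 digest does not cover the LLS bytes, so the block's own length and TLV lengths must be validated against `size` before any TLV is read.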
Re: Trouble ospf md5 authentication
On Fri, Mar 19, 2010 at 01:57:36PM +0200, Vitaliy Kolodinsky wrote:
> Dear bird-us...@atrey.karlin.mff.cuni.cz,
>
> Who has a working BIRD 1.2.1 ospf md5 authentication and Cisco?
>
>
> ---Log File--
> Mar 16 17:34:52 vulture2 bird: MyOSPF: OSPF_auth: size mismatch (88 vs 124)
> Mar 16 17:34:52 vulture2 bird: Bad OSPF packet from 93.125.5.141 -
> authentification failed

That is strange, could you send me the output of tcpdump on those packets?
(tcpdump -s 0 -x)

--
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
Trouble ospf md5 authentication
Dear bird-us...@atrey.karlin.mff.cuni.cz,

Who has a working BIRD 1.2.1 ospf md5 authentication and Cisco?


---Log File--
Mar 16 17:34:52 vulture2 bird: MyOSPF: OSPF_auth: size mismatch (88 vs 124)
Mar 16 17:34:52 vulture2 bird: Bad OSPF packet from 93.125.5.141 - authentification failed

--Configuration---
protocol ospf MyOSPF {
        import all;
#       export all;
        area 2 {
                stub no;
                networks {
                        93.125.5.128/27;
                };
                interface "vlan200" {
                        priority 0;
                        password "xx" { id 5; };
                        authentication cryptographic;
                };
        };
}

--
Best regards,
Vitaliy Kolodinsky