RIP with MD5 authentication

Ondrej Zajicek santiago at crfreenet.org
Thu Jun 23 13:14:57 CEST 2016


On Thu, Jun 23, 2016 at 11:41:18AM +0200, Alexander Velkov wrote:
> Hello,
> 
> I have some issues with configuring RIP 'authentication'.
> I connect a bird v1.6.0 running on an ARM machine with a quagga v0.99.23.1
> on a 64bit Ubuntu 14.04 machine.
> 
> *Plaintext* (authentication plaintext):
> 
>   ERROR - bird writes erroneous auth error msg.
>   the two peers connect successfully and exchange routes, but bird writes
> auth error msg -
>   'bird: RIP: Authentication failed for 172.16.0.9 on eth0 - wrong password
> (0)'
>   Maybe, a variable was not correctly set at init ?

Hello

It seems to me that quagga sends two packets: the first (at 15:21:34,
presumably without authentication) was rejected, the second (at 15:21:35,
presumably with password) was accepted and contains routes.

See:

> Jun 22 15:21:34 AVILA debug bird: RIP: New neighbor 172.16.0.9 on eth0
> Jun 22 15:21:34 AVILA err   bird: RIP: Authentication failed for 172.16.0.9
> on eth0 - wrong password (0)
...
> Jun 22 15:21:35 AVILA debug bird: RIP: Response received from 172.16.0.9 on
> eth0
> Jun 22 15:21:35 AVILA debug bird: RIP > added 10.0.4.0/24 via 172.16.0.9 on
> eth0

Could you verify that, e.g. with tcpdump?


> *Cryptographic* (authentication cryptographic):
> 
>   ERROR 1 - peers cannot connect with "id 0".
>   The ripd keychain allows setting 'key 0' but bird does not - error
> 'Password ID has to be greated than zero.'

That is true, for some reason BIRD does not allow key id 0 (for both RIP
and OSPF crypto authentication) and uses id 1 by default. I will check if
there is a reason for that.


>   If I omit setting id parameter (passwords{password "secret"; password
> 'secret2'; password 'secret 3'}), then the peer authentication is not
> successful.

In that case BIRD uses IDs 1,2,3, while Quagga is configured with IDs 0,1,2,
therefore keys are not properly matched.


>   ERROR 2 - On successful md5 authentication (using different keys), bird
> writes again false error messages.

Probably the same issue as in the first case?


-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
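
Added example, not part of the original message and not code from BIRD or Quagga: a parser for the authentication entry of a RIPv2 UDP payload (RFC 2453 / RFC 2082 layout), to see in captured packets which authentication type and key ID a peer actually sends. The function names and sample payloads are constructed for illustration; the local IDs 1, 2, 3 are the BIRD defaults stated in the reply above.

```python
import struct

AUTH_AFI, AUTH_PLAINTEXT, AUTH_CRYPTO = 0xFFFF, 2, 3

def rip_auth_info(payload: bytes) -> dict:
    """Classify the authentication of one RIPv2 UDP payload (port 520)."""
    if len(payload) < 4:
        raise ValueError("shorter than the 4-byte RIP header")
    info = {"command": payload[0], "version": payload[1],
            "auth": "none", "key_id": None}
    if len(payload) < 24:            # header only, no first entry
        return info
    afi, auth_type = struct.unpack_from("!HH", payload, 4)
    if afi != AUTH_AFI:              # first entry is an ordinary route entry
        return info
    if auth_type == AUTH_PLAINTEXT:
        info["auth"] = "plaintext"   # 16-byte password follows; not returned
    elif auth_type == AUTH_CRYPTO:
        # fields: packet length, key ID, auth data length, sequence number
        _, key_id, _, seq = struct.unpack_from("!HBBI", payload, 8)
        info.update(auth="cryptographic", key_id=key_id, sequence=seq)
    else:
        info["auth"] = "unknown(%d)" % auth_type
    return info

def key_id_mismatch(info: dict, local_ids) -> bool:
    """True when a cryptographic packet uses a key ID not configured locally."""
    return info["auth"] == "cryptographic" and info["key_id"] not in local_ids

# --- constructed sample payloads (not captured traffic) ---
HDR_REQ, HDR_RESP = bytes([1, 2, 0, 0]), bytes([2, 2, 0, 0])
ROUTE = struct.pack("!HH4s4s4sI", 2, 0, bytes([10, 0, 4, 0]),
                    bytes([255, 255, 255, 0]), bytes(4), 1)
UNAUTH_REQUEST = HDR_REQ + struct.pack("!HH12xI", 0, 0, 16)
PLAINTEXT_RESP = HDR_RESP + struct.pack("!HH16s", AUTH_AFI, 2, b"secret") + ROUTE
CRYPTO_RESP_ID0 = (HDR_RESP
                   + struct.pack("!HHHBBI8x", AUTH_AFI, 3, 44, 0, 16, 7)
                   + ROUTE
                   + struct.pack("!HH16s", AUTH_AFI, 1, bytes(16)))  # dummy digest

if __name__ == "__main__":
    for name, pkt in [("request", UNAUTH_REQUEST), ("plaintext", PLAINTEXT_RESP),
                      ("crypto id 0", CRYPTO_RESP_ID0)]:
        info = rip_auth_info(pkt)
        print(name, info, "mismatch:", key_id_mismatch(info, {1, 2, 3}))
```

A packet classified as "none" arriving just before an authenticated one would match the rejected-then-accepted sequence in the log lines quoted above; a cryptographic packet with key ID 0 is flagged as a mismatch against local IDs 1, 2, 3.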