Bird, RPKI/RTR and issues with SSH
Louis Poinsignon
louis.poinsignon at gmail.com
Fri Apr 12 02:52:59 CEST 2019
Hello everyone,
I hope this mailing list is the correct place for my message.
I am the developer of GoRTR (https://github.com/cloudflare/gortr), a tool
to send RPKI/ROA validated data to routers. I just implemented SSH support
(no-auth, password and public key).
With Bird 2.0.2, I managed to setup a cleartext connection.
I made a docker-compose environment with two birds connected and a GoRTR.
https://github.com/lspgn/compose-bird-gortr
While it's not impacting, when the RTR server returns a NO DATA, the client
floods it with requests, as shown by a higher log level of GoRTR.
> gortr_1 | time="2019-04-11T21:40:13Z" level=debug msg="10.1.0.3:54874
> (v1) / Serial: 0: Received PDU Reset Query v1"
> gortr_1 | time="2019-04-11T21:40:13Z" level=debug msg="10.1.0.3:54874
> (v1) / Serial: 0 > Request Cache"
> gortr_1 | time="2019-04-11T21:40:13Z" level=debug msg="10.1.0.3:54874
> (v1) / Serial: 0 < No data"
> gortr_1 | time="2019-04-11T21:40:13Z" level=debug msg="10.1.0.3:54874
> (v1) / Serial: 0: Received PDU Reset Query v1"
> gortr_1 | time="2019-04-11T21:40:13Z" level=debug msg="10.1.0.3:54874
> (v1) / Serial: 0 > Request Cache"
I am not sure if I'm missing a timeout but I feel this may be a bug.
For ssh I am having another issue.
The faulty configuration is the following:
https://github.com/lspgn/compose-bird-gortr/blob/bird-rtr-ssh/bird/config_local/bird1.conf
With the statement:
> protocol rpki gortr {
> debug all;
> roa4 { table t_roa4; };
> roa6 { table t_roa6; };
> remote "10.1.0.4" port 8283;
> transport ssh {
> user "rpki";
> bird private key "/etc/bird/id_rsa";
> };
> retry keep 90;
> refresh keep 900;
> expire keep 172800;
> }
The logs are the following:
> Creating network "bird-gortr-compose_vpcbr" with driver "bridge"
> Creating bird-gortr-compose_gortr_1 ... done
> Creating bird-gortr-compose_bird1_1 ... done
> Attaching to bird-gortr-compose_gortr_1, bird-gortr-compose_bird1_1
> gortr_1 | time="2019-04-12T00:33:16Z" level=info msg="Enabling ssh with
> the following authentications: password=false, key=true"
> gortr_1 | time="2019-04-12T00:33:18Z" level=info msg="New update (79929
> uniques, 79929 total prefixes). 0 bytes. Updating sha256 hash ->
> db4486e353d9f1f7e30ad90ab4b93c0c91adb30dfc572a0493ca8030471768c9"
> gortr_1 | time="2019-04-12T00:33:18Z" level=info msg="Updated added, new
> serial 1"
> gortr_1 | time="2019-04-12T00:33:18Z" level=info msg="Accepted ssh
> connection from 10.1.0.2:33758 (1/0)"
> gortr_1 | time="2019-04-12T00:33:18Z" level=info msg="Connected
> (ssh-key): rpki/10.1.0.2:33758 with key ssh-rsa
> AAAAB3NzaC1yc2EAAAADAQABAAABAQC1PYoRv0xuIMbv6aQZbXUNzqS611+FgahO0tNJ1C/CD2yxmzDuijjiAL3ia3UNPuIwS4Bwukn0EQJP/J2UGM0ABGR6r8n46RzFFkBqVBXrpRNThsD36hSYeUqfir1DChxknXCEG0pLcs5cW3OZagROcW5eZbbbTD40lIglhthtrf/9d241WUcvrhXiE/VaZvj8wi2lY26MuvqDGJgApOK4gi4gLzlr5qT4aDIzUIV0LlYul3hOFX/UMlX0yJg2cgEz/xRRlUfpsx6rQkwQZ0z1lwI0QBvHlON/+Azy/HmGWFcQ2S0V+CWUFHoZ/PBqmBnLT5MBSy5r/9RQVfoaeHBv"
> gortr_1 | time="2019-04-12T00:33:18Z" level=error msg="Error with ssh
> client 10.1.0.2:33758: ssh: unmarshal error for field Language of type
> disconnectMsg"
> gortr_1 | time="2019-04-12T00:33:18Z" level=info msg="Accepted tcp
> connection from 10.1.0.3:55344 (1/0)"
> bird1_1 | bird: gortr: Channel roa4 connected to table t_roa4
> bird1_1 | bird: gortr: Channel roa6 connected to table t_roa6
> bird1_1 | bird: gortr: Initializing
> bird1_1 | bird: gortr: Starting
> bird1_1 | bird: gortr: Changing from Down to Connecting state
> bird1_1 | bird: gortr: Opening a connection
> bird1_1 | bird: gortr: State changed to start
> bird1_1 | bird: Started
> bird1_1 | bird: gortr: Lost connection: Failed to read private key:
> /etc/bird/id_rsa
> bird1_1 | bird: gortr: Changing from Connecting to Transport-Error state
> bird1_1 | bird: gortr: Closing a connection
GoRTR sees the connection with the correct public key but Bird drops it.
If I do not set any "bird private key" statement, it does not connect
either.
Has anyone successfully set up an RTR+SSH session?
Password authentication works well with Cisco routers, but apart from
rtrdump (another tool related to GoRTR) I could not test public key
authentication.
Thank you in advance,
Best,
Louis
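The first issue in the message is a client-side retry policy: after the cache answers a Reset Query with a "No Data Available" error, the router is expected to wait its retry interval (the `retry keep 90;` from the configuration above) before asking again, rather than immediately re-sending a Reset Query. The following Go program is an added example and is not code from GoRTR or BIRD: it encodes the Reset Query and Error Report PDUs as laid out in RFC 8210, parses the common PDU header with a length sanity check, and returns the delay a well-behaved client should apply. The helper names (`ResetQuery`, `ErrorReport`, `ParseHeader`, `NextQueryDelay`) and the sample error text are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// RTR protocol constants taken from RFC 8210 (RTR version 1).
const (
	rtrVersion1        = 1
	pduTypeResetQuery  = 2  // PDU type 2: Reset Query
	pduTypeErrorReport = 10 // PDU type 10: Error Report
	errNoDataAvailable = 2  // Error Report code 2: No Data Available
	headerLen          = 8  // every PDU starts with an 8-byte header
)

// ResetQuery encodes a Reset Query PDU: version, type, a zero 16-bit field
// and the total length, which is just the header.
func ResetQuery(version uint8) []byte {
	b := make([]byte, headerLen)
	b[0] = version
	b[1] = pduTypeResetQuery
	binary.BigEndian.PutUint16(b[2:], 0)
	binary.BigEndian.PutUint32(b[4:], headerLen)
	return b
}

// ErrorReport encodes an Error Report PDU carrying the error code, the PDU
// that triggered it and an optional diagnostic text.
func ErrorReport(version uint8, code uint16, encapsulated []byte, text string) []byte {
	var buf bytes.Buffer
	total := headerLen + 4 + len(encapsulated) + 4 + len(text)
	buf.WriteByte(version)
	buf.WriteByte(pduTypeErrorReport)
	_ = binary.Write(&buf, binary.BigEndian, code)
	_ = binary.Write(&buf, binary.BigEndian, uint32(total))
	_ = binary.Write(&buf, binary.BigEndian, uint32(len(encapsulated)))
	buf.Write(encapsulated)
	_ = binary.Write(&buf, binary.BigEndian, uint32(len(text)))
	buf.WriteString(text)
	return buf.Bytes()
}

// ParseHeader returns the version, PDU type, the 16-bit field (session ID
// or error code, depending on the type) and the declared length, rejecting
// lengths that are shorter than the header or longer than the data we hold.
func ParseHeader(pdu []byte) (ver, typ uint8, field uint16, length uint32, err error) {
	if len(pdu) < headerLen {
		return 0, 0, 0, 0, errors.New("short PDU")
	}
	ver, typ = pdu[0], pdu[1]
	field = binary.BigEndian.Uint16(pdu[2:4])
	length = binary.BigEndian.Uint32(pdu[4:8])
	if length < headerLen || int(length) > len(pdu) {
		err = fmt.Errorf("bad PDU length %d for %d bytes", length, len(pdu))
	}
	return
}

// NextQueryDelay decides how long the client must wait before its next
// Reset Query. On "No Data Available" it returns the retry interval (the
// behaviour the debug log above shows BIRD not applying); other Error
// Report codes are fatal and the session should be closed; any other PDU
// type is a normal data response and needs no extra delay.
func NextQueryDelay(reply []byte, retry time.Duration) (time.Duration, error) {
	_, typ, code, _, err := ParseHeader(reply)
	if err != nil {
		return 0, err
	}
	if typ != pduTypeErrorReport {
		return 0, nil
	}
	if code == errNoDataAvailable {
		return retry, nil
	}
	return 0, fmt.Errorf("fatal error report code %d: close session", code)
}

func main() {
	// Constructed exchange: the router sends a Reset Query, the cache answers
	// with a No Data Available error wrapping that query.
	query := ResetQuery(rtrVersion1)
	reply := ErrorReport(rtrVersion1, errNoDataAvailable, query, "No data")
	delay, err := NextQueryDelay(reply, 90*time.Second)
	fmt.Println("wait before next Reset Query:", delay, "err:", err)
}
```

The length check in `ParseHeader` matters on the server side too: a cache that trusts the declared length of an incoming PDU can be made to read past the buffer or allocate on demand by a misbehaving router, so GoRTR-style servers should apply the same bound before decoding the body.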