OSPFv3 auth problem
Joakim Tjernlund
Joakim.Tjernlund at infinera.com
Thu Mar 11 16:06:53 CET 2021
On Thu, 2021-03-11 at 15:50 +0100, Ondrej Zajicek wrote:
> On Thu, Mar 11, 2021 at 12:35:40PM +0000, Joakim Tjernlund wrote:
> > We have a ring of routers(5 of them) running unnumbered pppoe links between them. Adding OSPF authentication (auth trailer) works OK.
> > However, removing OSPFv3 on ONE interface causes big problem in some cases, we loose auth in the whole ring
> > and routing is then kaputt for all routers.
> >
> > We have noted that some PDUs(like LS update) are sent without auth trailer so the receiving nodes
> > complains with "ospfv3_2: Authentication failed for nbr 0.0.139.1 on p1-1-3-1-4 - missing authentication trailer (0)"
> >
> > OSPFv3 Hello is OK though, it still has its auth trailer.
>
> Hmm, that is strange. There is difference between Hello and LSUpd in
> OSPFv3 Auth receiver code, but not in sending code. That is essentially:
>
> if (ifa->autype != OSPF_AUTH_CRYPT)
> return;
>
> ... attach auth trailer ...
>
>
> > Any ideas?
>
> LSUpd packets do not contain explicit flag whether they use OSPFv3 auth
> trailer. Such information is stored in neighbor structure based on
> received DBDes packet. So 'missing authentication trailer' for LSUpd
> really means that such neighbor structure says 'no auth'. But that
> should not happen as that DBDes packet would be rejected.
>
> One idea is that DBDes packets intended for one iface (non-authenticated)
> were sent to a different iface (authenticated) and they poisoned neighbor
> structure with 'no auth' info.
>
> You say 'loose auth in the whole ring', i can imagine that it will break
> adjacent links, but it will really break even non-adjacent links?
>
Yes, it takes some time(about 30 min) though before the whole ring is gone.
All nodes are seeing "missing authentication trailer" msg.
More information about the Bird-users
mailing list