[quagga-dev 8573] Re: [quagga-users 12172] Quagga 0.99.18 Released (addressing CVE-2010-1674)

paul at jakma.org
Tue Mar 22 11:46:26 GMT 2011


On Mon, 21 Mar 2011, Greg Troxel wrote:

> Then, there are a bunch of other things that come up with opaque lsas
> enabled:

>   ./configure --sysconfdir=/usr/pkg/etc/zebra
> --enable-exampledir=/usr/pkg/share/examples/quagga
> --localstatedir=/var/run/zebra --enable-vtysh --enable-opaque-lsa
> --prefix=/usr/pkg --build=i386--netbsdelf --host=i386--netbsdelf
> --infodir=/usr/pkg/info --mandir=/usr/pkg/man

Looking at it now.

> so I wonder if this was tested with opaque support.  Sort of 
> related, opaque LSAs seem mainstream, so I would propose that we 
> enable them by default.

If we keep opaque LSA support, then yes it should be enabled by 
default. We really shouldn't have default-off optional features, and 
further we should minimise optional features altogether (as we've 
been trying).

Looking at opaque LSA now. Unfortunately opaque does its own 
refreshing, re-implementing various bits of core OSPF behaviour 
(perhaps because the core refresh logic was a bit twisty in the past). 
The last ospfd patch series stamped this out for router & network 
LSA, as it makes things complicated and buggy.

I can try to fix opaque LSAs and certainly make it compile. There are 
2 approaches:

- try to fix it minimally, leaving opaque LSAs' own refresh logic in
   place

- try to fix it by making it use the general refresh infrastructure

However, I have no way of testing it. The only user I've known of it 
was Amir Guindehi's clustering software years ago, and I gather he's 
not running it anymore.

So we need users of opaque LSAs to come forward and help test it. If 
we can't find users, I'm minded to just deprecate and remove it.

regards,
-- 
Paul Jakma  paul at jakma.org  twitter: @pjakma  PGP: 64A2FF6A
Fortune:
A hermit is a deserter from the army of humanity.
