[quagga-dev 10610] Re: RFC-6506(Supporting Authentication Trailer for OSPFv3) implementation in quagga-0.99.21 version

Denis Ovsienko infrastation at yandex.ru
Thu Jul 18 08:01:27 BST 2013


Hello.

Please see below for an explanation of one of the points.

[...]
> The sequence number check in ospf6_check_sha256_digest() is taken wrong and will reject valid packets.
>
> The logic is taken from ospfv2 in quagga-0.99.21 which is a counterpart version of ospfv3 and it has not rejected any valid packet so far.
>
[...]

The sequence number in RFC5709 (OSPFv2) is a 32-bit non-decreasing function. The sequence number in RFC6506 (OSPFv3) is a 64-bit strictly increasing function. The code in the patch is:

+   /* Check crypto seqnum. As done in ospfv2*/
+   on = ospf6_neighbor_lookup (oh->router_id, oi);
+   if (on && ntohl(on->low_order_seqnum) > ntohl(ospf6_at->low_order_seqnum))
+   {
+      zlog_warn ("interface %s: ospf6_check_sha bad Low-order-sequence %d (expect %d)",
+      oi->interface->name,
+      ntohl(ospf6_at->low_order_seqnum),
+	  ntohl(on->ospf6_if->low_order_seqnum));
+      return 0;
+    }
+
+    if (on && ntohl(on->high_order_seqnum) > ntohl(ospf6_at->high_order_seqnum))
+    {
+      zlog_warn ("interface %s: ospf6_check_sha bad High-order-sequence %d (expect %d)",
+	  oi->interface->name,
+	  ntohl(ospf6_at->high_order_seqnum),
+	  ntohl(on->ospf6_if->high_order_seqnum));
+      return 0;
+    }

Consider two following scenarios where this code violates the specification:

1. Saved sequence number is 0x00000001:00000001 (high:low). The packet has sequence number 0x00000001:00000001.
Saved low-order is greater than packet's low-order? No. Saved high-order is greater than packet's high-order? No.
The code continues processing a replayed packet.

2. Saved sequence number is 0x00000001:ffffffff (high:low). The packet has sequence number 0x00000002:00000000.
Saved low-order is greater than packet's low-order? Yes.
The code rejects a packet that has a valid sequence number.

Thank you.

-- 
 Denis Ovsienko




More information about the Quagga-dev mailing list