[quagga-dev 10610] Re: RFC-6506(Supporting Authentication Trailer for OSPFv3) implementation in quagga-0.99.21 version
infrastation at yandex.ru
Thu Jul 18 08:01:27 BST 2013
Please see below for an explanation of one of the points.
> The sequence number check in ospf6_check_sha256_digest() is taken wrong and will reject valid packets.
> The logic is taken from ospfv2 in quagga-0.99.21 which is a counterpart version of ospfv3 and it has not rejected any valid packet so far.
The sequence number in RFC5709 (OSPFv2) is a 32-bit non-decreasing function. The sequence number in RFC6506 (OSPFv3) is a 64-bit strictly increasing function. The code in the patch is:
+ /* Check crypto seqnum. As done in ospfv2*/
+ on = ospf6_neighbor_lookup (oh->router_id, oi);
+ if (on && ntohl(on->low_order_seqnum) > ntohl(ospf6_at->low_order_seqnum))
+ zlog_warn ("interface %s: ospf6_check_sha bad Low-order-sequence %d (expect %d)",
+ return 0;
+ if (on && ntohl(on->high_order_seqnum) > ntohl(ospf6_at->high_order_seqnum))
+ zlog_warn ("interface %s: ospf6_check_sha bad High-order-sequence %d (expect %d)",
+ return 0;
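Review bot: the two halves of the 64-bit sequence number are compared independently and only with `>`, so a packet carrying exactly the saved value (a replay) passes both checks, while a packet whose low-order half wrapped to zero as the high-order half incremented is rejected by the first check. Compose the halves into one value, `((uint64_t) ntohl (ospf6_at->high_order_seqnum) << 32) | ntohl (ospf6_at->low_order_seqnum)`, do the same for the saved neighbour value, and reject unless the packet's value is strictly greater, which is what RFC 6506 requires. Two smaller points: `%d` in the zlog_warn() format strings prints unsigned 32-bit values as signed, so `%u` is the matching conversion, and each `return 0;` should sit in braces together with its warning so that it is visibly conditional on the `if` above it.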
Consider the following two scenarios, in which this code violates the specification:
1. Saved sequence number is 0x00000001:00000001 (high:low). The packet has sequence number 0x00000001:00000001.
Saved low-order is greater than packet's low-order? No. Saved high-order is greater than packet's high-order? No.
The code continues processing a replayed packet.
2. Saved sequence number is 0x00000001:ffffffff (high:low). The packet has sequence number 0x00000002:00000000.
Saved low-order is greater than packet's low-order? Yes.
The code rejects a packet that has a valid sequence number.
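To make the two scenarios concrete, here is an added example, not code from the patch or from Quagga, that places the patch's half-by-half comparison beside a comparison of the composed 64-bit value as RFC 6506 specifies it, and runs both over the two sequence numbers above plus an ordinary increment. The struct and function names are assumptions; only the field names mirror the patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htonl / ntohl */

/* Constructed stand-in for the two halves of the RFC 6506 sequence number,
 * kept in network byte order as they are on the wire. The field names mirror
 * the patch; the struct and the functions below are hypothetical. */
struct at_seqnum {
    uint32_t high_order_seqnum;
    uint32_t low_order_seqnum;
};

static struct at_seqnum make_seqnum(uint32_t high, uint32_t low)
{
    struct at_seqnum s;
    s.high_order_seqnum = htonl(high);
    s.low_order_seqnum = htonl(low);
    return s;
}

/* The check as the patch performs it: each 32-bit half is compared on its own
 * and the packet is accepted unless a saved half exceeds the packet's half. */
static int accept_patch_style(const struct at_seqnum *saved, const struct at_seqnum *pkt)
{
    if (ntohl(saved->low_order_seqnum) > ntohl(pkt->low_order_seqnum))
        return 0;
    if (ntohl(saved->high_order_seqnum) > ntohl(pkt->high_order_seqnum))
        return 0;
    return 1;
}

/* Join the halves into the single 64-bit value RFC 6506 defines. */
static uint64_t seqnum_to_host64(const struct at_seqnum *s)
{
    return ((uint64_t) ntohl(s->high_order_seqnum) << 32)
         | (uint64_t) ntohl(s->low_order_seqnum);
}

/* RFC 6506 semantics: accept only if the packet's 64-bit value is strictly
 * greater than the last value accepted from this neighbour. */
static int accept_rfc6506(const struct at_seqnum *saved, const struct at_seqnum *pkt)
{
    return seqnum_to_host64(pkt) > seqnum_to_host64(saved);
}

/* Wrappers taking host-order halves: saved (sh:sl) and packet (ph:pl). */
int patch_accepts(uint32_t sh, uint32_t sl, uint32_t ph, uint32_t pl)
{
    struct at_seqnum saved = make_seqnum(sh, sl), pkt = make_seqnum(ph, pl);
    return accept_patch_style(&saved, &pkt);
}

int rfc6506_accepts(uint32_t sh, uint32_t sl, uint32_t ph, uint32_t pl)
{
    struct at_seqnum saved = make_seqnum(sh, sl), pkt = make_seqnum(ph, pl);
    return accept_rfc6506(&saved, &pkt);
}

int main(void)
{
    /* Scenario 1 from the message: replayed packet, identical sequence number. */
    printf("scenario 1 (replay) patch=%d rfc6506=%d\n",
           patch_accepts(1, 1, 1, 1), rfc6506_accepts(1, 1, 1, 1));
    /* Scenario 2: low-order half wrapped to zero, high-order half incremented. */
    printf("scenario 2 (carry)  patch=%d rfc6506=%d\n",
           patch_accepts(1, 0xffffffffu, 2, 0), rfc6506_accepts(1, 0xffffffffu, 2, 0));
    /* Ordinary increment: both checks accept it. */
    printf("scenario 3 (next)   patch=%d rfc6506=%d\n",
           patch_accepts(1, 1, 1, 2), rfc6506_accepts(1, 1, 1, 2));
    return 0;
}
```

Scenario 1 shows the patch accepting the replay (1) where the 64-bit check rejects it (0); scenario 2 shows the patch rejecting the valid carry (0) where the 64-bit check accepts it (1).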