BFD: Improve incoming packet matching

For active sessions, ignore received packets with zero local id and mismatched remote id. That forces a session timeout instead of an immediate session restart. It makes BFD sessions more resilient to packet spoofing. Thanks to André Grüneberg for the suggestion.
author: Ondrej Zajicek <santiago@crfreenet.org> 2023-01-22 23:42:08 +0100
committer: Ondrej Zajicek <santiago@crfreenet.org> 2023-01-22 23:42:08 +0100
commit: 99872676df45f1a490d3d63f43081afb41477040 (patch)
tree: 15f2be0eb931a385a97e2168711e7e5053feaca9 /proto/bfd
parent: a82683694da23799f247b3392a00efdd342afdfc (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c
index 5f10734c..cb5f0d89 100644
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
     /* FIXME: better session matching and message */
     if (!s)
       return 1;
+
+    /* For active sessions we require matching remote id */
+    if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
+      DROP("mismatched remote id", ntohl(pkt->snd_id));
   }
 
   /* bfd_check_authentication() has its own error logging */
author	Ondrej Zajicek <santiago@crfreenet.org>	2023-01-22 23:42:08 +0100
committer	Ondrej Zajicek <santiago@crfreenet.org>	2023-01-22 23:42:08 +0100
commit	99872676df45f1a490d3d63f43081afb41477040 (patch)
tree	15f2be0eb931a385a97e2168711e7e5053feaca9 /proto/bfd
parent	a82683694da23799f247b3392a00efdd342afdfc (diff)