diff options
| author | Ondrej Zajicek <santiago@crfreenet.org> | 2009-04-08 20:15:01 +0200 |
|---|---|---|
| committer | Ondrej Zajicek <santiago@crfreenet.org> | 2009-04-08 20:15:01 +0200 |
| commit | 024c310b537abc3ddbac3054de71fd759d422824 (patch) | |
| tree | 159cc669b9d16d2d97102c187320c800e376f710 /proto/ospf/config.Y | |
| parent | b722fe7ebdf7e11f097ed0a85302769de2ac10fb (diff) | |
Fixes broken cryptographic authentication in OSPF
Cryptographic authentication in OSPF is defective by
design - there might be several packets independently
sent to the network (for example HELLO, LSUPD and LSACK)
where they might be reordered and that causes crypt.
sequence number error.
That can be workarounded by not incresing sequence number
too often. Now we update it only when last packet was sent
before at least one second. This can constitute a risk of
replay attacks, but RFC supposes something similar (like time
in seconds used as CSN).
Diffstat (limited to 'proto/ospf/config.Y')
| -rw-r--r-- | proto/ospf/config.Y | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/proto/ospf/config.Y b/proto/ospf/config.Y index 00b6be7c..bfe2d9c8 100644 --- a/proto/ospf/config.Y +++ b/proto/ospf/config.Y @@ -19,6 +19,18 @@ static struct iface_patt *this_ipatt; static struct nbma_node *this_nbma; static struct area_net_config *this_pref; +static void +finish_iface_config(struct ospf_iface_patt *ip) +{ + ip->passwords = get_passwords(); + + if ((ip->autype == OSPF_AUTH_CRYPT) && (ip->helloint < 5)) + log(L_WARN "Hello or poll interval less that 5 makes cryptographic authenication prone to replay attacks"); + + if ((ip->autype == OSPF_AUTH_NONE) && (ip->passwords != NULL)) + log(L_WARN "Password option without authentication option does not make sense"); +} + CF_DECLS CF_KEYWORDS(OSPF, AREA, OSPF_METRIC1, OSPF_METRIC2, OSPF_TAG) @@ -83,7 +95,7 @@ ospf_area_item: ; ospf_vlink: - ospf_vlink_start '{' ospf_vlink_opts '}' { OSPF_PATT->passwords = get_passwords(); } + ospf_vlink_start '{' ospf_vlink_opts '}' { finish_iface_config(OSPF_PATT); } | ospf_vlink_start ; @@ -121,6 +133,7 @@ ospf_vlink_start: VIRTUAL LINK idval OSPF_PATT->type = OSPF_IT_VLINK; init_list(&OSPF_PATT->nbma_list); OSPF_PATT->autype = OSPF_AUTH_NONE; + reset_passwords(); } ; @@ -223,6 +236,7 @@ ospf_iface_start: OSPF_PATT->stub = 0; init_list(&OSPF_PATT->nbma_list); OSPF_PATT->autype = OSPF_AUTH_NONE; + reset_passwords(); } ; @@ -237,7 +251,7 @@ ospf_iface_opt_list: ; ospf_iface: - ospf_iface_start iface_patt ospf_iface_opt_list { OSPF_PATT->passwords = get_passwords(); } + ospf_iface_start iface_patt ospf_iface_opt_list { finish_iface_config(OSPF_PATT); } ; ospf_iface_list: |