Enables Cisco style authentication on NHRP packets. This embeds the
plaintext password to the outgoing NHRP packets.
- Maximum length of the is 8 characters.
+ Maximum length of the password is 8 characters.
.. clicmd:: ip nhrp map A.B.C.D|X:X::X:X A.B.C.D|local
free(nifp->ipsec_fallback_profile);
if (nifp->source)
free(nifp->source);
+ if (nifp->auth_token)
+ zbuf_free(nifp->auth_token);
XFREE(MTYPE_NHRP_IF, ifp->info);
return 0;
}
}
- // auth ext was validated and copied from the request
+ /* auth ext was validated and copied from the request */
nhrp_packet_complete_auth(zb, hdr, ifp, false);
nhrp_peer_send(p->peer, zb);
err:
nhrp_ext_complete(zb, dst);
}
- // XXX: auth already handled ???
nhrp_packet_complete_auth(zb, hdr, pp->ifp, false);
nhrp_peer_send(p, zb);
zbuf_free(zb);
dst_proto = pp->src_proto;
}
/* Create reply */
- zb = zbuf_alloc(1500); // XXX: hardcode -> calculation routine
+ zb = zbuf_alloc(1500);
hdr = nhrp_packet_push(zb, NHRP_PACKET_ERROR_INDICATION, &pp->src_nbma,
&src_proto, &dst_proto);
- hdr->u.error.code = indication_code;
+ hdr->u.error.code = htons(indication_code);
hdr->u.error.offset = htons(offset);
hdr->flags = pp->hdr->flags;
- hdr->hop_count = 0; // XXX: cisco returns 255
+ hdr->hop_count = 0; /* XXX: cisco returns 255 */
/* Payload is the packet causing error */
/* Don`t add extension according to RFC */
- /* wireshark gives bad checksum, without exts */
- // pp->hdr->checksum = nhrp_packet_calculate_checksum(zbuf_used(&pp->payload))
zbuf_put(zb, pp->hdr, sizeof(*pp->hdr));
- zbuf_copy(zb, &pp->payload, zbuf_used(&pp->payload));
+ zbuf_put(zb, sockunion_get_addr(&pp->src_nbma),
+ hdr->src_nbma_address_len);
+ zbuf_put(zb, sockunion_get_addr(&pp->src_proto),
+ hdr->src_protocol_address_len);
+ zbuf_put(zb, sockunion_get_addr(&pp->dst_proto),
+ hdr->dst_protocol_address_len);
nhrp_packet_complete_auth(zb, hdr, pp->ifp, false);
- /* nhrp_packet_debug(zb, "SEND_ERROR"); */
nhrp_peer_send(pp->peer, zb);
zbuf_free(zb);
return 0;
struct zbuf *auth = nifp->auth_token;
struct nhrp_extension_header *ext;
struct zbuf *extensions, pl;
- int cmp = 0;
-
+ int cmp = 1;
extensions = zbuf_alloc(zbuf_used(&pp->extensions));
zbuf_copy_peek(extensions, &pp->extensions, zbuf_used(&pp->extensions));
auth->buf;
debugf(NHRP_DEBUG_COMMON,
"Processing Authentication Extension for (%s:%s|%d)",
- auth_ext->secret, (const char *)pl.buf, cmp);
+ auth_ext->secret,
+ ((struct nhrp_cisco_authentication_extension *)
+ pl.buf)
+ ->secret,
+ cmp);
+ break;
+ default:
+ /* Ignoring all received extensions except Authentication*/
break;
}
}
AFI_CMD "nhrp authentication PASSWORD$password",
AFI_STR
NHRP_STR
- "Specify plaint text password used for authenticantion\n"
+ "Specify plain text password used for authenticantion\n"
"Password, plain text, limited to 8 characters\n")
{
VTY_DECLVAR_CONTEXT(interface, ifp);
auth->type = htonl(NHRP_AUTHENTICATION_PLAINTEXT);
memcpy(auth->secret, password, pass_len);
- // XXX RFC: reset active (non-authorized) connections?
- /* vty_out(vty, "NHRP passwd (%s:%s)", nifp->ifp->name, auth->secret); */
return CMD_SUCCESS;
}
NO_STR
AFI_STR
NHRP_STR
- "Reset password used for authentication\n"
- "Password, plain text\n")
+ "Specify plain text password used for authenticantion\n"
+ "Password, plain text, limited to 8 characters\n")
{
VTY_DECLVAR_CONTEXT(interface, ifp);
struct nhrp_interface *nifp = ifp->info;
+
if (nifp->auth_token)
zbuf_free(nifp->auth_token);
return CMD_SUCCESS;
! debug nhrp all
interface r1-gre0
ip nhrp authentication secret
- ip nhrp holdtime 500
+ ip nhrp holdtime 10
ip nhrp shortcut
ip nhrp network-id 42
ip nhrp nhs dynamic nbma 10.2.1.2
nhrp nflog-group 1
interface r2-gre0
ip nhrp authentication secret
- ip nhrp holdtime 500
+ ip nhrp holdtime 10
ip nhrp redirect
ip nhrp network-id 42
ip nhrp registration no-unique
from lib import topotest
from lib.topogen import Topogen, TopoRouter, get_topogen
from lib.topolog import logger
-from lib.common_config import required_linux_kernel_version
+from lib.common_config import required_linux_kernel_version, retry
# Required to instantiate the topology builder class.
tgen.net[r].cmd("ip l del {}-gre0".format(r));
_populate_iface();
+ @retry(retry_timeout=40, initial_wait=5)
+ def verify_same_password():
+ output = ping_helper()
+ if "100 packets transmitted, 100 received" not in output:
+ assertmsg = "expected ping IPv4 from R1 to R2 should be ok"
+ assert 0, assertmsg
+ else:
+ logger.info("Check Ping IPv4 from R1 to R2 OK")
+
+ @retry(retry_timeout=40, initial_wait=5)
+ def verify_mismatched_password():
+ output = ping_helper()
+ if "Network is unreachable" not in output:
+ assertmsg = "expected ping IPv4 from R1 to R2 - should be down"
+ assert 0, assertmsg
+ else:
+ logger.info("Check Ping IPv4 from R1 to R2 missing - OK")
+
### Passwords are the same
logger.info("Check Ping IPv4 from R1 to R2 = 10.255.255.2")
- output = ping_helper()
- if "100 packets transmitted, 100 received" not in output:
- assertmsg = "expected ping IPv4 from R1 to R2 should be ok"
- assert 0, assertmsg
- else:
- logger.info("Check Ping IPv4 from R1 to R2 OK")
+ verify_same_password()
### Passwords are different
logger.info("Modify password and send ping again, should drop")
ip nhrp authentication secret12
""")
relink_session()
- topotest.sleep(10, "Waiting for session to initialize")
- output = ping_helper()
- if "Network is unreachable" not in output:
- assertmsg = "expected ping IPv4 from R1 to R2 - should be down"
- assert 0, assertmsg
- else:
- logger.info("Check Ping IPv4 from R1 to R2 missing - OK")
-
+ verify_mismatched_password()
+
### Passwords are the same - again
logger.info("Recover password and verify conectivity is back")
hubrouter.vtysh_cmd("""
ip nhrp authentication secret
""")
relink_session()
- topotest.sleep(10, "Waiting for session to initialize")
- output = pingrouter.run("ping 10.255.255.2 -f -c 100")
- logger.info(output)
- if "100 packets transmitted, 100 received" not in output:
- assertmsg = "expected ping IPv4 from R1 to R2 should be ok"
- assert 0, assertmsg
- else:
- logger.info("Check Ping IPv4 from R1 to R2 OK")
+ verify_same_password()
def test_route_install():
"Test use of NHRP routes by other protocols (sharpd here)."
projects / matthieu / frr.git / commitdiff