Make authentication of SNPs work correctly - ie. conditionally like it is in
IOS.
parent
3dc56b5bd3
commit
1cbc562b0c
@ -1,3 +1,8 @@
|
|||||||
|
2005-01-01 Hasso Tepper <hasso at quagga.net>
|
||||||
|
|
||||||
|
* isis_common.h, isisd.c, isis_pdu.c: Implement authentication in
|
||||||
|
SNPs correctly - ie. make it conditional like it is in IOS.
|
||||||
|
|
||||||
2004-12-29 Hasso Tepper <hasso at quagga.net>
|
2004-12-29 Hasso Tepper <hasso at quagga.net>
|
||||||
|
|
||||||
* isis_circuit.c, isis_csm.c, isis_zebra.c: Don't crash during
|
* isis_circuit.c, isis_csm.c, isis_zebra.c: Don't crash during
|
||||||
|
@ -37,6 +37,10 @@ struct isis_passwd
|
|||||||
#define ISIS_PASSWD_TYPE_CLEARTXT 1
|
#define ISIS_PASSWD_TYPE_CLEARTXT 1
|
||||||
#define ISIS_PASSWD_TYPE_PRIVATE 255
|
#define ISIS_PASSWD_TYPE_PRIVATE 255
|
||||||
u_char type;
|
u_char type;
|
||||||
|
/* Authenticate SNPs? */
|
||||||
|
#define SNP_AUTH_SEND 0x01
|
||||||
|
#define SNP_AUTH_RECV 0x02
|
||||||
|
u_char snp_auth;
|
||||||
u_char passwd[255];
|
u_char passwd[255];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -1270,10 +1270,7 @@ process_snp (int snp_type, int level, struct isis_circuit *circuit,
|
|||||||
struct listnode *node, *node2;
|
struct listnode *node, *node2;
|
||||||
struct tlvs tlvs;
|
struct tlvs tlvs;
|
||||||
struct list *lsp_list = NULL;
|
struct list *lsp_list = NULL;
|
||||||
/* TODO: Implement SNP authentication. */
|
|
||||||
#if 0
|
|
||||||
struct isis_passwd *passwd;
|
struct isis_passwd *passwd;
|
||||||
#endif
|
|
||||||
|
|
||||||
if (snp_type == ISIS_SNP_CSNP_FLAG)
|
if (snp_type == ISIS_SNP_CSNP_FLAG)
|
||||||
{
|
{
|
||||||
@ -1398,27 +1395,25 @@ process_snp (int snp_type, int level, struct isis_circuit *circuit,
|
|||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* FIXME: Authentication in LSPs does not mean authentication in SNPs...
|
if (level == 1)
|
||||||
* In fact by default IOS only deals with LSPs authentication!!
|
passwd = &circuit->area->area_passwd;
|
||||||
* To force authentication in SNPs, one must specify the 'authenticate
|
else
|
||||||
* snp' command after 'area-password WORD' or 'domain-password WORD'.
|
passwd = &circuit->area->domain_passwd;
|
||||||
* This command is not supported for the moment.
|
|
||||||
*/
|
if (CHECK_FLAG(passwd->snp_auth, SNP_AUTH_RECV))
|
||||||
#if 0
|
|
||||||
(level == 1) ? (passwd = &circuit->area->area_passwd) :
|
|
||||||
(passwd = &circuit->area->domain_passwd);
|
|
||||||
if (passwd->type)
|
|
||||||
{
|
{
|
||||||
if (!(found & TLVFLAG_AUTH_INFO) ||
|
if (passwd->type)
|
||||||
authentication_check (passwd, &tlvs.auth_info))
|
|
||||||
{
|
{
|
||||||
isis_event_auth_failure (circuit->area->area_tag,
|
if (!(found & TLVFLAG_AUTH_INFO) ||
|
||||||
"SNP authentication" " failure",
|
authentication_check (passwd, &tlvs.auth_info))
|
||||||
phdr ? phdr->source_id : chdr->source_id);
|
{
|
||||||
return ISIS_OK;
|
isis_event_auth_failure (circuit->area->area_tag,
|
||||||
|
"SNP authentication" " failure",
|
||||||
|
phdr ? phdr->source_id : chdr->source_id);
|
||||||
|
return ISIS_OK;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* 0 */
|
|
||||||
|
|
||||||
/* debug isis snp-packets */
|
/* debug isis snp-packets */
|
||||||
if (isis->debugs & DEBUG_SNP_PACKETS)
|
if (isis->debugs & DEBUG_SNP_PACKETS)
|
||||||
@ -2155,9 +2150,10 @@ build_csnp (int level, u_char * start, u_char * stop, struct list *lsps,
|
|||||||
else
|
else
|
||||||
passwd = &circuit->area->domain_passwd;
|
passwd = &circuit->area->domain_passwd;
|
||||||
|
|
||||||
if (passwd->type)
|
if (CHECK_FLAG(passwd->snp_auth, SNP_AUTH_SEND))
|
||||||
retval = tlv_add_authinfo (passwd->type, passwd->len,
|
if (passwd->type)
|
||||||
passwd->passwd, circuit->snd_stream);
|
retval = tlv_add_authinfo (passwd->type, passwd->len,
|
||||||
|
passwd->passwd, circuit->snd_stream);
|
||||||
|
|
||||||
if (!retval && lsps)
|
if (!retval && lsps)
|
||||||
{
|
{
|
||||||
@ -2305,9 +2301,10 @@ build_psnp (int level, struct isis_circuit *circuit, struct list *lsps)
|
|||||||
else
|
else
|
||||||
passwd = &circuit->area->domain_passwd;
|
passwd = &circuit->area->domain_passwd;
|
||||||
|
|
||||||
if (passwd->type)
|
if (CHECK_FLAG(passwd->snp_auth, SNP_AUTH_SEND))
|
||||||
retval = tlv_add_authinfo (passwd->type, passwd->len,
|
if (passwd->type)
|
||||||
passwd->passwd, circuit->snd_stream);
|
retval = tlv_add_authinfo (passwd->type, passwd->len,
|
||||||
|
passwd->passwd, circuit->snd_stream);
|
||||||
|
|
||||||
if (!retval && lsps)
|
if (!retval && lsps)
|
||||||
{
|
{
|
||||||
|
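Review bot: In the process_snp hunk at -1398, the receive check now runs only when `SNP_AUTH_RECV` is set, and the removed FIXME was the only text explaining why. With the flag clear (the state after a plain `area-password WORD`, per the isisd.c hunks), a CSNP or PSNP is processed with no authentication check even though a password is configured. I would keep a short comment above the `CHECK_FLAG` line, e.g. `/* SNPs are validated only when 'authenticate snp validate' is configured; otherwise they are accepted unauthenticated, as in IOS. */`. The inner `if (passwd->type)` also lets a PDU through silently when `SNP_AUTH_RECV` is set but the type is 0, a state that looks unreachable from the visible CLI code but deserves a comment. The failure path returns `ISIS_OK` directly, so if `tlvs` owns allocations at that point (parsing is outside the hunk) they are not released there; process_snp starts and ends outside the hunks.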
@ -1049,9 +1049,33 @@ DEFUN (area_passwd,
|
|||||||
area->area_passwd.type = ISIS_PASSWD_TYPE_CLEARTXT;
|
area->area_passwd.type = ISIS_PASSWD_TYPE_CLEARTXT;
|
||||||
strncpy ((char *)area->area_passwd.passwd, argv[0], 255);
|
strncpy ((char *)area->area_passwd.passwd, argv[0], 255);
|
||||||
|
|
||||||
|
if (argc > 1)
|
||||||
|
{
|
||||||
|
SET_FLAG(area->area_passwd.snp_auth, SNP_AUTH_SEND);
|
||||||
|
if (strncmp(argv[1], "v", 1) == 0)
|
||||||
|
SET_FLAG(area->area_passwd.snp_auth, SNP_AUTH_RECV);
|
||||||
|
else
|
||||||
|
UNSET_FLAG(area->area_passwd.snp_auth, SNP_AUTH_RECV);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
UNSET_FLAG(area->area_passwd.snp_auth, SNP_AUTH_SEND);
|
||||||
|
UNSET_FLAG(area->area_passwd.snp_auth, SNP_AUTH_RECV);
|
||||||
|
}
|
||||||
|
|
||||||
return CMD_SUCCESS;
|
return CMD_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ALIAS (area_passwd,
|
||||||
|
area_passwd_snpauth_cmd,
|
||||||
|
"area-password WORD authenticate snp (send-only|validate)",
|
||||||
|
"Configure the authentication password for an area\n"
|
||||||
|
"Area password\n"
|
||||||
|
"Authentication\n"
|
||||||
|
"SNP PDUs\n"
|
||||||
|
"Send but do not check PDUs on receiving\n"
|
||||||
|
"Send and check PDUs on receiving\n");
|
||||||
|
|
||||||
DEFUN (no_area_passwd,
|
DEFUN (no_area_passwd,
|
||||||
no_area_passwd_cmd,
|
no_area_passwd_cmd,
|
||||||
"no area-password",
|
"no area-password",
|
||||||
@ -1100,9 +1124,33 @@ DEFUN (domain_passwd,
|
|||||||
area->domain_passwd.type = ISIS_PASSWD_TYPE_CLEARTXT;
|
area->domain_passwd.type = ISIS_PASSWD_TYPE_CLEARTXT;
|
||||||
strncpy ((char *)area->domain_passwd.passwd, argv[0], 255);
|
strncpy ((char *)area->domain_passwd.passwd, argv[0], 255);
|
||||||
|
|
||||||
|
if (argc > 1)
|
||||||
|
{
|
||||||
|
SET_FLAG(area->domain_passwd.snp_auth, SNP_AUTH_SEND);
|
||||||
|
if (strncmp(argv[1], "v", 1) == 0)
|
||||||
|
SET_FLAG(area->domain_passwd.snp_auth, SNP_AUTH_RECV);
|
||||||
|
else
|
||||||
|
UNSET_FLAG(area->domain_passwd.snp_auth, SNP_AUTH_RECV);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
UNSET_FLAG(area->domain_passwd.snp_auth, SNP_AUTH_SEND);
|
||||||
|
UNSET_FLAG(area->domain_passwd.snp_auth, SNP_AUTH_RECV);
|
||||||
|
}
|
||||||
|
|
||||||
return CMD_SUCCESS;
|
return CMD_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ALIAS (domain_passwd,
|
||||||
|
domain_passwd_snpauth_cmd,
|
||||||
|
"domain-password WORD authenticate snp (send-only|validate)",
|
||||||
|
"Set the authentication password for a routing domain\n"
|
||||||
|
"Routing domain password\n"
|
||||||
|
"Authentication\n"
|
||||||
|
"SNP PDUs\n"
|
||||||
|
"Send but do not check PDUs on receiving\n"
|
||||||
|
"Send and check PDUs on receiving\n");
|
||||||
|
|
||||||
DEFUN (no_domain_passwd,
|
DEFUN (no_domain_passwd,
|
||||||
no_domain_passwd_cmd,
|
no_domain_passwd_cmd,
|
||||||
"no domain-password WORD",
|
"no domain-password WORD",
|
||||||
@ -1904,14 +1952,30 @@ isis_config_write (struct vty *vty)
|
|||||||
/* Authentication passwords. */
|
/* Authentication passwords. */
|
||||||
if (area->area_passwd.len > 0)
|
if (area->area_passwd.len > 0)
|
||||||
{
|
{
|
||||||
vty_out(vty, " area-password %s%s",
|
vty_out(vty, " area-password %s", area->area_passwd.passwd);
|
||||||
area->area_passwd.passwd, VTY_NEWLINE);
|
if (CHECK_FLAG(area->area_passwd.snp_auth, SNP_AUTH_SEND))
|
||||||
|
{
|
||||||
|
vty_out(vty, " authenticate snp ");
|
||||||
|
if (CHECK_FLAG(area->area_passwd.snp_auth, SNP_AUTH_RECV))
|
||||||
|
vty_out(vty, "validate");
|
||||||
|
else
|
||||||
|
vty_out(vty, "send-only");
|
||||||
|
}
|
||||||
|
vty_out(vty, "%s", VTY_NEWLINE);
|
||||||
write++;
|
write++;
|
||||||
}
|
}
|
||||||
if (area->domain_passwd.len > 0)
|
if (area->domain_passwd.len > 0)
|
||||||
{
|
{
|
||||||
vty_out(vty, " domain-password %s%s",
|
vty_out(vty, " domain-password %s", area->domain_passwd.passwd);
|
||||||
area->domain_passwd.passwd, VTY_NEWLINE);
|
if (CHECK_FLAG(area->domain_passwd.snp_auth, SNP_AUTH_SEND))
|
||||||
|
{
|
||||||
|
vty_out(vty, " authenticate snp ");
|
||||||
|
if (CHECK_FLAG(area->domain_passwd.snp_auth, SNP_AUTH_RECV))
|
||||||
|
vty_out(vty, "validate");
|
||||||
|
else
|
||||||
|
vty_out(vty, "send-only");
|
||||||
|
}
|
||||||
|
vty_out(vty, "%s", VTY_NEWLINE);
|
||||||
write++;
|
write++;
|
||||||
}
|
}
|
||||||
#ifdef TOPOLOGY_GENERATE
|
#ifdef TOPOLOGY_GENERATE
|
||||||
@ -2028,9 +2092,11 @@ isis_init ()
|
|||||||
install_element (ISIS_NODE, &no_is_type_cmd);
|
install_element (ISIS_NODE, &no_is_type_cmd);
|
||||||
|
|
||||||
install_element (ISIS_NODE, &area_passwd_cmd);
|
install_element (ISIS_NODE, &area_passwd_cmd);
|
||||||
|
install_element (ISIS_NODE, &area_passwd_snpauth_cmd);
|
||||||
install_element (ISIS_NODE, &no_area_passwd_cmd);
|
install_element (ISIS_NODE, &no_area_passwd_cmd);
|
||||||
|
|
||||||
install_element (ISIS_NODE, &domain_passwd_cmd);
|
install_element (ISIS_NODE, &domain_passwd_cmd);
|
||||||
|
install_element (ISIS_NODE, &domain_passwd_snpauth_cmd);
|
||||||
install_element (ISIS_NODE, &no_domain_passwd_cmd);
|
install_element (ISIS_NODE, &no_domain_passwd_cmd);
|
||||||
|
|
||||||
install_element (ISIS_NODE, &lsp_gen_interval_cmd);
|
install_element (ISIS_NODE, &lsp_gen_interval_cmd);
|
||||||
|
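Review bot: In the area_passwd hunk, `strncmp(argv[1], "v", 1) == 0` decides whether received SNPs are validated from the first character of the keyword alone, and nothing says why; the same test is repeated in domain_passwd. It is safe only because the command string limits the token to `(send-only|validate)`. A comment such as `/* argv[1] is send-only or validate (restricted by the command string); the first character tells them apart */` would warn that a later third keyword would silently map to send-only. The two blocks differ only in which `isis_passwd` they touch, so a small static helper taking a `struct isis_passwd *` plus argc/argv would remove the duplication. Both DEFUN bodies begin outside their hunks.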