FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

OSPF HMAC-SHA256 authentication command "ip ospf authentication key-chain" is not functioning. #15560

Closed Alt0S04 closed 5 months ago

Alt0S04 commented 6 months ago

Description

Hello, after working on the compatibility between OSPF and DMVPN/NHRP (#15171), I am now working on OSPF HMAC SHA256 authentication, and I have followed the following example in your documentation. Unfortunately, when I try to use the command "ip ospf authentication key-chain", I cannot specify the key-chain in the command. When I view the help, it indicates that I can only use MD5 (message-digest).

Version

FRRouting 8.4.4 (Debian12) on Linux(6.1.0-18-amd64).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:
    '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr' '--sysconfdir=/etc/frr' '--with-vtysh-pager=/usr/bin/pager' '--libdir=/usr/lib/x86_64-linux-gnu/frr' '--with-moduledir=/usr/lib/x86_64-linux-gnu/frr/modules' '--disable-dependency-tracking' '--enable-rpki' '--disable-scripting' '--disable-pim6d' '--with-libpam' '--enable-doc' '--enable-doc-html' '--enable-snmp' '--enable-fpm' '--disable-protobuf' '--disable-zeromq' '--enable-ospfapi' '--enable-bgp-vnc' '--enable-multipath=256' '--enable-user=frr' '--enable-group=frr' '--enable-vty-group=frrvty' '--enable-configfile-mask=0640' '--enable-logfile-mask=0640' 'build_alias=x86_64-linux-gnu' 'PYTHON=python3'

How to reproduce

Example:

r1(config)#key chain ospf
r1(config-keychain)#key 12
r1(config-keychain-key)#key-string myospf
r1(config-keychain-key)#cryptographic-algorithm hmac-sha-256

r1(config)#int eth0
r1(config-if)#ip ospf authentication key-chain ospf
r1(config-if)#ip ospf area 0

Not working command:

Debian12(config-if)# ip ospf authentication 
  <cr>            
  A.B.C.D         Address of interface
  message-digest  Use message-digest authentication
  null            Use null authentication

Expected behavior

I managed to configure a Cisco device with OSPF using HMAC-SHA256 authentication, but when it comes to FRR, the command mentioned in the documentation example doesn't work.

Actual behavior

No further information is available.

Additional context

No further information is available.


aceelindem commented 6 months ago

OSPF Authentication using keychains is not supported in 8.4.4. This is the commit that brings it in:

commit f5011cd5ddfd0eabe359d7013747823c6bd4ed3f
Author: Mahdi Varasteh <varasteh@amnesh.ir>
Date: Tue Sep 12 15:09:44 2023 +0330

[ospfd]: add support for RFC 5709 HMAC-SHA Auth

This patch includes:
* Implementation of RFC 5709 support in OSPF. Using
openssl library and FRR key-chain,
one can use SHA1, SHA256, SHA384, SHA512 and
keyed-MD5( backward compatibility with RFC 2328) HMAC algs.
* Updating documentation of OSPF
* add topotests for new HMAC algorithms

Signed-off-by: Mahdi Varasteh <varasteh@amnesh.ir>

Jafaral commented 5 months ago

This is fixed in a later version. Please upgrade to the latest version.

aceelindem commented 5 months ago

The first stable release for this commit is: origin/stable/9.1

Thanks to Chris Hopps for the tip:

LabNs-MacBook-Pro:frr acee$ git branch -r --contains f5011cd | grep stable
  origin/mergify/bp/stable/9.1/pr-14554
  origin/stable/9.1
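
An added example, not part of the thread or of FRR's own code: a small audit that reads a `show version` banner and an FRR config text, then reports interfaces that reference an OSPF key chain on a release older than 9.1 (the first stable branch named in the thread) or that still use message-digest authentication. The banner and config are constructed from the lines quoted in the issue; the function names and the indented config layout are assumptions.

```python
import re
MIN_KEYCHAIN_VERSION = (9, 1)  # per the thread: first stable branch with the commit

def frr_version(banner):
    """Extract (major, minor) from a 'show version' banner."""
    m = re.search(r"FRRouting (\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no FRRouting version in banner")
    return int(m.group(1)), int(m.group(2))

def audit(banner, config):
    """Return findings about OSPF authentication in an FRR config text."""
    findings, chains, refs, chain, iface = [], {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("key chain "):
            chain, iface = line.split()[2], None
            chains[chain] = set()
        elif line.startswith("interface "):
            iface, chain = line.split()[1], None
        elif chain and line.startswith("cryptographic-algorithm "):
            chains[chain].add(line.split()[1])
        elif iface and line.startswith("ip ospf authentication key-chain "):
            refs.append((iface, line.split()[4]))
        elif iface and line == "ip ospf authentication message-digest":
            findings.append(f"{iface}: message-digest (MD5) authentication")
    if refs and frr_version(banner) < MIN_KEYCHAIN_VERSION:
        findings.append("FRR older than 9.1: 'ip ospf authentication key-chain' unavailable")
    for iface, name in refs:
        if name not in chains:
            findings.append(f"{iface}: key chain '{name}' is not defined")
        elif not chains[name]:
            findings.append(f"{iface}: key chain '{name}' sets no cryptographic-algorithm")
    return findings

# Constructed sample input built from the banner and commands quoted in the issue.
SAMPLE_BANNER = "FRRouting 8.4.4 (Debian12) on Linux(6.1.0-18-amd64)."
SAMPLE_CONFIG = """\
key chain ospf
 key 12
  key-string myospf
  cryptographic-algorithm hmac-sha-256
interface eth0
 ip ospf authentication key-chain ospf
interface eth1
 ip ospf authentication message-digest
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BANNER, SAMPLE_CONFIG)))
```

Run against the reporter's 8.4.4 banner, the audit flags both the unavailable key-chain command and the interface left on message-digest.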