FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

EIGRP message-digest authentication does not work #4663

Open mruprich opened 5 years ago

mruprich commented 5 years ago

Description

When configuring EIGRP between two routers without authentication enabled, all works fine: the neighborship is established and routes are exchanged. When MD5 authentication is enabled on one router, this router still lists the other one as a neighbor. The other one removes the neighbor from the list but never deletes the distributed route from the routing table. When MD5 is enabled on both sides, no neighborship is established.

(put "x" in "[ ]" if you already tried following)
[x] Did you check if this is a duplicate issue?
[x] Did you test it on the latest FRRouting/frr master branch?

To Reproduce

Steps to reproduce the behaviour:

  1. Bring up EIGRP adjacency between two routers
  2. Create loopback or dummy interfaces with IP addresses that will be distributed
  3. Check the neighborship table and routing table and make sure that the adjacency works
  4. Now enable message-digest authentication on router1 and check the neighbor and routing tables on both routers again. Router1 still lists router2 as a neighbor but not the other way around. Also, both routers still show routing information received via EIGRP.
  5. Enable message-digest authentication on router2. The adjacency is now broken on both sides, and the routing information is still not dropped from the routing table.

Expected behavior

  1. With one side using authentication and one side not, no adjacency should be formed. EIGRP-originated routing info should be removed from the routing table.
  2. With authentication enabled on both sides, adjacency should be formed and routing information placed in the routing table.

Versions

Additional context

Output from the sample configuration.

Authentication turned off:

router1# sh run
router eigrp 1
  network 10.0.136.0/22
  network 192.168.20.0/24

router1# sh ip eigrp nei
EIGRP neighbors for AS(1)
H   Address           Interface            Hold   Uptime   SRTT   RTO   Q     Seq
0   10.0.136.87       eth0                 11     0        0      2    0      2

router1# sh ip route
E   10.0.136.0/22 [90/28160] is directly connected, eth0, 00:13:27
E>* 192.168.2.0/24 [90/30720] via 10.0.136.87, eth0, 00:13:21 #from router2
E   192.168.20.0/24 [90/28160] is directly connected, dummy2, 00:02:23

router2# sh run
router eigrp 1
  network 10.0.136.0/22
  network 192.168.2.0/24

router2# sh ip eigrp nei
EIGRP neighbors for AS(1)
H   Address           Interface            Hold   Uptime   SRTT   RTO   Q     Seq  
0   10.0.136.125      eth0                 13      0        0      2    0      2

router2# sh ip route
E   10.0.136.0/22 [90/28160] is directly connected, eth0, 00:11:19
E   192.168.2.0/24 [90/28160] is directly connected, dummy1, 00:11:19
E>* 192.168.20.0/24 [90/30720] via 10.0.136.125, eth0, 00:00:19 #from router1

Authentication on router1 only:

router1# sh run
interface eth0
 ip authentication key-chain eigrp 1 eigrp
 ip authentication mode eigrp 1 md5

router eigrp 1
  network 10.0.136.0/22
  network 192.168.20.0/24

key chain eigrp
 key 1
  key-string secure_eigrp

router1# sh ip eigrp nei
EIGRP neighbors for AS(1)
H   Address           Interface            Hold   Uptime   SRTT   RTO   Q     Seq  
0   10.0.136.87       eth0                 11     0        0      2    0      2

router1# sh ip route
E   10.0.136.0/22 [90/28160] is directly connected, eth0, 00:15:46
E>* 192.168.2.0/24 [90/30720] via 10.0.136.87, eth0, 00:15:40 #from router2
E   192.168.20.0/24 [90/28160] is directly connected, dummy2, 00:04:42

router2# sh run
--- no changes here from previous example ---

router2# sh ip eigrp nei
EIGRP neighbors for AS(1)
H   Address           Interface            Hold   Uptime   SRTT   RTO   Q     Seq  
---empty---

router2# sh ip route
E   10.0.136.0/22 [90/28160] is directly connected, eth0, 00:15:39
E   192.168.2.0/24 [90/28160] is directly connected, dummy1, 00:15:39
E>* 192.168.20.0/24 [90/30720] via 10.0.136.125, eth0, 00:01:13 #from router1

Authentication on both sides:

router1# sh run
---same as previous example---

router1# sh ip eigrp nei
EIGRP neighbors for AS(1)
H   Address           Interface            Hold   Uptime   SRTT   RTO   Q     Seq 
---empty---

router1# sh ip route
E   10.0.136.0/22 [90/28160] is directly connected, eth0, 00:15:46
E>* 192.168.2.0/24 [90/30720] via 10.0.136.87, eth0, 00:15:40 #from router2
E   192.168.20.0/24 [90/28160] is directly connected, dummy2, 00:04:42

router2# sh run
interface eth0
 ip authentication key-chain eigrp 1 eigrp
 ip authentication mode eigrp 1 md5

router eigrp 1
 network 10.0.136.0/22 
 network 192.168.2.0/24 

key chain eigrp
 key 1
  key-string secure_eigrp

router2# sh ip eigrp nei
---still empty ---

router2# sh ip route
E   10.0.136.0/22 [90/28160] is directly connected, eth0, 00:19:13
E   192.168.2.0/24 [90/28160] is directly connected, dummy1, 00:19:13
E>* 192.168.20.0/24 [90/30720] via 10.0.136.125, eth0, 00:04:47 #from router1
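The security-relevant symptom in the report is the last one in each table: a route learned from a peer stays installed after that peer has been dropped from the neighbor table, so traffic keeps following a next hop the router no longer trusts. The following is an added example, written for this page and not code from FRR or from the reporter, that audits the two outputs for exactly that inconsistency. It assumes the column layout of `show ip eigrp neighbors` and `show ip route` is the one shown above; the embedded sample inputs are transcribed from router2's tables in the report (the `#from routerN` annotations dropped) and are labelled as constructed inputs.

```python
"""Audit FRR EIGRP state for routes still installed via a peer that is no
longer in the neighbor table.  Added example for this issue page; not part
of FRR.  Column layout of the two show commands is assumed to match the
report above."""
import re

# Constructed input, transcribed from the report: router2 while authentication
# was off on both sides (router1 is an active neighbor).
NEIGHBORS_R2_OK = """\
EIGRP neighbors for AS(1)
H   Address           Interface            Hold   Uptime   SRTT   RTO   Q     Seq
0   10.0.136.125      eth0                 13      0        0      2    0      2
"""

# Constructed input, transcribed from the report: router2 after router1 turned
# on MD5.  The neighbor table is empty, yet the route from router1 is still
# installed (see ROUTES_R2 below).
NEIGHBORS_R2_BROKEN = """\
EIGRP neighbors for AS(1)
H   Address           Interface            Hold   Uptime   SRTT   RTO   Q     Seq
"""

# Constructed input: router2's routing table as shown in the report.
ROUTES_R2 = """\
E   10.0.136.0/22 [90/28160] is directly connected, eth0, 00:15:39
E   192.168.2.0/24 [90/28160] is directly connected, dummy1, 00:15:39
E>* 192.168.20.0/24 [90/30720] via 10.0.136.125, eth0, 00:01:13
"""

# One neighbor row: H, address, interface, remaining hold time; the rest is ignored.
NEIGHBOR_RE = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+)\b")
# An EIGRP route with a next hop; "is directly connected" rows deliberately do not match.
ROUTE_RE = re.compile(
    r"^E\S*\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]\s+via\s+(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+),"
)


def parse_neighbors(text):
    """Map neighbor address -> (interface, hold seconds) from 'show ip eigrp neighbors'."""
    neighbors = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors[m.group(1)] = (m.group(2), int(m.group(3)))
    return neighbors


def parse_eigrp_routes(text):
    """List (prefix, distance, metric, nexthop, interface) for each EIGRP route
    that was learned from a peer, i.e. that carries a 'via' next hop."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, ad, metric, nexthop, iface = m.groups()
            routes.append((prefix, int(ad), int(metric), nexthop, iface))
    return routes


def stale_routes(neighbors_text, routes_text):
    """Learned EIGRP routes whose next hop is absent from the neighbor table.

    An empty list means the two tables agree; anything returned is a route the
    router is still using although it no longer has an adjacency with the
    peer that advertised it."""
    neighbors = parse_neighbors(neighbors_text)
    return [r for r in parse_eigrp_routes(routes_text) if r[3] not in neighbors]


def report(neighbors_text, routes_text):
    """Human-readable audit lines, one per stale route."""
    lines = []
    for prefix, ad, metric, nexthop, iface in stale_routes(neighbors_text, routes_text):
        lines.append(
            f"STALE {prefix} [{ad}/{metric}] via {nexthop} on {iface}: "
            f"{nexthop} is not in the EIGRP neighbor table"
        )
    return lines


if __name__ == "__main__":
    for label, nbrs in (("router2, auth off", NEIGHBORS_R2_OK),
                        ("router2, peer auth on", NEIGHBORS_R2_BROKEN)):
        print(label, "->", report(nbrs, ROUTES_R2) or ["consistent"])
```

On a live FRR box the two inputs come from `vtysh -c 'show ip eigrp neighbors'` and `vtysh -c 'show ip route'`. Run against the "authentication on both sides" tables in the report, the check flags 192.168.2.0/24 on router1 and 192.168.20.0/24 on router2, since both neighbor tables are empty while both routes remain. The check only says that a route outlived its adjacency; it cannot tell whether an authentication mismatch, a hold-timer expiry, or something else removed the neighbor.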

mruprich commented 5 years ago

Note: the same behaviour is visible with HMAC-SHA-256 authentication. I can file a separate bug for this if you want.