mirrors/bird
mirrors/bird
0
0
Fork 0
mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-11-09 20:58:44 +00:00
Code Releases Activity

Merge commit 'ee919658' into thread-next-iface

Browse Source
This commit is contained in:
Maria Matejka 2023-04-14 13:42:42 +02:00
commit ea30d596d3
5 changed files with 143 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
doc/bird.sgml
View File

@ -1954,6 +1954,7 @@ protocol babel [<name>] {
check link <switch>;
next hop ipv4 <address>;
next hop ipv6 <address>;
extended next hop <switch>;
authentication none|mac [permissive];
password "&lt;text&gt;";
password "&lt;text&gt;" {
@ -2058,6 +2059,11 @@ protocol babel [<name>] {
source for Babel packets will be used. In normal operation, it should not
be necessary to set this option.
<tag><label id="babel-extended-next-hop">extended next hop <m/switch/</tag>
If enabled, BIRD will accept and emit IPv4 routes with an IPv6 next
hop when IPv4 addresses are absent from the interface as described in
<rfc id="9229">. Default: yes.
<tag><label id="babel-authentication">authentication none|mac [permissive]</tag>
Selects authentication method to be used. <cf/none/ means that packets
are not authenticated at all, <cf/mac/ means MAC authentication is

56
proto/babel/babel.c
View File

@ -1002,8 +1002,18 @@ babel_send_update_(struct babel_iface *ifa, btime changed, struct fib *rtable)
msg.update.router_id = e->router_id;
net_copy(&msg.update.net, e->n.addr);
msg.update.next_hop = ((e->n.addr->type == NET_IP4) ?
ifa->next_hop_ip4 : ifa->next_hop_ip6);
if (e->n.addr->type == NET_IP4)
{
/* Always prefer IPv4 nexthop if set */
if (ipa_nonzero(ifa->next_hop_ip4))
msg.update.next_hop = ifa->next_hop_ip4;
/* Only send IPv6 nexthop if enabled */
else if (ifa->cf->ext_next_hop)
msg.update.next_hop = ifa->next_hop_ip6;
}
else
msg.update.next_hop = ifa->next_hop_ip6;
/* Do not send route if next hop is unknown, e.g. no configured IPv4 address */
if (ipa_zero(msg.update.next_hop))
@ -1262,6 +1272,13 @@ babel_handle_update(union babel_msg *m, struct babel_iface *ifa)
return;
}
/* Reject IPv4 via IPv6 routes if disabled */
if ((msg->net.type == NET_IP4) && ipa_is_ip6(msg->next_hop) && !ifa->cf->ext_next_hop)
{
DBG("Babel: Ignoring disabled IPv4 via IPv6 route.\n");
return;
}
/* Retraction */
if (msg->metric == BABEL_INFINITY)
{
@ -1548,7 +1565,8 @@ babel_auth_check_pc(struct babel_iface *ifa, struct babel_msg_auth *msg)
n->auth_index_len = msg->index_len;
memcpy(n->auth_index, msg->index, msg->index_len);
n->auth_pc = msg->pc;
n->auth_pc_unicast = msg->pc;
n->auth_pc_multicast = msg->pc;
n->auth_passed = 1;
return 1;
@ -1567,16 +1585,30 @@ babel_auth_check_pc(struct babel_iface *ifa, struct babel_msg_auth *msg)
return 0;
}
/* (6) Index matches; only accept if PC is greater than last */
if (n->auth_pc >= msg->pc)
/*
* (6) Index matches; only accept if PC is greater than last. We keep separate
* counters for unicast and multicast because multicast packets can be delayed
* significantly on wireless networks (enough to be received out of order).
* Separate counters are safe because the packet destination address is part
* of the MAC pseudo-header (so unicast packets can't be replayed as multicast
* and vice versa).
*/
u32 auth_pc = msg->unicast ? n->auth_pc_unicast : n->auth_pc_multicast;
if (auth_pc >= msg->pc)
{
LOG_PKT_AUTH("Authentication failed for %I on %s - "
"lower packet counter (rcv %u, old %u)",
msg->sender, ifa->ifname, msg->pc, n->auth_pc);
"lower %s packet counter (rcv %u, old %u)",
msg->sender, ifa->ifname,
msg->unicast ? "unicast" : "multicast",
msg->pc, auth_pc);
return 0;
}
n->auth_pc = msg->pc;
if (msg->unicast)
n->auth_pc_unicast = msg->pc;
else
n->auth_pc_multicast = msg->pc;
n->auth_passed = 1;
return 1;
@ -1728,7 +1760,7 @@ babel_iface_update_addr4(struct babel_iface *ifa)
ip_addr addr4 = ifa->iface->addr4 ? ifa->iface->addr4->ip : IPA_NONE;
ifa->next_hop_ip4 = ipa_nonzero(ifa->cf->next_hop_ip4) ? ifa->cf->next_hop_ip4 : addr4;
if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel)
if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel && !ifa->cf->ext_next_hop)
log(L_WARN "%s: Missing IPv4 next hop address for %s", p->p.name, ifa->ifname);
if (ifa->up)
@ -1805,8 +1837,8 @@ babel_add_iface(struct babel_proto *p, struct iface *new, struct babel_iface_con
ifa->next_hop_ip4 = ipa_nonzero(ic->next_hop_ip4) ? ic->next_hop_ip4 : addr4;
ifa->next_hop_ip6 = ipa_nonzero(ic->next_hop_ip6) ? ic->next_hop_ip6 : ifa->addr;
if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel)
log(L_WARN "%s: Missing IPv4 next hop address for %s", p->p.name, new->name);
if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel && !ic->ext_next_hop)
log(L_WARN "%s: Missing IPv4 next hop address for %s", p->p.name, ifa->ifname);
init_list(&ifa->neigh_list);
ifa->hello_seqno = 1;
@ -1929,7 +1961,7 @@ babel_reconfigure_iface(struct babel_proto *p, struct babel_iface *ifa, struct b
if ((new->auth_type != BABEL_AUTH_NONE) && (new->auth_type != old->auth_type))
babel_auth_reset_index(ifa);
if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel)
if (ipa_zero(ifa->next_hop_ip4) && p->ip4_channel && !new->ext_next_hop)
log(L_WARN "%s: Missing IPv4 next hop address for %s", p->p.name, ifa->ifname);
if (ifa->next_hello > (current_time() + new->hello_interval))

8
proto/babel/babel.h
View File

@ -110,6 +110,7 @@ enum babel_ae_type {
BABEL_AE_IP4 = 1,
BABEL_AE_IP6 = 2,
BABEL_AE_IP6_LL = 3,
BABEL_AE_IP4_VIA_IP6 = 4,
BABEL_AE_MAX
};
@ -143,8 +144,9 @@ struct babel_iface_config {
ip_addr next_hop_ip4;
ip_addr next_hop_ip6;
u8 ext_next_hop; /* Enable IPv4 via IPv6 */
u8 auth_type; /* Authentication type (BABEL_AUTH_*) */
u8 auth_type; /* Authentication type (BABEL_AUTH_*) */
u8 auth_permissive; /* Don't drop packets failing auth check */
uint mac_num_keys; /* Number of configured HMAC keys */
uint mac_total_len; /* Total digest length for all configured keys */
@ -223,7 +225,8 @@ struct babel_neighbor {
u16 next_hello_seqno;
uint last_hello_int;
u32 auth_pc;
u32 auth_pc_unicast;
u32 auth_pc_multicast;
u8 auth_passed;
u8 auth_index_len;
u8 auth_index[BABEL_AUTH_INDEX_LEN];
@ -401,6 +404,7 @@ struct babel_msg_auth {
u8 challenge_seen;
u8 challenge_len;
u8 challenge[BABEL_AUTH_MAX_NONCE_LEN];
u8 unicast;
};
static inline int babel_sadr_enabled(struct babel_proto *p)

5
proto/babel/config.Y
View File

@ -25,7 +25,8 @@ CF_DECLS
CF_KEYWORDS(BABEL, INTERFACE, METRIC, RXCOST, HELLO, UPDATE, INTERVAL, PORT,
TYPE, WIRED, WIRELESS, RX, TX, BUFFER, PRIORITY, LENGTH, CHECK, LINK,
NEXT, HOP, IPV4, IPV6, SHOW, INTERFACES, NEIGHBORS,
ENTRIES, RANDOMIZE, ROUTER, ID, AUTHENTICATION, NONE, MAC, PERMISSIVE)
ENTRIES, RANDOMIZE, ROUTER, ID, AUTHENTICATION, NONE, MAC, PERMISSIVE,
EXTENDED)
CF_GRAMMAR
@ -67,6 +68,7 @@ babel_iface_start:
BABEL_IFACE->tx_tos = IP_PREC_INTERNET_CONTROL;
BABEL_IFACE->tx_priority = sk_priority_control;
BABEL_IFACE->check_link = 1;
BABEL_IFACE->ext_next_hop = 1;
};
@ -143,6 +145,7 @@ babel_iface_item:
| CHECK LINK bool { BABEL_IFACE->check_link = $3; }
| NEXT HOP IPV4 ipa { BABEL_IFACE->next_hop_ip4 = $4; if (!ipa_is_ip4($4)) cf_error("Must be an IPv4 address"); }
| NEXT HOP IPV6 ipa { BABEL_IFACE->next_hop_ip6 = $4; if (!ipa_is_ip6($4)) cf_error("Must be an IPv6 address"); }
| EXTENDED NEXT HOP bool { BABEL_IFACE->ext_next_hop = $4; }
| AUTHENTICATION NONE { BABEL_IFACE->auth_type = BABEL_AUTH_NONE; }
| AUTHENTICATION MAC { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 0; }
| AUTHENTICATION MAC PERMISSIVE { BABEL_IFACE->auth_type = BABEL_AUTH_MAC; BABEL_IFACE->auth_permissive = 1; }

116
proto/babel/packets.c
View File

@ -166,10 +166,12 @@ struct babel_parse_state {
ip_addr next_hop_ip6;
u64 router_id; /* Router ID used in subsequent updates */
u8 def_ip6_prefix[16]; /* Implicit IPv6 prefix in network order */
u8 def_ip4_prefix[4]; /* Implicit IPv4 prefix in network order */
u8 def_ip4_prefix[4]; /* Implicit IPv4 prefix (AE 1) in network order */
u8 def_ip4_via_ip6_prefix[4]; /* Implicit IPv4 prefix (AE 4) in network order */
u8 router_id_seen; /* router_id field is valid */
u8 def_ip6_prefix_seen; /* def_ip6_prefix is valid */
u8 def_ip4_prefix_seen; /* def_ip4_prefix is valid */
u8 def_ip4_via_ip6_prefix_seen; /* def_ip4_via_ip6_prefix is valid */
u8 current_tlv_endpos; /* End of self-terminating TLVs (offset from start) */
u8 sadr_enabled;
u8 is_unicast;
@ -515,9 +517,6 @@ babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m,
msg->addr = IPA_NONE;
msg->sender = state->saddr;
if (msg->ae >= BABEL_AE_MAX)
return PARSE_IGNORE;
/*
* We only actually read link-local IPs. In every other case, the addr field
* will be 0 but validation will succeed. The handler takes care of these
@ -526,17 +525,20 @@ babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m,
*/
switch (msg->ae)
{
case BABEL_AE_WILDCARD:
return PARSE_SUCCESS;
case BABEL_AE_IP4:
if (TLV_OPT_LENGTH(tlv) < 4)
return PARSE_ERROR;
state->current_tlv_endpos += 4;
break;
return PARSE_SUCCESS;
case BABEL_AE_IP6:
if (TLV_OPT_LENGTH(tlv) < 16)
return PARSE_ERROR;
state->current_tlv_endpos += 16;
break;
return PARSE_SUCCESS;
case BABEL_AE_IP6_LL:
if (TLV_OPT_LENGTH(tlv) < 8)
@ -544,10 +546,17 @@ babel_read_ihu(struct babel_tlv *hdr, union babel_msg *m,
msg->addr = ipa_from_ip6(get_ip6_ll(&tlv->addr));
state->current_tlv_endpos += 8;
break;
return PARSE_SUCCESS;
/* RFC 9229 2.4 - IHU TLV MUST NOT carry the AE 4 (IPv4-via-IPv6) */
case BABEL_AE_IP4_VIA_IP6:
return PARSE_ERROR;
default:
return PARSE_IGNORE;
}
return PARSE_SUCCESS;
return PARSE_IGNORE;
}
static uint
@ -640,6 +649,10 @@ babel_read_next_hop(struct babel_tlv *hdr, union babel_msg *m UNUSED,
state->current_tlv_endpos += 8;
return PARSE_IGNORE;
/* RFC 9229 2.4 - Next Hop TLV MUST NOT carry the AE 4 (IPv4-via-IPv6) */
case BABEL_AE_IP4_VIA_IP6:
return PARSE_ERROR;
default:
return PARSE_IGNORE;
}
@ -692,6 +705,42 @@ babel_write_next_hop(struct babel_tlv *hdr, ip_addr addr,
return 0;
}
/* This is called directly from babel_read_update() to handle
both BABEL_AE_IP4 and BABEL_AE_IP4_VIA_IP6 encodings */
static int
babel_read_ip4_prefix(struct babel_tlv_update *tlv, struct babel_msg_update *msg,
u8 *def_prefix, u8 *def_prefix_seen, ip_addr next_hop, int len)
{
if (tlv->plen > IP4_MAX_PREFIX_LENGTH)
return PARSE_ERROR;
/* Cannot omit data if there is no saved prefix */
if (tlv->omitted && !*def_prefix_seen)
return PARSE_ERROR;
/* Update must have next hop, unless it is retraction */
if (ipa_zero(next_hop) && msg->metric != BABEL_INFINITY)
return PARSE_ERROR;
/* Merge saved prefix and received prefix parts */
u8 buf[4] = {};
memcpy(buf, def_prefix, tlv->omitted);
memcpy(buf + tlv->omitted, tlv->addr, len);
ip4_addr prefix4 = get_ip4(buf);
net_fill_ip4(&msg->net, prefix4, tlv->plen);
if (tlv->flags & BABEL_UF_DEF_PREFIX)
{
put_ip4(def_prefix, prefix4);
*def_prefix_seen = 1;
}
msg->next_hop = next_hop;
return PARSE_SUCCESS;
}
static int
babel_read_update(struct babel_tlv *hdr, union babel_msg *m,
struct babel_parse_state *state)
@ -706,11 +755,11 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m,
/* Length of received prefix data without omitted part */
int len = BYTES(tlv->plen) - (int) tlv->omitted;
u8 buf[16] = {};
if ((len < 0) || ((uint) len > TLV_OPT_LENGTH(tlv)))
return PARSE_ERROR;
int rc;
switch (tlv->ae)
{
case BABEL_AE_WILDCARD:
@ -724,31 +773,20 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m,
break;
case BABEL_AE_IP4:
if (tlv->plen > IP4_MAX_PREFIX_LENGTH)
return PARSE_ERROR;
rc = babel_read_ip4_prefix(tlv, msg, state->def_ip4_prefix,
&state->def_ip4_prefix_seen,
state->next_hop_ip4, len);
if (rc != PARSE_SUCCESS)
return rc;
/* Cannot omit data if there is no saved prefix */
if (tlv->omitted && !state->def_ip4_prefix_seen)
return PARSE_ERROR;
break;
/* Update must have next hop, unless it is retraction */
if (ipa_zero(state->next_hop_ip4) && (msg->metric != BABEL_INFINITY))
return PARSE_IGNORE;
/* Merge saved prefix and received prefix parts */
memcpy(buf, state->def_ip4_prefix, tlv->omitted);
memcpy(buf + tlv->omitted, tlv->addr, len);
ip4_addr prefix4 = get_ip4(buf);
net_fill_ip4(&msg->net, prefix4, tlv->plen);
if (tlv->flags & BABEL_UF_DEF_PREFIX)
{
put_ip4(state->def_ip4_prefix, prefix4);
state->def_ip4_prefix_seen = 1;
}
msg->next_hop = state->next_hop_ip4;
case BABEL_AE_IP4_VIA_IP6:
rc = babel_read_ip4_prefix(tlv, msg, state->def_ip4_via_ip6_prefix,
&state->def_ip4_via_ip6_prefix_seen,
state->next_hop_ip6, len);
if (rc != PARSE_SUCCESS)
return rc;
break;
@ -761,6 +799,7 @@ babel_read_update(struct babel_tlv *hdr, union babel_msg *m,
return PARSE_ERROR;
/* Merge saved prefix and received prefix parts */
u8 buf[16] = {};
memcpy(buf, state->def_ip6_prefix, tlv->omitted);
memcpy(buf + tlv->omitted, tlv->addr, len);
@ -863,7 +902,7 @@ babel_write_update(struct babel_tlv *hdr, union babel_msg *m,
}
else if (msg->net.type == NET_IP4)
{
tlv->ae = BABEL_AE_IP4;
tlv->ae = ipa_is_ip4(msg->next_hop) ? BABEL_AE_IP4 : BABEL_AE_IP4_VIA_IP6;
tlv->plen = net4_pxlen(&msg->net);
put_ip4_px(tlv->addr, &msg->net);
}
@ -931,7 +970,12 @@ babel_read_route_request(struct babel_tlv *hdr, union babel_msg *m,
msg->full = 1;
return PARSE_SUCCESS;
/*
* RFC 9229 2.3 - When receiving requests, AE 1 (IPv4) and AE 4
* (IPv4-via-IPv6) MUST be treated in the same manner.
*/
case BABEL_AE_IP4:
case BABEL_AE_IP4_VIA_IP6:
if (tlv->plen > IP4_MAX_PREFIX_LENGTH)
return PARSE_ERROR;
@ -1032,7 +1076,12 @@ babel_read_seqno_request(struct babel_tlv *hdr, union babel_msg *m,
case BABEL_AE_WILDCARD:
return PARSE_ERROR;
/*
* RFC 9229 2.3 - When receiving requests, AE 1 (IPv4) and AE 4
* (IPv4-via-IPv6) MUST be treated in the same manner.
*/
case BABEL_AE_IP4:
case BABEL_AE_IP4_VIA_IP6:
if (tlv->plen > IP4_MAX_PREFIX_LENGTH)
return PARSE_ERROR;
@ -1655,6 +1704,7 @@ babel_read_pc(struct babel_tlv *hdr, union babel_msg *m UNUSED,
state->auth.pc_seen = 1;
state->auth.index_len = index_len;
state->auth.index = tlv->index;
state->auth.unicast = state->is_unicast;
state->current_tlv_endpos += index_len;
return PARSE_SUCCESS;