diff options
| author | Ondrej Zajicek <santiago@crfreenet.org> | 2009-04-08 20:15:01 +0200 |
|---|---|---|
| committer | Ondrej Zajicek <santiago@crfreenet.org> | 2009-04-08 20:15:01 +0200 |
| commit | 024c310b537abc3ddbac3054de71fd759d422824 (patch) | |
| tree | 159cc669b9d16d2d97102c187320c800e376f710 /proto/ospf/ospf.h | |
| parent | b722fe7ebdf7e11f097ed0a85302769de2ac10fb (diff) | |
| download | bird-024c310b537abc3ddbac3054de71fd759d422824.tar bird-024c310b537abc3ddbac3054de71fd759d422824.zip | |
Fixes broken cryptographic authentication in OSPF
Cryptographic authentication in OSPF is defective by
design - there might be several packets independently
sent to the network (for example HELLO, LSUPD and LSACK)
where they might be reordered and that causes crypt.
sequence number error.
That can be workarounded by not incresing sequence number
too often. Now we update it only when last packet was sent
before at least one second. This can constitute a risk of
replay attacks, but RFC supposes something similar (like time
in seconds used as CSN).
Diffstat (limited to 'proto/ospf/ospf.h')
| -rw-r--r-- | proto/ospf/ospf.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/proto/ospf/ospf.h b/proto/ospf/ospf.h index 4e37c18..fb78af4 100644 --- a/proto/ospf/ospf.h +++ b/proto/ospf/ospf.h @@ -161,7 +161,8 @@ struct ospf_iface u16 autype; u16 helloint; /* number of seconds between hello sending */ list *passwords; - u32 csn; /* Crypt seq num. that will be sent net */ + u32 csn; /* Last used crypt seq number */ + bird_clock_t csn_use; /* Last time when packet with that CSN was sent */ ip_addr drip; /* Designated router */ u32 drid; ip_addr bdrip; /* Backup DR */ |