frr
frr copied to clipboard
FRRouting
FRR: Initial support for TCP Authentication Option
This contains the minimum required to show that TCP authentication can work between BGP peers.
The kernel part is still a RFC, this was posted here early mainly to get ABI feedback. This version was tested with https://github.com/cdleonard/linux/commits/tcp_authopt%4020210813T195209, ABI might change in the future. Since kernel changes are required CI is expected to fail.
Last netdev post is here: https://lore.kernel.org/netdev/[email protected]/
Some ABI issues:
- Maximum key length is fixed to 80, same as md5. Should this be dynamic?
- There is no kernel support for marking keys as "expired for send" or "expired for accept" but it's not clear how those keychain properties should map to TCP-AO.
- There is no prefixlen support (what MD5 gained in 4.14)
- Unsigned packets are accepted if neighbor has no keys configured. This means that if keychain is empty or all keys are expired linux default to "accept all" instead of "deny all"
For implementing key rollover there is already support in the kernel but not in these FRR patches. My best guess is that I should add a timer for "next key validity change event" and a frr hook for any keychain changes? The lib/tcp_authopt.[ch] layer was created in the idea that BGP and LDP and maybe others would share it.
RFC5925 warns against changing keys while in use but it's not clear the extent to which this should enforced at the vtysh level.
There are also a bunch of issues related to bgp code itself:
- Not clear how keys would be added when a listener restarts?
- I've only taken a brief look through frr developer guides so I probably missed a lot of stuff.
Outdated results 🚧
Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues
| _ | _ |
|---|---|
| Result | SUCCESS git merge/9442 27c81a77 |
| Date | 08/18/2021 |
| Start | 16:11:33 |
| Finish | 16:37:44 |
| Run-Time | 26:11 |
| Total | 1813 |
| Pass | 1813 |
| Fail | 0 |
| Valgrind-Errors | 0 |
| Valgrind-Loss | 2 |
| Details | vncregress-2021-08-18-16:11:33.txt |
| Log | autoscript-2021-08-18-16:12:47.log.bz2 |
| Memory | 490 508 424 |
For details, please contact louberger
Continuous Integration Result: FAILED
Continuous Integration Result: FAILED
See below for issues. CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/
This is a comment from an automated CI system. For questions and feedback in regards to this CI system, please feel free to email Martin Winter - mwinter (at) opensourcerouting.org.
Get source / Pull Request: Successful
Building Stage: Failed
NetBSD 8 amd64 build: Failed (click for details)
NetBSD 8 amd64 build: Unknown LogMake failed for NetBSD 8 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/ErrorLog/log_make.txt)
lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'
NetBSD 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/config.status/config.status
FreeBSD 11 amd64 build: Failed (click for details)
Make failed for FreeBSD 11 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/ErrorLog/log_make.txt)
lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
1033 | static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'
FreeBSD 11 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.status/config.status FreeBSD 11 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.log/config.log.gz
OpenBSD 6 amd64 build: Failed (click for details)
Make failed for OpenBSD 6 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/ErrorLog/log_make.txt)
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.status/config.status OpenBSD 6 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.log/config.log.gz
FreeBSD 12 amd64 build: Failed (click for details)
Make failed for FreeBSD 12 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/ErrorLog/log_make.txt)
lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'
FreeBSD 12 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.status/config.status FreeBSD 12 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.log/config.log.gz
Successful on other platforms/tests
- Debian 9 amd64 build
- Ubuntu 18.04 ppc64le build
- Ubuntu 16.04 amd64 build
- Ubuntu 18.04 arm7 build
- Ubuntu 16.04 arm8 build
- Debian 11 amd64 build
- Ubuntu 20.04 amd64 build
- Ubuntu 16.04 i386 build
- Debian 10 amd64 build
- Fedora 29 amd64 build
- Ubuntu 18.04 arm8 build
- CentOS 7 amd64 build
- Ubuntu 18.04 i386 build
- Ubuntu 18.04 amd64 build
- Ubuntu 16.04 arm7 build
- CentOS 8 amd64 build
Warnings Generated during build:
Checkout code: Successful with additional warnings
NetBSD 8 amd64 build: Failed (click for details)
NetBSD 8 amd64 build: Unknown LogMake failed for NetBSD 8 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/ErrorLog/log_make.txt)
lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'
NetBSD 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI012BUILD/config.status/config.status
FreeBSD 11 amd64 build: Failed (click for details)
Make failed for FreeBSD 11 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/ErrorLog/log_make.txt)
lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
1033 | static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'
FreeBSD 11 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.status/config.status FreeBSD 11 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI009BUILD/config.log/config.log.gz
OpenBSD 6 amd64 build: Failed (click for details)
Make failed for OpenBSD 6 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/ErrorLog/log_make.txt)
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.status/config.status OpenBSD 6 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/CI011BUILD/config.log/config.log.gz
FreeBSD 12 amd64 build: Failed (click for details)
Make failed for FreeBSD 12 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/ErrorLog/log_make.txt)
lib/elf_py.c:1033:13: warning: 'elffile_add_dynreloc' defined but not used [-Wunused-function]
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
lib/tcp_authopt.c:69:2: error: unknown type name '__u32'
lib/tcp_authopt.c:75:2: error: unknown type name '__u8'
lib/tcp_authopt.c:82:2: error: unknown type name '__u8'
lib/tcp_authopt.c:84:2: error: unknown type name '__u8'
lib/tcp_authopt.c:86:2: error: unknown type name '__u8'
lib/tcp_authopt.c:126:2: error: unknown type name '__u32'
lib/tcp_authopt.c:128:2: error: unknown type name '__u8'
FreeBSD 12 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.status/config.status FreeBSD 12 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21196/artifact/FBSD12AMD64/config.log/config.log.gz
Report for bgpd.c | 8 issues
===============================================
< WARNING: line over 80 characters
< #5968: FILE: /tmp/f1-16516/bgpd.c:5968:
< WARNING: line over 80 characters
< #5973: FILE: /tmp/f1-16516/bgpd.c:5973:
< WARNING: else is not generally useful after a break or return
< #5983: FILE: /tmp/f1-16516/bgpd.c:5983:
< WARNING: line over 80 characters
< #6292: FILE: /tmp/f1-16516/bgpd.c:6292:
Report for bgpd.h | 4 issues
===============================================
< WARNING: line over 80 characters
< #1284: FILE: /tmp/f1-16516/bgpd.h:1284:
< WARNING: line over 80 characters
< #2173: FILE: /tmp/f1-16516/bgpd.h:2173:
Report for bgp_network.c | 10 issues
===============================================
< WARNING: line over 80 characters
< #243: FILE: /tmp/f1-16516/bgp_network.c:243:
< WARNING: line over 80 characters
< #246: FILE: /tmp/f1-16516/bgp_network.c:246:
< ERROR: spaces required around that ':' (ctx:VxW)
< #266: FILE: /tmp/f1-16516/bgp_network.c:266:
< WARNING: line over 80 characters
< #311: FILE: /tmp/f1-16516/bgp_network.c:311:
< WARNING: line over 80 characters
< #314: FILE: /tmp/f1-16516/bgp_network.c:314:
Report for bgp_network.h | 6 issues
===============================================
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #41: FILE: /tmp/f1-16516/bgp_network.h:41:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-16516/bgp_network.h:43:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-16516/bgp_network.h:43:
Report for bgp_vty.c | 2 issues
===============================================
< WARNING: braces {} are not necessary for any arm of this statement
< #13931: FILE: /tmp/f1-16516/bgp_vty.c:13931:
Report for keychain.c | 12 issues
===============================================
< WARNING: line over 80 characters
< #155: FILE: /tmp/f1-16516/keychain.c:155:
< WARNING: line over 80 characters
< #188: FILE: /tmp/f1-16516/keychain.c:188:
< WARNING: else is not generally useful after a break or return
< #1020: FILE: /tmp/f1-16516/keychain.c:1020:
< WARNING: line over 80 characters
< #1135: FILE: /tmp/f1-16516/keychain.c:1135:
< WARNING: line over 80 characters
< #1137: FILE: /tmp/f1-16516/keychain.c:1137:
< WARNING: line over 80 characters
< #1139: FILE: /tmp/f1-16516/keychain.c:1139:
Report for tcp_authopt.c | 161 issues
===============================================
WARNING: line over 80 characters
#34: FILE: /tmp/f1-16516/tcp_authopt.c:34:
+#define TCP_AUTHOPT 38 /* TCP Authentication Option (RFC5925) */
WARNING: line over 80 characters
#35: FILE: /tmp/f1-16516/tcp_authopt.c:35:
+#define TCP_AUTHOPT_KEY 39 /* TCP Authentication Option Key (RFC5925) */
WARNING: line over 80 characters
#44: FILE: /tmp/f1-16516/tcp_authopt.c:44:
+ * If this is set `tcp_authopt.local_send_id` is used to determined sending
WARNING: line over 80 characters
#57: FILE: /tmp/f1-16516/tcp_authopt.c:57:
+ * Configure behavior of segments with TCP-AO coming from hosts for which no
WARNING: line over 80 characters
#58: FILE: /tmp/f1-16516/tcp_authopt.c:58:
+ * key is configured. The default recommended by RFC is to silently accept
WARNING: line over 80 characters
#79: FILE: /tmp/f1-16516/tcp_authopt.c:79:
+ * This is controlled by the user iff TCP_AUTHOPT_FLAG_LOCK_RNEXTKEYID is
WARNING: line over 80 characters
#83: FILE: /tmp/f1-16516/tcp_authopt.c:83:
+ /** @recv_keyid: A recently-received keyid value. Only for getsockopt. */
WARNING: line over 80 characters
#85: FILE: /tmp/f1-16516/tcp_authopt.c:85:
+ /** @recv_rnextkeyid: A recently-received rnextkeyid value. Only for getsockopt. */
ERROR: "foo* bar" should be "foo *bar"
#148: FILE: /tmp/f1-16516/tcp_authopt.c:148:
+ struct tcp_authopt_key* keyopt,
ERROR: "foo* bar" should be "foo *bar"
#150: FILE: /tmp/f1-16516/tcp_authopt.c:150:
+ struct key* key)
WARNING: line over 80 characters
#165: FILE: /tmp/f1-16516/tcp_authopt.c:165:
+static int tcp_authopt_keychain_add(int sock, union sockunion *su, struct keychain *keychain)
ERROR: that open brace { should be on the previous line
#181: FILE: /tmp/f1-16516/tcp_authopt.c:181:
+ for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+ {
WARNING: line over 80 characters
#186: FILE: /tmp/f1-16516/tcp_authopt.c:186:
+ /* Linux implementation doesn't allow marking keys as expired so only add
WARNING: line over 80 characters
#212: FILE: /tmp/f1-16516/tcp_authopt.c:212:
+ if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {
WARNING: line over 80 characters
#213: FILE: /tmp/f1-16516/tcp_authopt.c:213:
+ zlog_warn("setsockopt TCP_AUTHOPT_KEY: %s", safe_strerror(errno));
WARNING: line over 80 characters
#219: FILE: /tmp/f1-16516/tcp_authopt.c:219:
+ /* Currently kernel accepts everything if no keys are added for an
WARNING: line over 80 characters
#220: FILE: /tmp/f1-16516/tcp_authopt.c:220:
+ * address. This means that if all keys fail unsigned packets will be
WARNING: line over 80 characters
#223: FILE: /tmp/f1-16516/tcp_authopt.c:223:
+ zlog_warn("No valid tcp_authopt keys added from keychain %s", keychain->name);
WARNING: line over 80 characters
#230: FILE: /tmp/f1-16516/tcp_authopt.c:230:
+static int tcp_authopt_keychain_del(int sock, union sockunion *su, struct keychain *keychain)
ERROR: that open brace { should be on the previous line
#242: FILE: /tmp/f1-16516/tcp_authopt.c:242:
+ for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+ {
WARNING: line over 80 characters
#249: FILE: /tmp/f1-16516/tcp_authopt.c:249:
+ if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {
WARNING: line over 80 characters
#253: FILE: /tmp/f1-16516/tcp_authopt.c:253:
+ zlog_warn("setsockopt TCP_AUTHOPT_KEY_DEL unexpected error: %s", safe_strerror(errno));
WARNING: line over 80 characters
#300: FILE: /tmp/f1-16516/tcp_authopt.c:300:
+ if (user->keychain_name && keychain_name && !strcmp(user->keychain_name, keychain_name))
WARNING: line over 80 characters
#315: FILE: /tmp/f1-16516/tcp_authopt.c:315:
+ tcp_authopt_keychain_del(user->sock, &user->su, keychain);
WARNING: Missing a blank line after declarations
#340: FILE: /tmp/f1-16516/tcp_authopt.c:340:
+ char addrbuf[SU_ADDRSTRLEN];
+ if (user->sock == sock && 0 == memcmp(&user->su, su, sizeof(*su)))
ERROR: that open brace { should be on the previous line
#400: FILE: /tmp/f1-16516/tcp_authopt.c:400:
+ if (err == ENOPROTOOPT)
+ {
ERROR: that open brace { should be on the previous line
#405: FILE: /tmp/f1-16516/tcp_authopt.c:405:
+ if (err == ENOENT)
+ {
ERROR: that open brace { should be on the previous line
#410: FILE: /tmp/f1-16516/tcp_authopt.c:410:
+ if (err)
+ {
WARNING: line over 80 characters
#412: FILE: /tmp/f1-16516/tcp_authopt.c:412:
+ vty_out(vty, "TCP Authentication Option unexpected getsockopt err: %s\n", safe_strerror(errno));
WARNING: quoted string split across lines
#416: FILE: /tmp/f1-16516/tcp_authopt.c:416:
+ vty_out(vty, "TCP Authentication Option Enabled:"
+ " keyid %hhu"
WARNING: quoted string split across lines
#417: FILE: /tmp/f1-16516/tcp_authopt.c:417:
+ " keyid %hhu"
+ " rnextkeyid %hhu"
WARNING: quoted string split across lines
#418: FILE: /tmp/f1-16516/tcp_authopt.c:418:
+ " rnextkeyid %hhu"
+ " recv_keyid %hhu"
WARNING: quoted string split across lines
#419: FILE: /tmp/f1-16516/tcp_authopt.c:419:
+ " recv_keyid %hhu"
+ " recv_rnextkeyid %hhu\n",
ERROR: "foo* bar" should be "foo *bar"
#432: FILE: /tmp/f1-16516/tcp_authopt.c:432:
+ struct json_object* jo;
ERROR: that open brace { should be on the previous line
#441: FILE: /tmp/f1-16516/tcp_authopt.c:441:
+ if (err == ENOPROTOOPT)
+ {
ERROR: that open brace { should be on the previous line
#446: FILE: /tmp/f1-16516/tcp_authopt.c:446:
+ if (err == ENOENT)
+ {
ERROR: that open brace { should be on the previous line
#451: FILE: /tmp/f1-16516/tcp_authopt.c:451:
+ if (err)
+ {
Outdated results 🛑
Basic BGPD CI results: FAILURE
| _ | _ |
|---|---|
| Result | 08/19/2021 |
| Date | 11:01:34 |
| Start | 11:28:41 |
| Finish | 27:07 |
| Run-Time | 1736 |
| Total | 1735 |
| Pass | 1 |
| Fail | 21 |
| Valgrind-Errors | 67 |
| Valgrind-Loss | 313 |
| Details | vncregress-2021-08-19-11:01:34.txt |
| Log | autoscript-2021-08-19-11:02:47.log.bz2 |
| Memory | 503 499 426 |
| FAILURE git merge/9442 0aa41dc9 Autoscript |
For details, please contact louberger
Continuous Integration Result: FAILED
See below for issues. CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/
This is a comment from an automated CI system. For questions and feedback in regards to this CI system, please feel free to email Martin Winter - mwinter (at) opensourcerouting.org.
Get source / Pull Request: Successful
Building Stage: Failed
CentOS 7 amd64 build: Failed (click for details)
CentOS 7 amd64 build: Unknown LogOpenBSD 6 amd64 build: Failed (click for details)
Make failed for OpenBSD 6 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/ErrorLog/log_make.txt)
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.status/config.status OpenBSD 6 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.log/config.log.gz
Fedora 29 amd64 build: Failed (click for details)
Fedora 29 amd64 build: Unknown LogCentOS 8 amd64 build: Failed (click for details)
CentOS 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/config.status/config.status CentOS 8 amd64 build: Unknown LogSuccessful on other platforms/tests
- Ubuntu 16.04 i386 build
- NetBSD 8 amd64 build
- Debian 9 amd64 build
- Ubuntu 16.04 amd64 build
- Ubuntu 18.04 amd64 build
- Ubuntu 20.04 amd64 build
- Ubuntu 18.04 arm7 build
- Debian 11 amd64 build
- Ubuntu 18.04 arm8 build
- Ubuntu 18.04 ppc64le build
- Ubuntu 16.04 arm8 build
- FreeBSD 11 amd64 build
- Ubuntu 16.04 arm7 build
- Ubuntu 18.04 i386 build
- Debian 10 amd64 build
- FreeBSD 12 amd64 build
Warnings Generated during build:
Checkout code: Successful with additional warnings
CentOS 7 amd64 build: Failed (click for details)
CentOS 7 amd64 build: Unknown LogOpenBSD 6 amd64 build: Failed (click for details)
Make failed for OpenBSD 6 amd64 build: (see full Make log at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/ErrorLog/log_make.txt)
static void elffile_add_dynreloc(struct elffile *w, Elf_Data *reldata,
3 warnings generated.
lib/keychain.c:1137:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
lib/keychain.c:1139:50: error: format specifies type 'unsigned char' but the argument has type 'int' [-Werror,-Wformat]
2 errors generated.
gmake[1]: *** [Makefile:9921: lib/keychain.lo] Error 1
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
/home/ci/cibuild.21225/frr-source/doc/user/zebra.rst:23: SEVERE: Duplicate ID: "cmdoption-configure-arg-net".
OpenBSD 6 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.status/config.status OpenBSD 6 amd64 build: Unknown Log <config.log.gz> URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CI011BUILD/config.log/config.log.gz
Fedora 29 amd64 build: Failed (click for details)
Fedora 29 amd64 build: Unknown LogCentOS 8 amd64 build: Failed (click for details)
CentOS 8 amd64 build: config.status output from configure script can be found at https://ci1.netdef.org/browse/FRR-FRRPULLREQ-21225/artifact/CENTOS8BUILD/config.status/config.status CentOS 8 amd64 build: Unknown LogReport for bgpd.c | 8 issues
===============================================
< WARNING: line over 80 characters
< #5968: FILE: /tmp/f1-25409/bgpd.c:5968:
< WARNING: line over 80 characters
< #5973: FILE: /tmp/f1-25409/bgpd.c:5973:
< WARNING: else is not generally useful after a break or return
< #5983: FILE: /tmp/f1-25409/bgpd.c:5983:
< WARNING: line over 80 characters
< #6292: FILE: /tmp/f1-25409/bgpd.c:6292:
Report for bgpd.h | 4 issues
===============================================
< WARNING: line over 80 characters
< #1284: FILE: /tmp/f1-25409/bgpd.h:1284:
< WARNING: line over 80 characters
< #2173: FILE: /tmp/f1-25409/bgpd.h:2173:
Report for bgp_network.c | 10 issues
===============================================
< WARNING: line over 80 characters
< #243: FILE: /tmp/f1-25409/bgp_network.c:243:
< WARNING: line over 80 characters
< #246: FILE: /tmp/f1-25409/bgp_network.c:246:
< ERROR: spaces required around that ':' (ctx:VxW)
< #266: FILE: /tmp/f1-25409/bgp_network.c:266:
< WARNING: line over 80 characters
< #311: FILE: /tmp/f1-25409/bgp_network.c:311:
< WARNING: line over 80 characters
< #314: FILE: /tmp/f1-25409/bgp_network.c:314:
Report for bgp_network.h | 6 issues
===============================================
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #41: FILE: /tmp/f1-25409/bgp_network.h:41:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-25409/bgp_network.h:43:
< WARNING: function definition argument 'struct peer *' should also have an identifier name
< #43: FILE: /tmp/f1-25409/bgp_network.h:43:
Report for bgp_vty.c | 2 issues
===============================================
< WARNING: braces {} are not necessary for any arm of this statement
< #13931: FILE: /tmp/f1-25409/bgp_vty.c:13931:
Report for keychain.c | 12 issues
===============================================
< WARNING: line over 80 characters
< #155: FILE: /tmp/f1-25409/keychain.c:155:
< WARNING: line over 80 characters
< #188: FILE: /tmp/f1-25409/keychain.c:188:
< WARNING: else is not generally useful after a break or return
< #1020: FILE: /tmp/f1-25409/keychain.c:1020:
< WARNING: line over 80 characters
< #1135: FILE: /tmp/f1-25409/keychain.c:1135:
< WARNING: line over 80 characters
< #1137: FILE: /tmp/f1-25409/keychain.c:1137:
< WARNING: line over 80 characters
< #1139: FILE: /tmp/f1-25409/keychain.c:1139:
Report for tcp_authopt.c | 141 issues
===============================================
ERROR: "foo* bar" should be "foo *bar"
#34: FILE: /tmp/f1-25409/tcp_authopt.c:34:
+ struct tcp_authopt_key* keyopt,
ERROR: "foo* bar" should be "foo *bar"
#36: FILE: /tmp/f1-25409/tcp_authopt.c:36:
+ struct key* key)
WARNING: line over 80 characters
#51: FILE: /tmp/f1-25409/tcp_authopt.c:51:
+static int tcp_authopt_keychain_add(int sock, union sockunion *su, struct keychain *keychain)
ERROR: that open brace { should be on the previous line
#67: FILE: /tmp/f1-25409/tcp_authopt.c:67:
+ for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+ {
WARNING: line over 80 characters
#72: FILE: /tmp/f1-25409/tcp_authopt.c:72:
+ /* Linux implementation doesn't allow marking keys as expired so only add
WARNING: line over 80 characters
#98: FILE: /tmp/f1-25409/tcp_authopt.c:98:
+ if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {
WARNING: line over 80 characters
#99: FILE: /tmp/f1-25409/tcp_authopt.c:99:
+ zlog_warn("setsockopt TCP_AUTHOPT_KEY: %s", safe_strerror(errno));
WARNING: line over 80 characters
#105: FILE: /tmp/f1-25409/tcp_authopt.c:105:
+ /* Currently kernel accepts everything if no keys are added for an
WARNING: line over 80 characters
#106: FILE: /tmp/f1-25409/tcp_authopt.c:106:
+ * address. This means that if all keys fail unsigned packets will be
WARNING: line over 80 characters
#109: FILE: /tmp/f1-25409/tcp_authopt.c:109:
+ zlog_warn("No valid tcp_authopt keys added from keychain %s", keychain->name);
WARNING: line over 80 characters
#116: FILE: /tmp/f1-25409/tcp_authopt.c:116:
+static int tcp_authopt_keychain_del(int sock, union sockunion *su, struct keychain *keychain)
ERROR: that open brace { should be on the previous line
#128: FILE: /tmp/f1-25409/tcp_authopt.c:128:
+ for (ALL_LIST_ELEMENTS_RO(keychain->key, node, key))
+ {
WARNING: line over 80 characters
#135: FILE: /tmp/f1-25409/tcp_authopt.c:135:
+ if (setsockopt(sock, IPPROTO_TCP, TCP_AUTHOPT_KEY, &keyopt, sizeof(keyopt)) < 0) {
WARNING: line over 80 characters
#139: FILE: /tmp/f1-25409/tcp_authopt.c:139:
+ zlog_warn("setsockopt TCP_AUTHOPT_KEY_DEL unexpected error: %s", safe_strerror(errno));
WARNING: line over 80 characters
#149: FILE: /tmp/f1-25409/tcp_authopt.c:149:
+static int tcp_authopt_keychain_add(int sock, union sockunion *su, struct keychain *keychain)
WARNING: line over 80 characters
#154: FILE: /tmp/f1-25409/tcp_authopt.c:154:
+static int tcp_authopt_keychain_del(int sock, union sockunion *su, struct keychain *keychain)
WARNING: line over 80 characters
#197: FILE: /tmp/f1-25409/tcp_authopt.c:197:
+ if (user->keychain_name && keychain_name && !strcmp(user->keychain_name, keychain_name))
WARNING: line over 80 characters
#212: FILE: /tmp/f1-25409/tcp_authopt.c:212:
+ tcp_authopt_keychain_del(user->sock, &user->su, keychain);
WARNING: Missing a blank line after declarations
#237: FILE: /tmp/f1-25409/tcp_authopt.c:237:
+ char addrbuf[SU_ADDRSTRLEN];
+ if (user->sock == sock && 0 == memcmp(&user->su, su, sizeof(*su)))
ERROR: that open brace { should be on the previous line
#298: FILE: /tmp/f1-25409/tcp_authopt.c:298:
+ if (err == -ENOPROTOOPT)
+ {
ERROR: that open brace { should be on the previous line
#303: FILE: /tmp/f1-25409/tcp_authopt.c:303:
+ if (err == -ENOENT)
+ {
ERROR: that open brace { should be on the previous line
#308: FILE: /tmp/f1-25409/tcp_authopt.c:308:
+ if (err)
+ {
WARNING: line over 80 characters
#310: FILE: /tmp/f1-25409/tcp_authopt.c:310:
+ vty_out(vty, "TCP Authentication Option unexpected getsockopt err: %s\n", safe_strerror(-err));
WARNING: quoted string split across lines
#314: FILE: /tmp/f1-25409/tcp_authopt.c:314:
+ vty_out(vty, "TCP Authentication Option Enabled:"
+ " keyid %hhu"
WARNING: quoted string split across lines
#315: FILE: /tmp/f1-25409/tcp_authopt.c:315:
+ " keyid %hhu"
+ " rnextkeyid %hhu"
WARNING: quoted string split across lines
#316: FILE: /tmp/f1-25409/tcp_authopt.c:316:
+ " rnextkeyid %hhu"
+ " recv_keyid %hhu"
WARNING: quoted string split across lines
#317: FILE: /tmp/f1-25409/tcp_authopt.c:317:
+ " recv_keyid %hhu"
+ " recv_rnextkeyid %hhu\n",
ERROR: "foo* bar" should be "foo *bar"
#330: FILE: /tmp/f1-25409/tcp_authopt.c:330:
+ struct json_object* jo;
ERROR: that open brace { should be on the previous line
#339: FILE: /tmp/f1-25409/tcp_authopt.c:339:
+ if (err == -ENOPROTOOPT)
+ {
ERROR: that open brace { should be on the previous line
#344: FILE: /tmp/f1-25409/tcp_authopt.c:344:
+ if (err == -ENOENT)
+ {
ERROR: that open brace { should be on the previous line
#349: FILE: /tmp/f1-25409/tcp_authopt.c:349:
+ if (err)
+ {
ERROR: "foo* bar" should be "foo *bar"
#368: FILE: /tmp/f1-25409/tcp_authopt.c:368:
+ struct json_object* jo;
Outdated results 🚧
Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues
| _ | _ |
|---|---|
| Result | SUCCESS git merge/9442 ab300d93 |
| Date | 08/19/2021 |
| Start | 16:36:32 |
| Finish | 17:02:54 |
| Run-Time | 26:22 |
| Total | 1813 |
| Pass | 1813 |
| Fail | 0 |
| Valgrind-Errors | 0 |
| Valgrind-Loss | 2 |
| Details | vncregress-2021-08-19-16:36:32.txt |
| Log | autoscript-2021-08-19-16:37:42.log.bz2 |
| Memory | 506 487 421 |
For details, please contact louberger
Any chance for this to use the XFRM infrastructure, i.e. setsockopt(..., IP_XFRM_POLICY, ...) rather than yet another new sockopt? (and socket(AF_NETLINK, ..., NETLINK_XFRM) for key management?)
This ABI mirrors TCP_MD5SIG because the standard is very directly intended to replace TCP-MD5. TCP sockopts are very easy to use and not at all scarce so why not use them?
I'm not very familiar with XFRM so I'd have to investigate how that could be used here. As far as I understand xfrm is meant for "global" config which matches and transforms all packets matching certain criteria, this would be very different from my approach where TCP-AO configuration only exists at the socket level. My approach seems to match the intent behind RFC5925; they describe user interface recommendations which are all per-connection. Are you expecting TCP-AO to "match" packets based on global config?
Another related issue is that on netdev people asked to use generic algorithm definitions similar to xfrm instead of an enum based on just what RFC5926 describes. I am very reluctant to add so much general functionality. Link: https://lore.kernel.org/netdev/CAJwJo6aicw_KGQSM5U1=0X11QfuNf2dMATErSymytmpf75W=tA@mail.gmail.com/
Posted v3 of kernel changes to netdev: https://lore.kernel.org/netdev/[email protected]/
You can send ABI feedback there as well.
Fixed tcp-authopt property handling in peer groups (using test_peer_attr). Also fix overlapping flag with graceful-restart.
Style warnings apparently here: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-CHECKOUT-21406/log
Lots of "lines over 80 characters", maybe you should follow the kernel and invest in 100-column terminals? :)
Outdated results 🚧
Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues
| _ | _ |
|---|---|
| Result | SUCCESS git merge/9442 9bf7a8b0 |
| Date | 08/26/2021 |
| Start | 12:19:06 |
| Finish | 12:45:13 |
| Run-Time | 26:07 |
| Total | 1813 |
| Pass | 1813 |
| Fail | 0 |
| Valgrind-Errors | 0 |
| Valgrind-Loss | 2 |
| Details | vncregress-2021-08-26-12:19:06.txt |
| Log | autoscript-2021-08-26-12:20:20.log.bz2 |
| Memory | 486 492 416 |
For details, please contact louberger
Outdated results 🚧
Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues
| _ | _ |
|---|---|
| Result | SUCCESS git merge/9442 482881e9 |
| Date | 08/26/2021 |
| Start | 16:29:24 |
| Finish | 16:55:41 |
| Run-Time | 26:17 |
| Total | 1816 |
| Pass | 1816 |
| Fail | 0 |
| Valgrind-Errors | 0 |
| Valgrind-Loss | 2 |
| Details | vncregress-2021-08-26-16:29:24.txt |
| Log | autoscript-2021-08-26-16:30:38.log.bz2 |
| Memory | 509 511 427 |
For details, please contact louberger
This ABI mirrors TCP_MD5SIG because the standard is very directly intended to replace TCP-MD5. TCP sockopts are very easy to use and not at all scarce so why not use them?
I would've preferred that TCP_MD5SIG use the XFRM setsockopt too ;)
I'm not very familiar with XFRM so I'd have to investigate how that could be used here. As far as I understand xfrm is meant for "global" config which matches and transforms all packets matching certain criteria, this would be very different from my approach where TCP-AO configuration only exists at the socket level. My approach seems to match the intent behind RFC5925; they describe user interface recommendations which are all per-connection. Are you expecting TCP-AO to "match" packets based on global config?
You can set a socket policy with setsockopt(fd, … IP_XFRM_POLICY …); this is how IPsec for OSPF would be handled too (which we don't currently support…) If I'm not completely mistaken, IP_XFRM_POLICY only handles the actual policy, with keys being handled separately over the "global" XFRM interface.
My thought was simply that it would be nice to have the same interface for IPsec AH (for OSPF & co.) and TCP-AO (for BGP & LDP) [and maybe even TCP-MD5.] But I don't know if it's really the "right thing", I just want to know if you considered it (and maybe what was the reason against it.)
I have not considered XFRM in detail because I'm not familiar with the xfrm API. I read the ipsec RFCs some years ago and I remember them poorly.
You're right that neighbor 1.2.3.4 tcp-authopt AAAA is sort-of like an SA with the remote peer. In theory it might be possible to configure such associations with netlink and have them affect all sockets.
This is more complex to implement but in theory it would work even for unmodified applications. I don't think there are notable interactions between TCP and XFRM in the kernel, XFRM is mostly at the IP level. Attaching all keys to sockets instead of making them global objects made my implementation a lot easier!
I'm not sure how IP_XFRM_POLICY would apply here. There would still be a need to make multiple TCP-AO keychains apply to a listen socket.
A sockopt would still be used in order to get/set the keyids currently being used on the connection: this is a requirement of RFC5925. Maybe some sort of netlink interface could also be provided (like tcp_info) but that would be complimentary and mostly used by administrative tools. The application handling the connect would still use sockopts on the FD.
Looking through failures reported by bamboo a lot of the issues are crashes related to my code in tests that should not be affected. Need to run locally and fix.
@riw777 I don't currently intend to move forward on FRR changes beyond this is a proof-of-concept stage.
My real focus is strictly to get the required kernel changes in.
I've also had a discussion with @ppaeps about actually making keys global which would simplify userspace handling.
This PR is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this PR closed.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This PR is stale because it has been open 180 days with no activity. Comment or remove the
autocloselabel in order to avoid having this PR closed.
Please don't close this github. It's stale but I might restore it.
On a side note how is getting the tcp-A0 into the kernel going? I have not been paying attention but it should be on my radar
A different unrelated kernel implementation was posted upstream: https://lore.kernel.org/netdev/[email protected]/
ABI feedback might be useful.
Posted v8 upstream: https://lore.kernel.org/netdev/[email protected]/
Major difference is that key rollover can now be handled entirely inside the kernel so this would greatly simplify userspace (no more timers required).
Outdated results 🚧
Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues
| _ | _ |
|---|---|
| Result | SUCCESS git pull/9442 482881e93 (merge failed) |
| Date | 09/20/2022 |
| Start | 03:45:47 |
| Finish | 04:11:54 |
| Run-Time | 26:07 |
| Total | 1813 |
| Pass | 1813 |
| Fail | 0 |
| Valgrind-Errors | 0 |
| Valgrind-Loss | 2 |
| Details | vncregress-2022-09-20-03:45:47.txt |
| Log | autoscript-2022-09-20-03:46:55.log.bz2 |
| Memory | 517 516 428 |
For details, please contact louberger
🚧 Basic BGPD CI results: Partial FAILURE, 0 tests failed, has VALGRIND issues
Results table
| _ | _ |
|---|---|
| Result | SUCCESS git pull/9442 482881e93 (merge failed) |
| Date | 09/20/2022 |
| Start | 04:12:18 |
| Finish | 04:38:37 |
| Run-Time | 26:19 |
| Total | 1813 |
| Pass | 1813 |
| Fail | 0 |
| Valgrind-Errors | 0 |
| Valgrind-Loss | 2 |
| Details | vncregress-2022-09-20-04:12:18.txt |
| Log | autoscript-2022-09-20-04:13:30.log.bz2 |
| Memory | 515 507 426 |
For details, please contact louberger
This pull request has conflicts, please resolve those before we can evaluate the pull request.
@cdleonard -> looks like tcp-ao got into the kernel. Any possibility you can pick this up again?
@cdleonard -> looks like tcp-ao got into the kernel. Any possibility you can pick this up again?
Sorry but no (notice how I closed the PR). Somebody else should probably rewrite this from scratch.