Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Quagga: Dev

IPv6 BGP md5 password disappears on restart

  

 
Quagga dev RSS feed   Index | Next | Previous | View Threaded


rha at open

Aug 6, 2012, 5:44 AM

Post #1 of 4 (309 views)
Permalink
IPv6 BGP md5 password disappears on restart
Hi

This is a follow up on this old thread from 2009 from the users mailing
list:
http://www.gossamer-threads.com/lists/quagga/users/19443

I wrote a fix for the issue (see attachement). My fix does not change
the order of statements in the output of running config, as subliminally
suggested in those old mails. Instead, it tackles the problem at the
root by preventing group statements from purging individual passwords in
the first place.
This way the order of group and password statements is unimportant and
all scenarios are possible: peers with individual passwords overriding
group passwords; peers with individual passwords in groups without group
password, etc.

It also improves compatibility with custom scripts that perform
configuration changes automatically, as they no longer have to send
group statements before password statements.

Cheers,
Roman
Attachments: quagga-0.99.21-dont_loose_password.patch (1.85 KB)


equinox at opensourcerouting

Jan 14, 2013, 6:26 AM

Post #2 of 4 (164 views)
Permalink
Re: IPv6 BGP md5 password disappears on restart [In reply to]
On Mon, Aug 06, 2012 at 02:44:37PM +0200, Roman Hoog Antink wrote:
> This way the order of group and password statements is unimportant and
> all scenarios are possible: peers with individual passwords overriding
> group passwords; peers with individual passwords in groups without group
> password, etc.

[...]
> /* password apply */
> - if (peer->password)
> - XFREE (MTYPE_PEER_PASSWORD, peer->password);
> -
> if (conf->password)
> - peer->password = XSTRDUP (MTYPE_PEER_PASSWORD, conf->password);
> - else
> - peer->password = NULL;
> + {
> + XFREE (MTYPE_PEER_PASSWORD, peer->password);
> + peer->password = XSTRDUP (MTYPE_PEER_PASSWORD, conf->password);
> + }

Shouldn't this be "if (conf->password && !peer->password)"?

Even with your patch, if the peer-group has a password set, that will
override the peer's password, if it's set before the peer is added to
the peer group - or am I overlooking something?

-David
Attachments: signature.asc (0.22 KB)


rha at open

Jan 18, 2013, 6:04 AM

Post #3 of 4 (164 views)
Permalink
Re: IPv6 BGP md5 password disappears on restart [In reply to]
On 14.01.2013 15:26, David Lamparter wrote:
> On Mon, Aug 06, 2012 at 02:44:37PM +0200, Roman Hoog Antink wrote:
>> This way the order of group and password statements is unimportant and
>> all scenarios are possible: peers with individual passwords overriding
>> group passwords; peers with individual passwords in groups without group
>> password, etc.
>
> [...]
>> /* password apply */
>> - if (peer->password)
>> - XFREE (MTYPE_PEER_PASSWORD, peer->password);
>> -
>> if (conf->password)
>> - peer->password = XSTRDUP (MTYPE_PEER_PASSWORD, conf->password);
>> - else
>> - peer->password = NULL;
>> + {
>> + XFREE (MTYPE_PEER_PASSWORD, peer->password);
>> + peer->password = XSTRDUP (MTYPE_PEER_PASSWORD, conf->password);
>> + }
>
> Shouldn't this be "if (conf->password && !peer->password)"?
>
> Even with your patch, if the peer-group has a password set, that will
> override the peer's password, if it's set before the peer is added to
> the peer group - or am I overlooking something?
>
> -David
>

You are right. Besides, this improvement makes the XFREE unnecessary.
I attached the adapted patch against 0.99.21.

-Roman
Attachments: quagga-0.99.21.bgp-pw.patch (1.84 KB)
  signature.asc (0.29 KB)


equinox at opensourcerouting

Feb 23, 2013, 1:05 PM

Post #4 of 4 (96 views)
Permalink
Re: IPv6 BGP md5 password disappears on restart [In reply to]
On Fri, Jan 18, 2013 at 03:04:50PM +0100, Roman Hoog Antink wrote:
> On 14.01.2013 15:26, David Lamparter wrote:
> > On Mon, Aug 06, 2012 at 02:44:37PM +0200, Roman Hoog Antink wrote:
> >> This way the order of group and password statements is unimportant and
> >> all scenarios are possible: peers with individual passwords overriding
> >> group passwords; peers with individual passwords in groups without group
> >> password, etc.
> >
> > [...]
> >> /* password apply */
> >> - if (peer->password)
> >> - XFREE (MTYPE_PEER_PASSWORD, peer->password);
> >> -
> >> if (conf->password)
> >> - peer->password = XSTRDUP (MTYPE_PEER_PASSWORD, conf->password);
> >> - else
> >> - peer->password = NULL;
> >> + {
> >> + XFREE (MTYPE_PEER_PASSWORD, peer->password);
> >> + peer->password = XSTRDUP (MTYPE_PEER_PASSWORD, conf->password);
> >> + }
> >
> > Shouldn't this be "if (conf->password && !peer->password)"?
> >
> > Even with your patch, if the peer-group has a password set, that will
> > override the peer's password, if it's set before the peer is added to
> > the peer group - or am I overlooking something?
> >
> > -David
> >
>
> You are right. Besides, this improvement makes the XFREE unnecessary.
> I attached the adapted patch against 0.99.21.

Applied, Thanks!


> commit 2c56b7fb29edc4e87257f42d620928dcb790258a
> Author: Roman Hoog Antink <rha [at] open>
> Date: Fri Jan 18 13:52:03 2013 +0100
>
> bgpd: fix lost passwords of grouped neighbors
>
> This patch resolves the significance of order of group and password
> statements.
>
> It prevents passwords from being lost in cases where all
> three conditions apply:
> 1. the peer is member of a group with or without group password
> 2. the peer has an individual password set
> 3. the peer is added to a group within an address-family ipv6
> section
>
> In addition this patch prevents the same issue in cases, where an IPv4
> peer's password is set first and the peer is added to a group
> afterwards.
>
> Adding a peer to a group cancels his individual password. Without ipv6
> this is not a problem, because choosing the right order of config
> statements will do (set password only after adding peer to group).
>
> When adding the peer to a group within the address-family
> section, his password is definitely lost. The same workaround (ie.
> setting the password after the address-family section) can not be used,
> because "show run" will print the configuration statements in the wrong
> order.
>
> diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
> index 9c8eda8..61a4610 100644
> --- a/bgpd/bgpd.c
> +++ b/bgpd/bgpd.c
> @@ -1447,13 +1447,8 @@ peer_group2peer_config_copy (struct peer_group *group, struct peer *peer,
> peer->v_routeadv = BGP_DEFAULT_EBGP_ROUTEADV;
>
> /* password apply */
> - if (peer->password)
> - XFREE (MTYPE_PEER_PASSWORD, peer->password);
> -
> - if (conf->password)
> + if (conf->password && !peer->password)
> peer->password = XSTRDUP (MTYPE_PEER_PASSWORD, conf->password);
> - else
> - peer->password = NULL;
>
> bgp_md5_set (peer);
>




> _______________________________________________
> Quagga-dev mailing list
> Quagga-dev [at] lists
> http://lists.quagga.net/mailman/listinfo/quagga-dev
Attachments: signature.asc (0.22 KB)

Quagga dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.