4ff910d1 | 19-Jan-2021 | claudio <claudio@openbsd.org>
Adjust the disc_recv_packet() code to not use IBUF_READ_SIZE and to use a local recv_buf that is allocated on first call with malloc(). The memory returned from malloc() is properly aligned which may not be the case for bss or stack memory.

7ee91690 | 23-Jan-2019 | dlg <dlg@openbsd.org>
rework how tcp md5 signatures are configured.
previously ldpd only allowed tcp md5 to be configured against a neighbor (by ldp router id), but other vendors supported configuring tcp md5sig by prefix as well as neighbor. this reworks the config so auth is maintained globally as a list of prefixes that you do and do not want to do tcp md5sig auth with.
the config statements look more like what is in bgpd.conf now too.
an example of the new config for interoperating with my baby cisco test network:
on ios:
    mpls ldp password required for MPLS
    mpls ldp password option 1 for MPLS key-chain LDPAUTH
    key chain LDPAUTH
     key 1
      key-string secret
    interface Loopback0
     ip address 192.168.0.0 255.255.255.255
    end
    ip prefix-list MPLS seq 5 permit 192.168.0.0/24
    ip access-list standard MPLS
    mpls ldp router-id Loopback0 force
and in ldpd.conf:
    router-id 192.168.0.25
    tcp md5sig password secret 192.168.0.0/24
    address-family ipv4 {
        interface vmx1
    }
this still supports specifying tcp md5sig on neighbors, but that is syntactic sugar around adding entries to the list of auths.
ok (and lots of help from) claudio@

3b4c1866 | 04-Mar-2017 | renato <renato@openbsd.org>
Implement RFC 5561 (LDP Capabilities).
This patch per se doesn't introduce any useful functionality, but prepares the ground for new enhancements to ldpd (i.e. implementation of new RFCs that make use of LDP capabilities).

0101edf8 | 03-Mar-2017 | renato <renato@openbsd.org>
Kill send_notification_nbr().
Be more clever and trigger the PDU SENT event inside send_notification() when tcp->nbr is set. This way we can eliminate send_notification_nbr() and always use send_notification() instead.

c31aa80e | 16-Jul-2016 | renato <renato@openbsd.org>
Remove potential overflow when validating message's length.
Also, use uint16_t for msg_type on gen_msg_hdr().

60e1e0e7 | 01-Jul-2016 | renato <renato@openbsd.org>
More renaming and whitespace cleanup.
No binary change after "strip -s".

d3e006a4 | 01-Jul-2016 | renato <renato@openbsd.org>
Several minor tweaks.

5ff72af8 | 01-Jul-2016 | renato <renato@openbsd.org>
Add GTSM support (RFC 6720).
This also finishes the missing bits from our RFC 7552 implementation because GTSM is mandatory for LDPv6.
To avoid any kind of interoperability problems, I included a few knobs to enable/disable GTSM on a per-address-family and per-neighbor basis. Cisco's LDPv6 implementation, for instance, doesn't support GTSM.
"reads good" claudio@

e373a269 | 18-Jun-2016 | renato <renato@openbsd.org>
Fix removal of dual-stack neighbors.

c78471fc | 13-Jun-2016 | renato <renato@openbsd.org>
Implement a timeout for the session initialization FSM.
This prevents neighbors stuck in the initialization FSM from lingering forever as long as the associated transport connection is up.
This timeout can be seen in the 'Session Initialization State Transition Diagram' of RFC 5036. The RFC, however, doesn't specify how much we should wait. Let's use 180 seconds for that, the default LDP hold time.
Fixes IxANVL LDP test 6.15.

20eeeb6f | 13-Jun-2016 | renato <renato@openbsd.org>
Rework the handling of Hello packets.
With the introduction of IPv6 support by RFC 7552, the handling of Hello packets in ldpd became something incredibly complex. Neighbors can change from single-stack LDP to dual-stack and vice-versa. They can change their transport preference, their transport addresses (IPv4 and IPv6) and even start or stop sending the Dual-Stack TLV. We also have to take care to reject things like multiple adjacencies advertising different transport-addresses for the same neighbor. ldpd was failing for some of the cases mentioned above; this patch fixes these issues and attempts to make the code easier to read.

96bde2a3 | 09-Jun-2016 | renato <renato@openbsd.org>
Do set the Message ID for Hello messages too.
In the original LDP specification, there was no circumstance where a Notification message could be sent in response to a Hello message. So setting the Message ID field for Hello packets was useless.
This changed with RFC 7552, where Hello packets can trigger the "Transport Connection Mismatch" notification when the local and remote transport preferences don't match. In this case, having a meaningful Message ID in the Hello packets can aid in testing and troubleshooting.

05822608 | 09-Jun-2016 | renato <renato@openbsd.org>
Do not shut down the session upon receiving unknown messages.
RFC 5036 says the following about the receipt of unknown messages: "Unknown message bit. Upon receipt of an unknown message, if U is clear (=0), a notification is returned to the message originator; if U is set (=1), the unknown message is silently ignored".
We were correctly ignoring unknown messages when the U-bit was set. But when this bit was not set, we were shutting down the session when the correct thing to do is to just send a non-fatal notification message.
Fix IxANVL LDP test 22.13.

07f78510 | 06-Jun-2016 | renato <renato@openbsd.org>
Speed up session establishment after config reload.
If we change a neighbor's password or the global transport-address, cancel the affected pending connects and, when playing the active role of the session establishment process, try to connect again right away with the new password and/or transport-address.
Without this patch we have to wait for the timeout of the pending connects, which might be a lot of time.

5dc9330a | 23-May-2016 | renato <renato@openbsd.org>
Update copyright information.

5411bbb6 | 23-May-2016 | renato <renato@openbsd.org>
Remove superfluous includes.

c28a25a1 | 23-May-2016 | renato <renato@openbsd.org>
Make functions and variables static whenever possible.
The benefits of this include:
 * clean up of the ldpd global namespace;
 * improved readability;
 * more hints to the compiler/linker to generate more efficient code.
Whenever possible, move global static variables to a smaller scope (function).
All extern variables are now declared in header files to avoid unnecessary duplication.
This patch also cleans up the indentation of all function prototypes and global variables.

a8c39dc0 | 23-May-2016 | renato <renato@openbsd.org>
Add support for IPv6 (RFC 7552).
This includes:
 * Full compliance to RFC 7552;
 * Support for MD5 on LDPov6 sessions;
 * Support for pseudowires over IPv6 LSPs (we're probably the world's first implementation doing this);
 * Support for the IPv6 explicit-null label;
 * Knob to specify the preferred address-family for TCP transport connections;
 * Knob to use cisco non-compliant format to send and interpret the Dual-Stack capability TLV.

3de94509 | 23-May-2016 | renato <renato@openbsd.org>
Fix mess caused by my commit script.
I screwed up everything... trying to fix now.

029cacd7 | 23-May-2016 | renato <renato@openbsd.org>
Move setsockopt helper functions to a separate file.
IPv6 support is coming and we don't want to pollute the interface.c file with too many of these helper functions.
Also, rename these functions from if_set_* to sock_set_*.

d99a8fc3 | 23-May-2016 | renato <renato@openbsd.org>
Standardize some log messages and fix some inconsistencies.
We were using several different names for the same thing in our log messages: neighbor, neighbor ID, nbr ID and LSR ID.
Standardize to always use "lsr-id" to refer to a neighbor.
Also:
 * Use log_warnx() instead of log_warn() when appropriate;
 * Use fatal(x) instead of err(x) when appropriate;
 * Fix some inconsistent log messages.

1ce5acab | 23-May-2016 | renato <renato@openbsd.org>
Make neighbor parameters per lsr-id not per transport-address.
With the advent of IPv6 support, a single neighbor can have two different transport-addresses: one for ipv4 and one for ipv6. In order to define neighbor-specific parameters in an indistinguishable way, define them by lsr-id. This way we can switch between LDPov4 and LDPov6 and keep the same configuration.

35ee709d | 23-May-2016 | renato <renato@openbsd.org>
Rework the way we handle incoming connection requests.
The logic of the previous code was to accept all TCP connection requests (destined to port 646) and create a tcp_conn structure for each of them. Once the first packet of a connection was received, we would analyze the LDP Initialization message and identify its origin by looking at the LSR-ID field.
When parsing a received TCP packet, we would need to distinguish between two cases: tcp packet from an LDP neighbor and tcp packet from a newborn connection (not associated with any neighbor yet). For this reason, the session_read() function was quite complicated.
Also, we were not keeping track of the allocated tcp_conn structures. So, we were subject to memory leaks and even DOS attacks.
With this patch, we also accept all TCP connection requests, but with two major differences:
 * We identify the neighbor by the source address of the SYN packet. This is possible because we don't support label spaces, so the transport-address by itself is enough to identify a neighbor, we don't need to wait for the Initialization message;
 * If there's no matching adjacency for this neighbor, then we start a timer of 5 seconds. If we receive a Hello packet from this neighbor within this interval, then we stop this timer and move on in the Initialization state machine. Otherwise, we send a No Hello Notification message and close the socket. We try to avoid sending the No Hello notification as much as possible because it triggers the exponential backoff in the remote peer, which considerably slows down the session establishment process.
In summary, this new approach allows for simpler code and fixes the memory leak problem mentioned before.

ac5a809b | 23-May-2016 | renato <renato@openbsd.org>
Several improvements in the parsing of UDP/Hello packets.
 * Fix check of the packet's size and the "PDU Length" field;
 * Add check for the "Message Length" field;
 * Check for invalid labelspace earlier;
 * Use if_lookup() on disc_recv_iface() to reduce one level of indentation.
Additionally, add the following safeguards:
 * Check for unicast link hellos;
 * Check for multicast targeted hellos;
 * Validate packet's source address;
 * Validate received transport-address.
Put the ancillary function bad_ip_addr() into a new file, util.c, which will be used later for several other things.

871c7125 | 23-May-2016 | renato <renato@openbsd.org>
Don't ignore notification messages before the session is operational.
This was preventing us from triggering the exponential backoff timer after receiving a 'No Hello' notification.