[ripd] bugs #261, #262: Fix RIPv1 info-leak and unauthenticated route updates
2006-05-04 Paul Jakma <paul.jakma@sun.com>
* (general) Fixes for bugs #261 and 262. Thanks to
Konstantin V. Gavrilenko <kos@arhont.com> for the problem
reports, testing of a series of proposed patches and comment
on the proposed changes in behaviour.
* rip_interface.c: (ip_rip_authentication_mode_cmd) Parse all
of the command before making any changes to configured state.
* ripd.c: (rip_read) RIP version control should be absolute and
always apply, fixes bug #261 by allowing RIPv1 to be disabled.
Fix bug #262: If authentication is enabled, then
unauthenticated packets should not be accepted. We do however
make an exception for RIPv1 REQUEST packets, to which we will
reply as RIPv1 can now be disabled fully, to allow ripd to
still provide routing /information/ to simple devices.
diff --git a/ripd/ripd.c b/ripd/ripd.c
index e91adb8..518e486 100644
--- a/ripd/ripd.c
+++ b/ripd/ripd.c
@@ -1936,35 +1936,29 @@
return -1;
}
- /* RIP Version check. */
- if (packet->command == RIP_RESPONSE)
+ /* RIP Version check. RFC2453, 4.6 and 5.1 */
+ int vrecv = ((ri->ri_receive == RI_RIP_UNSPEC) ?
+ rip->version_recv : ri->ri_receive);
+ if ((packet->version == RIPv1) && !(vrecv & RIPv1))
{
- int vrecv = ((ri->ri_receive == RI_RIP_UNSPEC) ?
- rip->version_recv : ri->ri_receive);
- if (packet->version == RIPv1)
- if (! (vrecv & RIPv1))
- {
- if (IS_RIP_DEBUG_PACKET)
- zlog_debug (" packet's v%d doesn't fit to if version spec",
- packet->version);
- rip_peer_bad_packet (&from);
- return -1;
- }
- if (packet->version == RIPv2)
- if (! (vrecv & RIPv2))
- {
- if (IS_RIP_DEBUG_PACKET)
- zlog_debug (" packet's v%d doesn't fit to if version spec",
- packet->version);
- rip_peer_bad_packet (&from);
- return -1;
- }
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug (" packet's v%d doesn't fit to if version spec",
+ packet->version);
+ rip_peer_bad_packet (&from);
+ return -1;
}
-
+ if ((packet->version == RIPv2) && !(vrecv & RIPv2))
+ {
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug (" packet's v%d doesn't fit to if version spec",
+ packet->version);
+ rip_peer_bad_packet (&from);
+ return -1;
+ }
+
/* RFC2453 5.2 If the router is not configured to authenticate RIP-2
messages, then RIP-1 and unauthenticated RIP-2 messages will be
accepted; authenticated RIP-2 messages shall be discarded. */
-
if ((ri->auth_type == RIP_NO_AUTH)
&& rtenum
&& (packet->version == RIPv2)
@@ -1976,94 +1970,101 @@
rip_peer_bad_packet (&from);
return -1;
}
-
- /* If the router is configured to authenticate RIP-2 messages, then
+
+ /* RFC:
+ If the router is configured to authenticate RIP-2 messages, then
RIP-1 messages and RIP-2 messages which pass authentication
testing shall be accepted; unauthenticated and failed
authentication RIP-2 messages shall be discarded. For maximum
security, RIP-1 messages should be ignored when authentication is
in use (see section 4.1); otherwise, the routing information from
authenticated messages will be propagated by RIP-1 routers in an
- unauthenticated manner. */
-
- if ((ri->auth_type == RIP_AUTH_SIMPLE_PASSWORD
- || ri->auth_type == RIP_AUTH_MD5) && rtenum)
+ unauthenticated manner.
+ */
+ /* We make an exception for RIPv1 REQUEST packets, to which we'll
+ * always reply regardless of authentication settings, because:
+ *
+ * - if there other authorised routers on-link, the REQUESTor can
+ * passively obtain the routing updates anyway
+ * - if there are no other authorised routers on-link, RIP can
+ * easily be disabled for the link to prevent giving out information
+ * on state of this routers RIP routing table..
+ *
+ * I.e. if RIPv1 has any place anymore these days, it's as a very
+ * simple way to distribute routing information (e.g. to embedded
+ * hosts / appliances) and the ability to give out RIPv1
+ * routing-information freely, while still requiring RIPv2
+ * authentication for any RESPONSEs might be vaguely useful.
+ */
+ if (ri->auth_type != RIP_NO_AUTH
+ && packet->version == RIPv1)
{
- /* We follow maximum security. */
- if (packet->version == RIPv1
- && packet->rte->family == htons(RIP_FAMILY_AUTH))
- {
- if (IS_RIP_DEBUG_PACKET)
- zlog_debug
- ("packet RIPv%d is dropped because authentication enabled",
- packet->version);
+ /* Discard RIPv1 messages other than REQUESTs */
+ if (packet->command != RIP_REQUEST)
+ {
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug ("RIPv1" " dropped because authentication enabled");
+ rip_peer_bad_packet (&from);
+ return -1;
+ }
+ }
+ else if (ri->auth_type != RIP_NO_AUTH)
+ {
+ const char *auth_desc;
+
+ if (rtenum == 0)
+ {
+ /* There definitely is no authentication in the packet. */
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug ("RIPv2 authentication failed: no auth RTE in packet");
+ rip_peer_bad_packet (&from);
+ return -1;
+ }
+
+ /* First RTE must be an Authentication Family RTE */
+ if (packet->rte->family != htons(RIP_FAMILY_AUTH))
+ {
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug ("RIPv2" " dropped because authentication enabled");
rip_peer_bad_packet (&from);
return -1;
- }
-
+ }
+
/* Check RIPv2 authentication. */
- if (packet->version == RIPv2)
- {
- if (packet->rte->family == htons(RIP_FAMILY_AUTH))
- {
- if (packet->rte->tag == htons(RIP_AUTH_SIMPLE_PASSWORD))
- {
- ret = rip_auth_simple_password (packet->rte, &from, ifp);
- if (! ret)
- {
- if (IS_RIP_DEBUG_EVENT)
- zlog_debug
- ("RIPv2 simple password authentication failed");
- rip_peer_bad_packet (&from);
- return -1;
- }
- else
- {
- if (IS_RIP_DEBUG_EVENT)
- zlog_debug
- ("RIPv2 simple password authentication success");
- }
- }
- else if (packet->rte->tag == htons(RIP_AUTH_MD5))
- {
- ret = rip_auth_md5 (packet, &from, len, ifp);
- if (! ret)
- {
- if (IS_RIP_DEBUG_EVENT)
- zlog_debug ("RIPv2 MD5 authentication failed");
- rip_peer_bad_packet (&from);
- return -1;
- }
- else
- {
- if (IS_RIP_DEBUG_EVENT)
- zlog_debug ("RIPv2 MD5 authentication success");
- }
- /* Reset RIP packet length to trim MD5 data. */
- len = ret;
- }
- else
- {
- if (IS_RIP_DEBUG_EVENT)
- zlog_debug ("Unknown authentication type %d",
- ntohs (packet->rte->tag));
- rip_peer_bad_packet (&from);
- return -1;
- }
- }
- else
- {
- /* There is no authentication in the packet. */
- if (ri->auth_str || ri->key_chain)
- {
- if (IS_RIP_DEBUG_EVENT)
- zlog_debug
- ("RIPv2 authentication failed: no authentication in packet");
- rip_peer_bad_packet (&from);
- return -1;
- }
- }
- }
+ switch (ntohs(packet->rte->tag))
+ {
+ case RIP_AUTH_SIMPLE_PASSWORD:
+ auth_desc = "simple";
+ ret = rip_auth_simple_password (packet->rte, &from, ifp);
+ break;
+
+ case RIP_AUTH_MD5:
+ auth_desc = "MD5";
+ ret = rip_auth_md5 (packet, &from, len, ifp);
+ /* Reset RIP packet length to trim MD5 data. */
+ len = ret;
+ break;
+
+ default:
+ ret = 0;
+ auth_desc = "unknown type";
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug ("RIPv2 Unknown authentication type %d",
+ ntohs (packet->rte->tag));
+ }
+
+ if (ret)
+ {
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug ("RIPv2 %s authentication success", auth_desc);
+ }
+ else
+ {
+ if (IS_RIP_DEBUG_PACKET)
+ zlog_debug ("RIPv2 %s authentication failure", auth_desc);
+ rip_peer_bad_packet (&from);
+ return -1;
+ }
}
/* Process each command. */