IS-IS HMAC-MD5 Authentication Not Working
Hi all. So I've been trying to get IS-IS to talk to a Cisco IOS XE box with HMAC-MD5 authentication, with no luck. I created an MD5 hash of the clear-text password, and also tried it with the clear-text password, and neither work. Cisco says the neighbor has the wrong password. There is an example for doing this with authentication at the bottom of http://docs.frrouting.org/en/latest/isisd.html , but the actual configuration example does not say anything about authentication. Thoughts? Mark.
Mark,

On Tue, 7 Apr 2020 at 16:42, Mark Tinka <mark.tinka@seacom.mu> wrote:
> There is an example for doing this with authentication at the bottom of http://docs.frrouting.org/en/latest/isisd.html , but the actual configuration example does not say anything about authentication.

Regarding documentation... Even the current FRR documentation is in certain areas lacking (known issue). Any and all PRs for improving the existing FRR documentation are welcomed by the developers (to my knowledge of what I can remember).

/Chriztoffer
Mark-

Send over what your configuration looks like and we can take a look. Any additional context, such as your operating system, kernel version, FRR version, etc is helpful. If you feel inclined to open an issue, it's easiest for us to track this in GitHub (https://github.com/frrouting/frr/issues); there's a template for bug reports there as well.

P.S:

qlyoung@nicobar$ sudo vtysh

Hello, this is FRRouting (version 7.4-dev).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

nicobar# find mtu | include isis
...
  (isis) lsp-mtu (128-4352)$val
  (isis) no lsp-mtu [(128-4352)]

https://github.com/FRRouting/frr/pull/6183

On Tue, Apr 7, 2020 at 10:43 AM Mark Tinka <mark.tinka@seacom.mu> wrote:
> Hi all.
>
> So I've been trying to get IS-IS to talk to a Cisco IOS XE box with HMAC-MD5 authentication, with no luck.
>
> I created an MD5 hash of the clear-text password, and also tried it with the clear-text password, and neither work.
>
> Cisco says the neighbor has the wrong password.
>
> There is an example for doing this with authentication at the bottom of http://docs.frrouting.org/en/latest/isisd.html , but the actual configuration example does not say anything about authentication.
>
> Thoughts?
>
> Mark.
On 8/Apr/20 02:29, Quentin Young wrote:
> Mark-
>
> Send over what your configuration looks like and we can take a look.

router isis 1
 net 49.0006.1050.1618.6001.00
 is-type level-2-only
 domain-password md5 <hashed_md5_password>
 metric-style wide
 log-adjacency-changes
!
!
interface em0
 ip router isis 1
 ipv6 router isis 1
 no isis hello padding
 isis password md5 <hashed_md5_password>
 isis metric 6000

> Any additional context, such as your operating system, kernel version, FRR version, etc is helpful.
FRR 7.3 on 12.1-RELEASE-p3.
> qlyoung@nicobar$ sudo vtysh
>
> Hello, this is FRRouting (version 7.4-dev).
> Copyright 1996-2005 Kunihiro Ishiguro, et al.
>
> nicobar# find mtu | include isis
> ...
>   (isis) lsp-mtu (128-4352)$val
>   (isis) no lsp-mtu [(128-4352)]

So the "lsp-mtu" command is coming to 7.4?

Mark.
Mark,

On Wed, 8 Apr 2020 at 09:45, Mark Tinka <mark.tinka@seacom.mu> wrote:
> > qlyoung@nicobar$ sudo vtysh
> >
> > Hello, this is FRRouting (version 7.4-dev).
> > Copyright 1996-2005 Kunihiro Ishiguro, et al.
> >
> > nicobar# find mtu | include isis
> > ...
> >   (isis) lsp-mtu (128-4352)$val
> >   (isis) no lsp-mtu [(128-4352)]
>
> So the "lsp-mtu" command is coming to 7.4?

Based on the PR, the command is already there, but just not exposed when using tab-complete or `find mtu | include isis` to look for it. (i.e. hidden command in "version < 7.4")

https://github.com/FRRouting/frr/pull/6183/files
Chriztoffer -

The `lsp-mtu (128-4352)` command has never been 'hidden' (this connotates you can't see it in the vtysh cli if you look for it, you have to know it exists), it has always been visible, just not documented. Quentin's commit is trying to document the command in our documentation.

This command was introduced in Nov 2015:

commit b20ccb3aa94ff96e8d32e5206d8b16fa3b081908
Author: Christian Franke <nobody@nowhere.ws>
Date: Tue Nov 10 18:43:31 2015 +0100

    isisd: allow to adjust lsp-mtu

    Signed-off-by: Christian Franke <chris@opensourcerouting.org>
    Acked-by: Donald Sharp <sharpd@cumulusnetworks.com>

This command has been available in FRR since its first release:

sharpd@eva:~/frr3$ git checkout frr-2.0
Previous HEAD position was 01bb08b6d isisd: API: timers (IIH, CSNP, PSNP)
HEAD is now at 3e71b5d90 Release: FRR-2.0
sharpd@eva:~/frr3$ git grep lsp-mtu
isisd/isis_vty.c: "lsp-mtu <128-4352>",
isisd/isis_vty.c: VTY_GET_INTEGER_RANGE("lsp-mtu", lsp_mtu, argv[0], 128, 4352);
isisd/isis_vty.c: "no lsp-mtu",
isisd/isis_vty.c: "no lsp-mtu <128-4352>",
isisd/isisd.c: vty_out(vty, " lsp-mtu %u%s", area->lsp_mtu, VTY_NEWLINE);

I would like to apologize for the state of our documentation. For many years the community accepted new code without a requirement that it also be documented in our docs. This has led to a gap where there is a large number of knobs/commands that are not documented very well at all. This has changed recently in that all new cli changes (semantically, if you touch a DEFUN/DEFPY function) must also come with documentation. In addition, people have been trickling in missed cli documentation changes pretty regularly over the last year (I, like Quentin, have been hitting missed commands when I notice it from community interaction). It's a large effort that takes away from what developers see as their day job, so missed documentation has taken a small back seat to new functionality and bug fixes. Having said that, this is one of those areas where you don't need to be a `c` coder at all and we would appreciate help from anyone who uses FRR.

I think, Mark's question now, is how to get authentication working properly using isisd. I've included Christian Franke on the email since he was one of the primary authors of isisd. Hopefully he can shed some light on what is going on here?

donald

On Wed, Apr 8, 2020 at 7:07 AM Chriztoffer Hansen <ch@ntrv.dk> wrote:
> Mark,
>
> On Wed, 8 Apr 2020 at 09:45, Mark Tinka <mark.tinka@seacom.mu> wrote:
> > > qlyoung@nicobar$ sudo vtysh
> > >
> > > Hello, this is FRRouting (version 7.4-dev).
> > > Copyright 1996-2005 Kunihiro Ishiguro, et al.
> > >
> > > nicobar# find mtu | include isis
> > > ...
> > >   (isis) lsp-mtu (128-4352)$val
> > >   (isis) no lsp-mtu [(128-4352)]
> >
> > So the "lsp-mtu" command is coming to 7.4?
>
> Based on the PR, the command is already there, but just not exposed when using tab-complete or `find mtu | include isis` to look for it. (i.e. hidden command in "version < 7.4")
>
> https://github.com/FRRouting/frr/pull/6183/files
On 8/Apr/20 13:40, Donald Sharp wrote:
> Chriztoffer -
>
> The `lsp-mtu (128-4352)` command has never been 'hidden' ( this connotates you can't see it in the vtysh cli if you look for it, you have to know it exists ), it has always been visible just not documented. Quentin's commit is trying to document the command in our documentation.
>
> This command was introduced in Nov 2015:
>
> commit b20ccb3aa94ff96e8d32e5206d8b16fa3b081908
> Author: Christian Franke <nobody@nowhere.ws>
> Date: Tue Nov 10 18:43:31 2015 +0100
So when I first used "lsp-mtu", I assumed it needed to go on the physical interface. Reading your e-mail now and trying this again, I see it needs to go under "router isis" mode. That said, if I use it and remove Hello Padding, IS-IS can't start:

2020/04/08 12:04:39 ISIS: isis_send_pdu_bcast: sock_buff size 8192 is less than output pdu size 9014 on circuit em0
2020/04/08 12:04:39 ISIS: [EC 67108865] ISIS-Adj (1): Send L2 IIH on em0 failed

So looks like "lsp-mtu" doesn't actually work, per se, and disabling Hello Padding is still needed (even though I consider it best practice anyway).
> I would like to apologize for the state of our documentation. For many years the community accepted new code without a requirement that it also be documented in our docs. This has led to a gap where there is a large number of knobs/commands that are not documented very well at all. This has changed recently in that all new cli changes (semantically, if you touch a DEFUN/DEFPY function) must also come with documentation. In addition, people have been trickling in missed cli documentation changes pretty regularly over the last year (I, like Quentin, have been hitting missed commands when I notice it from community interaction). It's a large effort that takes away from what developers see as their day job, so missed documentation has taken a small back seat to new functionality and bug fixes. Having said that, this is one of those areas where you don't need to be a `c` coder at all and we would appreciate help from anyone who uses FRR.
Very happy to help where I can with documentation clean-up, as I get my arms around IS-IS in FRR.
> I think, Mark's question now, is how to get authentication working properly using isisd. I've included Christian Franke on the email since he was one of the primary authors of isisd. Hopefully he can shed some light on what is going on here?
Yes please, thanks :-). I'm kind of stuck there now. Mark.
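
Added example (not part of the thread and not FRR or Cisco code): per RFC 5304 the IS-IS HMAC-MD5 authentication TLV (type 10, authentication type 54) carries a digest keyed with the shared secret itself and computed over the whole PDU with the digest field zeroed, so a peer keyed with an MD5 hash of the password and a peer keyed with the password cannot validate each other's hellos. The PDU below is constructed (system ID and area taken from the NET posted above); the secret and all function names are assumptions, and only the hello (IIH) case is covered.

```python
import hashlib
import hmac
import struct

AUTH_TLV, HMAC_MD5 = 10, 54  # RFC 5304: TLV type 10, authentication type 54

def find_digest(pdu: bytes) -> int:
    """Offset of the 16-byte digest inside the authentication TLV."""
    off = pdu[1]  # length indicator: TLVs start right after the fixed header
    while off + 2 <= len(pdu):
        if pdu[off:off + 3] == bytes([AUTH_TLV, 17, HMAC_MD5]) and off + 19 <= len(pdu):
            return off + 3
        off += 2 + pdu[off + 1]
    raise ValueError("no HMAC-MD5 authentication TLV in PDU")

def digest(pdu: bytes, secret: bytes) -> bytes:
    """HMAC-MD5 keyed with the shared secret, over the PDU with the digest zeroed."""
    at = find_digest(pdu)
    return hmac.new(secret, pdu[:at] + bytes(16) + pdu[at + 16:], hashlib.md5).digest()

def sign(pdu: bytes, secret: bytes) -> bytes:
    """Sender side: fill the empty digest field."""
    at = find_digest(pdu)
    return pdu[:at] + digest(pdu, secret) + pdu[at + 16:]

def verify(pdu: bytes, secret: bytes) -> bool:
    """Receiver side: recompute with the local key and compare in constant time."""
    at = find_digest(pdu)
    return hmac.compare_digest(pdu[at:at + 16], digest(pdu, secret))

def sample_l2_lan_iih() -> bytes:
    """Constructed L2 LAN hello (IIH) carrying an empty authentication TLV."""
    sysid = bytes.fromhex("105016186001")            # from the NET in the thread
    tlvs = bytes([1, 4, 3, 0x49, 0x00, 0x06])        # area addresses: 49.0006
    tlvs += bytes([AUTH_TLV, 17, HMAC_MD5]) + bytes(16)
    header = bytes([0x83, 27, 1, 0, 16, 1, 0, 0])    # PDU type 16 = L2 LAN IIH
    body = bytes([2]) + sysid + struct.pack("!HH", 30, 27 + len(tlvs))
    body += bytes([64]) + sysid + b"\x01"            # priority, LAN ID
    return header + body + tlvs

SECRET = b"constructed-secret"                        # placeholder shared secret
PREHASHED = hashlib.md5(SECRET).hexdigest().encode()  # MD5 hex of it, used as key
SIGNED = sign(sample_l2_lan_iih(), SECRET)

if __name__ == "__main__":
    print("receiver keyed with the secret     :", verify(SIGNED, SECRET))
    print("receiver keyed with md5(secret) hex:", verify(SIGNED, PREHASHED))
```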