ospf: Add RFC 5613 support (Link Local Signaling)

This commit introduces LLS data block appended to OSPF Hello and DbDesc
packets. The current code is shared between OSPFv2 and OSPFv3.

- About authentication:
For OSPFv{2,3}, if the authentication is disabled, the LLS
data block checksum is verified.

For OSPFv2, when the authentication is enabled, the CA-TLV digest is
verified.

For OSPFv3, when the authentication is enabled, there is nothing to do
as the LLS data block is included in the authentication digest. This
behavior is documented in RFC 7166 Section 2.

- About enabling LLS data blocks through YANG:
LLS data blocks are enabled per interface. That enables generating LLS
data block for Hello and DbDesc messages orginated for a that specific
interface. If some LLS data is specified through OSPF configuration, the
L-bit is enabled in the packet options.

This feature also enables examining LLS data block for received messages
if the option is enabled and the L-bit flag is present in the message
options.

Currently, the operation detailed above are mainly placeholders for future
behavior since RFC 5613 does not mention how to configure the TLVs it
specifies.

- About the presence of EO TLV in LlsDbDescData:
RFC 4811 Section 2.1 specifies that EO TLV may be included in DbDesc
packets.

Signed-off-by: Nicolas Rybowski <[email protected]>
---
v0 -> v1: Fixed nits mentioned in Renato's review at
  holo-routing#77

Author: nrybowski

README.md

@@ -194,6 +194,7 @@ Holo supports the following Internet Standards:
 * RFC 5243 - OSPF Database Exchange Summary List Optimization
 * RFC 5250 - The OSPF Opaque LSA Option
 * RFC 5340 - OSPF for IPv6
+* RFC 5613 - OSPF Link-Local Signaling
 * RFC 5642 - Dynamic Hostname Exchange Mechanism for OSPF
 * RFC 5709 - OSPFv2 HMAC-SHA Cryptographic Authentication
 * RFC 5838 - Support of Address Families in OSPFv3

holo-ospf/src/area.rs

@@ -85,7 +85,11 @@ pub struct Range {
 // Represents the possible locations of the OSPF Options field.
 #[derive(Clone, Copy, Debug, Eq, new, PartialEq)]
 pub enum OptionsLocation {
-    Packet { pkt_type: PacketType, auth: bool },
+    Packet {
+        pkt_type: PacketType,
+        auth: bool,
+        lls: bool,
+    },
     Lsa,
 }
 

holo-ospf/src/events.rs

@@ -378,6 +378,14 @@ where
         nbr.bdr = hello.bdr();
     }
 
+    // Examine LLS data block if enabled and present in the packet.
+    if iface.config.lls_enabled
+        && hello.options().l_bit()
+        && let Some(_lls) = hello.lls()
+    {
+        // TODO: Handle LLS data
+    }
+
     Ok(())
 }
 
@@ -642,6 +650,14 @@ where
         }
     }
 
+    // Examine LLS data block if enabled and present the packet.
+    if iface.config.lls_enabled
+        && dbdesc.options().l_bit()
+        && let Some(_lls) = dbdesc.lls()
+    {
+        // TODO: Handle LLS data
+    }
+
     // Save last received Database Description packet.
     nbr.last_rcvd_dbdesc = Some(LastDbDesc {
         options: dbdesc.options(),

holo-ospf/src/northbound/configuration.rs

@@ -197,6 +197,7 @@ pub struct InterfaceCfg<V: Version> {
     pub bfd_enabled: bool,
     pub bfd_params: bfd::ClientCfg,
     pub trace_opts: InterfaceTraceOptions,
+    pub lls_enabled: bool,
 }
 
 #[derive(Debug)]
@@ -854,6 +855,14 @@ where
             let transmit_delay = args.dnode.get_u16();
             iface.config.transmit_delay = transmit_delay;
         })
+        .path(ospf::areas::area::interfaces::interface::lls::PATH)
+        .modify_apply(|instance, args| {
+            let (_area_idx, iface_idx) = args.list_entry.into_interface().unwrap();
+            let iface = &mut instance.arenas.interfaces[iface_idx];
+
+            let enabled = args.dnode.get_bool();
+            iface.config.lls_enabled = enabled;
+        })
         .path(ospf::areas::area::interfaces::interface::enabled::PATH)
         .modify_apply(|instance, args| {
             let (area_idx, iface_idx) =
@@ -2116,6 +2125,7 @@ where
             ospf::areas::area::interfaces::interface::mtu_ignore::DFLT;
         let bfd_enabled =
             ospf::areas::area::interfaces::interface::bfd::enabled::DFLT;
+        let lls_enabled = ospf::areas::area::interfaces::interface::lls::DFLT;
 
         InterfaceCfg {
             instance_id: InheritableConfig::new(instance_id),
@@ -2137,6 +2147,7 @@ where
             bfd_enabled,
             bfd_params: Default::default(),
             trace_opts: Default::default(),
+            lls_enabled,
         }
     }
 }

holo-ospf/src/ospfv2/area.rs

@@ -42,6 +42,10 @@ impl AreaVersion<Self> for Ospfv2 {
             options.insert(Options::O);
         }
 
+        if let OptionsLocation::Packet { lls: true, .. } = location {
+            options.insert(Options::L);
+        }
+
         options
     }
 }

holo-ospf/src/ospfv2/interface.rs

@@ -55,6 +55,13 @@ impl InterfaceVersion<Self> for Ospfv2 {
             auth_seqno: None,
         };
 
+        let lls = if iface.config.lls_enabled {
+            // TODO: Get LLS configuration
+            None
+        } else {
+            None
+        };
+
         Packet::Hello(Hello {
             hdr,
             network_mask: iface.system.primary_addr.unwrap().mask(),
@@ -64,13 +71,15 @@ impl InterfaceVersion<Self> for Ospfv2 {
                 OptionsLocation::new_packet(
                     PacketType::Hello,
                     iface.state.auth.is_some(),
+                    lls.is_some(),
                 ),
             ),
             priority: iface.config.priority,
             dead_interval: iface.config.dead_interval as u32,
             dr: iface.state.dr,
             bdr: iface.state.bdr,
             neighbors: iface.state.neighbors.router_ids().collect(),
+            lls,
         })
     }
 

holo-ospf/src/ospfv2/packet/lls.rs

@@ -0,0 +1,267 @@
+//
+// Copyright (c) The Holo Core Contributors
+//
+// SPDX-License-Identifier: MIT
+//
+
+use std::sync::atomic::Ordering;
+
+use bytes::{Buf, BufMut, Bytes, BytesMut};
+use derive_new::new;
+use num_traits::FromPrimitive;
+use serde::{Deserialize, Serialize};
+
+use super::{PacketHdrAuth, validate_digest};
+use crate::packet::auth::{self, AuthDecodeCtx, AuthEncodeCtx};
+use crate::packet::error::{DecodeError, DecodeResult};
+use crate::packet::lls::{
+    ExtendedOptionsFlagsTlv, LLS_HDR_SIZE, LlsDbDescData, LlsHelloData,
+    LlsTlvType, LlsVersion, lls_encode_end, lls_encode_start,
+};
+use crate::packet::tlv::{
+    UnknownTlv, tlv_encode_end, tlv_encode_start, tlv_wire_len,
+};
+use crate::packet::{OptionsVersion, PacketVersion};
+use crate::version::Ospfv2;
+
+#[derive(Clone, Debug, Eq, PartialEq, Default)]
+pub struct LlsDataBlock {
+    pub eof: Option<ExtendedOptionsFlagsTlv>,
+    pub unknown_tlvs: Vec<UnknownTlv>,
+}
+
+impl From<LlsHelloData> for LlsDataBlock {
+    fn from(value: LlsHelloData) -> Self {
+        let mut lls = LlsDataBlock::default();
+        lls.eof = value.eof.map(ExtendedOptionsFlagsTlv);
+        lls
+    }
+}
+
+impl From<LlsDataBlock> for LlsHelloData {
+    fn from(value: LlsDataBlock) -> Self {
+        LlsHelloData {
+            eof: value.eof.map(|tlv| tlv.0),
+        }
+    }
+}
+
+impl From<LlsDbDescData> for LlsDataBlock {
+    fn from(value: LlsDbDescData) -> Self {
+        let mut lls = LlsDataBlock::default();
+        lls.eof = value.eof.map(ExtendedOptionsFlagsTlv);
+        lls
+    }
+}
+
+impl From<LlsDataBlock> for LlsDbDescData {
+    fn from(value: LlsDataBlock) -> Self {
+        LlsDbDescData {
+            eof: value.eof.map(|tlv| tlv.0),
+        }
+    }
+}
+
+// RFC 5613 : LLS Cryptographic Authentication TLV
+//
+//   0                   1                   2                   3
+//   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+//   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//   |              2                |         AuthLen               |
+//   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//   |                         Sequence Number                       |
+//   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//   |                                                               |
+//   .                                                               .
+//   .                           AuthData                            .
+//   .                                                               .
+//   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+//
+#[derive(Clone, Debug, Eq, PartialEq, new)]
+#[derive(Serialize, Deserialize)]
+pub struct CryptoAuthTlv {
+    pub seqno: u32,
+    #[new(default)]
+    pub auth_data: Bytes,
+}
+
+impl CryptoAuthTlv {
+    pub(crate) fn encode(
+        &self,
+        buf: &mut BytesMut,
+        lls_start_pos: usize,
+        auth: &AuthEncodeCtx<'_>,
+    ) {
+        let start_pos = tlv_encode_start(buf, LlsTlvType::CryptoAuth);
+        buf.put_u32(self.seqno);
+        let digest = auth::message_digest(
+            &buf[lls_start_pos..],
+            auth.key.algo,
+            &auth.key.string,
+            None,
+            None,
+        );
+        buf.put_slice(&digest);
+        tlv_encode_end(buf, start_pos);
+    }
+
+    pub(crate) fn decode(tlv_len: u16, buf: &mut Bytes) -> DecodeResult<Self> {
+        if tlv_len < 4 || buf.remaining() < tlv_len as usize {
+            return Err(DecodeError::InvalidTlvLength(tlv_len));
+        }
+        let seqno = buf.try_get_u32()?;
+        let auth_data_len = tlv_len - 4;
+        let auth_data = buf.slice(..auth_data_len as usize);
+
+        Ok(CryptoAuthTlv { seqno, auth_data })
+    }
+}
+
+impl LlsVersion<Self> for Ospfv2 {
+    type LlsDataBlock = LlsDataBlock;
+
+    fn encode_lls_block(
+        buf: &mut BytesMut,
+        lls: LlsDataBlock,
+        auth: Option<&AuthEncodeCtx<'_>>,
+    ) {
+        let start_pos = lls_encode_start(buf);
+
+        if let Some(eof) = lls.eof {
+            eof.encode(buf);
+        }
+
+        // RFC 5613 : "The CA-TLV MUST NOT appear more than once in the LLS
+        // block.  Also, when present, this TLV MUST be the last TLV in the LLS
+        // block."
+        if let Some(auth) = auth {
+            let ca = CryptoAuthTlv::new(
+                (auth.seqno.load(Ordering::Relaxed) as u32) - 1,
+            );
+            ca.encode(buf, start_pos, auth);
+        }
+        lls_encode_end::<Ospfv2>(buf, start_pos, auth.is_some());
+    }
+
+    fn decode_lls_block(
+        data: &[u8],
+        pkt_len: u16,
+        hdr_auth: PacketHdrAuth,
+        auth: Option<&AuthDecodeCtx<'_>>,
+    ) -> DecodeResult<Option<LlsDataBlock>> {
+        // Test the presence of the L-bit indicating a LLS data block.
+        if Self::packet_options(data).is_none_or(|options| !options.l_bit()) {
+            return Ok(None);
+        }
+
+        let mut buf = Bytes::copy_from_slice(&data[pkt_len as usize..]);
+
+        // Sanity check on buffer length.
+        if buf.remaining() < LLS_HDR_SIZE as usize {
+            return Err(DecodeError::InvalidLength(buf.len() as u16));
+        }
+
+        // If authentication trailer is embedded, skip it.
+        // The authentication digest has already been verified earlier, so no
+        // need for a double check here.
+        if let PacketHdrAuth::Cryptographic { auth_len, .. } = hdr_auth {
+            buf.advance(auth_len as usize);
+        } else {
+            // Validate LLS block checksum when authentication is disabled.
+            Self::verify_cksum(&buf)?;
+        };
+
+        let mut data = buf.clone();
+
+        let mut lls_block = LlsDataBlock::default();
+
+        let _cksum = buf.try_get_u16()?;
+        let lls_len = buf.try_get_u16()?;
+
+        // RFC 5613 Section 2.2: " The 16-bit LLS Data Length field contains
+        // the length (in 32-bit words) of the LLS block including the header
+        // and payload."
+        let block_len = ((lls_len * 4) - LLS_HDR_SIZE) as usize;
+
+        // Validate LLS block length
+        if block_len > buf.remaining() {
+            return Err(DecodeError::InvalidLength(block_len as u16));
+        }
+        buf = buf.slice(0..block_len);
+        data = data.slice(0..block_len + LLS_HDR_SIZE as usize);
+
+        while buf.remaining() >= LLS_HDR_SIZE as usize {
+            // Parse TLV type.
+            let tlv_type = buf.try_get_u16()?;
+            let tlv_etype = LlsTlvType::from_u16(tlv_type);
+
+            // Parse and validate TLV length.
+            let tlv_len = buf.try_get_u16()?;
+            let tlv_wlen = tlv_wire_len(tlv_len);
+            if tlv_wlen as usize > buf.remaining() {
+                return Err(DecodeError::InvalidTlvLength(tlv_len));
+            }
+
+            // Parse TLV value.
+            let mut buf_tlv = buf.copy_to_bytes(tlv_wlen as usize);
+            match tlv_etype {
+                Some(LlsTlvType::ExtendedOptionsFlags) => {
+                    let opts =
+                        ExtendedOptionsFlagsTlv::decode(tlv_len, &mut buf_tlv)?;
+                    lls_block.eof = Some(opts);
+                }
+                Some(LlsTlvType::CryptoAuth) => {
+                    let ca = CryptoAuthTlv::decode(tlv_len, &mut buf_tlv)?;
+
+                    if let PacketHdrAuth::Cryptographic {
+                        key_id,
+                        auth_len,
+                        seqno,
+                    } = hdr_auth
+                    {
+                        // RFC 5613 Section 2.5 : "The Sequence Number field
+                        // contains the cryptographic sequence number
+                        // that is used to prevent simple replay attacks.  For the
+                        // LLS block to be considered authentic, the Sequence Number
+                        // in the CA-TLV MUST match the Sequence Number in the
+                        // OSPFv2 packet header Authentication field (which MUST be
+                        // present)."
+                        if seqno != ca.seqno {
+                            return Err(DecodeError::AuthError);
+                        }
+
+                        // Skip the CA TLV digest
+                        let mut digest_data = BytesMut::from(
+                            &data[..data.len() - ca.auth_data.len()],
+                        );
+
+                        // Remove LLS block length at its unknown upon digest
+                        // encoding.
+                        digest_data[3] = 0;
+
+                        // Remove LLS CA TLV length at its unknown upon digest
+                        // encoding. Per RFC 5613, CA TLV MUST be the last in
+                        // the LLS data block.
+                        let offset = digest_data.len() - 5;
+                        digest_data[offset] = 0;
+
+                        validate_digest(
+                            key_id,
+                            auth_len,
+                            auth,
+                            &ca.auth_data,
+                            &digest_data,
+                        )?;
+                    }
+                }
+                _ => {
+                    // Save unknown TLV.
+                    lls_block
+                        .unknown_tlvs
+                        .push(UnknownTlv::new(tlv_type, tlv_len, buf_tlv));
+                }
+            }
+        }
+        Ok(Some(lls_block))
+    }
+}