isis: implement protection against replay attacks (RFC 7602)

RFC 5304 and RFC 5310 define cryptographic authentication for IS-IS
PDUs but do not protect against replay attacks of IIHs and SNPs. RFC
7602 introduces the Extended Sequence Number TLV to address this gap.

Signed-off-by: Renato Westphal <[email protected]>

Author: rwestphal

README.md

@@ -173,6 +173,7 @@ Holo supports the following Internet Standards:
 * RFC 5310 - IS-IS Generic Cryptographic Authentication
 * RFC 6232 - Purge Originator Identification TLV for IS-IS
 * RFC 6233 - IS-IS Registry Extension for Purges
+* RFC 7602 - IS-IS Extended Sequence Number TLV
 * RFC 7794 - IS-IS Prefix Attributes for Extended IPv4 and IPv6 Reachability
 * RFC 7917 - Advertising Node Administrative Tags in IS-IS
 * RFC 7981 - IS-IS Extensions for Advertising Router Information

holo-isis/src/adjacency.rs

@@ -7,7 +7,7 @@
 // See: https://nlnet.nl/NGI0
 //
 
-use std::collections::BTreeSet;
+use std::collections::{BTreeSet, HashMap};
 use std::net::{Ipv4Addr, Ipv6Addr};
 use std::time::Instant;
 
@@ -25,7 +25,9 @@ use crate::debug::Debug;
 use crate::instance::InstanceUpView;
 use crate::interface::{Interface, InterfaceType};
 use crate::northbound::notification;
+use crate::packet::consts::PduType;
 use crate::packet::subtlvs::neighbor::{AdjSidFlags, AdjSidStlv};
+use crate::packet::tlv::ExtendedSeqNum;
 use crate::packet::{AreaAddr, LanId, LevelType, SystemId};
 use crate::{sr, tasks};
 
@@ -39,6 +41,7 @@ pub struct Adjacency {
     pub state: AdjacencyState,
     pub priority: Option<u8>,
     pub lan_id: Option<LanId>,
+    pub ext_seqnum: HashMap<PduType, ExtendedSeqNum>,
     pub protocols_supported: Vec<u8>,
     pub area_addrs: BTreeSet<AreaAddr>,
     pub topologies: BTreeSet<u16>,
@@ -102,6 +105,7 @@ impl Adjacency {
             state: AdjacencyState::Down,
             priority: None,
             lan_id: None,
+            ext_seqnum: Default::default(),
             protocols_supported: Default::default(),
             area_addrs: Default::default(),
             topologies: Default::default(),

holo-isis/src/error.rs

@@ -7,13 +7,16 @@
 // See: https://nlnet.nl/NGI0
 //
 
+use holo_utils::DatabaseError;
 use holo_utils::ip::AddressFamily;
 use holo_yang::ToYang;
 use tracing::{error, warn, warn_span};
 
 use crate::collections::{AdjacencyId, InterfaceId, LspEntryId};
 use crate::network::MulticastAddr;
+use crate::packet::consts::PduType;
 use crate::packet::error::DecodeError;
+use crate::packet::tlv::ExtendedSeqNum;
 use crate::packet::{LevelNumber, SystemId};
 use crate::spf;
 
@@ -26,9 +29,8 @@ pub enum Error {
     InterfaceIdNotFound(InterfaceId),
     AdjacencyIdNotFound(AdjacencyId),
     LspEntryIdNotFound(LspEntryId),
-    // Packet input
-    PduDecodeError(String, [u8; 6], DecodeError),
-    AdjacencyReject(String, [u8; 6], AdjacencyRejectError),
+    // PDU input
+    PduInputError(String, [u8; 6], PduInputError),
     // Segment Routing
     SrCapNotFound(LevelNumber, SystemId),
     SrCapUnsupportedAf(LevelNumber, SystemId, AddressFamily),
@@ -38,6 +40,7 @@ pub enum Error {
     SpfDelayUnexpectedEvent(LevelNumber, spf::fsm::State, spf::fsm::Event),
     InterfaceStartError(String, Box<Error>),
     InstanceStartError(Box<Error>),
+    BootCountNvmUpdate(DatabaseError),
 }
 
 // IS-IS I/O errors.
@@ -51,6 +54,13 @@ pub enum IoError {
     SendError(std::io::Error),
 }
 
+#[derive(Debug)]
+pub enum PduInputError {
+    DecodeError(DecodeError),
+    AdjacencyReject(AdjacencyRejectError),
+    ExtendedSeqNumError(ExtendedSeqNumError),
+}
+
 #[derive(Debug)]
 pub enum AdjacencyRejectError {
     InvalidHelloType,
@@ -62,6 +72,12 @@ pub enum AdjacencyRejectError {
     NoCommonMt,
 }
 
+#[derive(Debug)]
+pub enum ExtendedSeqNumError {
+    MissingSeqNum(PduType),
+    InvalidSeqNum(PduType, ExtendedSeqNum),
+}
+
 // ===== impl Error =====
 
 impl Error {
@@ -79,14 +95,7 @@ impl Error {
             Error::LspEntryIdNotFound(lse_id) => {
                 warn!(?lse_id, "{}", self);
             }
-            Error::PduDecodeError(ifname, source, error) => {
-                warn_span!("interface", name = %ifname, ?source).in_scope(
-                    || {
-                        warn!(%error, "{}", self);
-                    },
-                )
-            }
-            Error::AdjacencyReject(ifname, source, error) => {
+            Error::PduInputError(ifname, source, error) => {
                 warn_span!("interface", name = %ifname, ?source).in_scope(
                     || {
                         error.log();
@@ -114,6 +123,9 @@ impl Error {
             Error::InstanceStartError(error) => {
                 error!(error = %with_source(error), "{}", self);
             }
+            Error::BootCountNvmUpdate(error) => {
+                error!(%error, "{}", self);
+            }
         }
     }
 }
@@ -131,10 +143,9 @@ impl std::fmt::Display for Error {
             Error::LspEntryIdNotFound(..) => {
                 write!(f, "LSP entry ID not found")
             }
-            Error::PduDecodeError(..) => {
+            Error::PduInputError(..) => {
                 write!(f, "failed to decode packet")
             }
-            Error::AdjacencyReject(_, _, error) => error.fmt(f),
             Error::CircuitIdAllocationFailed => {
                 write!(f, "failed to allocate Circuit ID")
             }
@@ -159,6 +170,12 @@ impl std::fmt::Display for Error {
             Error::InstanceStartError(..) => {
                 write!(f, "failed to start instance")
             }
+            Error::BootCountNvmUpdate(..) => {
+                write!(
+                    f,
+                    "failed to record updated boot count in non-volatile storage"
+                )
+            }
         }
     }
 }
@@ -243,10 +260,40 @@ impl std::error::Error for IoError {
     }
 }
 
+// ===== impl PduInputError =====
+
+impl PduInputError {
+    fn log(&self) {
+        match self {
+            PduInputError::DecodeError(error) => {
+                warn!("{}", error);
+            }
+            PduInputError::AdjacencyReject(error) => {
+                error.log();
+            }
+            PduInputError::ExtendedSeqNumError(error) => {
+                error.log();
+            }
+        }
+    }
+}
+
+impl From<AdjacencyRejectError> for PduInputError {
+    fn from(error: AdjacencyRejectError) -> PduInputError {
+        PduInputError::AdjacencyReject(error)
+    }
+}
+
+impl From<ExtendedSeqNumError> for PduInputError {
+    fn from(error: ExtendedSeqNumError) -> PduInputError {
+        PduInputError::ExtendedSeqNumError(error)
+    }
+}
+
 // ===== impl AdjacencyRejectError =====
 
 impl AdjacencyRejectError {
-    pub(crate) fn log(&self) {
+    fn log(&self) {
         match self {
             AdjacencyRejectError::MaxAreaAddrsMismatch(max_area_addrs) => {
                 warn!(%max_area_addrs, "{}", self);
@@ -288,6 +335,36 @@ impl std::fmt::Display for AdjacencyRejectError {
 
 impl std::error::Error for AdjacencyRejectError {}
 
+// ===== impl ExtendedSeqNumError =====
+
+impl ExtendedSeqNumError {
+    fn log(&self) {
+        match self {
+            ExtendedSeqNumError::MissingSeqNum(pdu_type) => {
+                warn!(?pdu_type, "{}", self);
+            }
+            ExtendedSeqNumError::InvalidSeqNum(pdu_type, ext_seqnum) => {
+                warn!(?pdu_type, ?ext_seqnum, "{}", self);
+            }
+        }
+    }
+}
+
+impl std::fmt::Display for ExtendedSeqNumError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            ExtendedSeqNumError::MissingSeqNum(..) => {
+                write!(f, "missing extended sequence number")
+            }
+            ExtendedSeqNumError::InvalidSeqNum(..) => {
+                write!(f, "invalid extended sequence number")
+            }
+        }
+    }
+}
+
+impl std::error::Error for ExtendedSeqNumError {}
+
 // ===== helper functions =====
 
 fn with_source<E: std::error::Error>(error: E) -> String {