BFD: Improve incoming packet matching

For active sessions, ignore received packets with zero local id and
mismatched remote id. That forces a session timeout instead of an
immediate session restart. It makes BFD sessions more resilient to
packet spoofing.

Thanks to André Grüneberg for the suggestion.

diff --git a/proto/bfd/packets.c b/proto/bfd/packets.c
index 5f10734ce3b08aa4bf7b445c35e9b9ffc1212026..cb5f0d89092942f81fd875b879e2f11c6201ad38 100644 (file)
--- a/proto/bfd/packets.c
+++ b/proto/bfd/packets.c
@@ -374,6 +374,10 @@ bfd_rx_hook(sock *sk, uint len)
     /* FIXME: better session matching and message */
     if (!s)
       return 1;
+
+    /* For active sessions we require matching remote id */
+    if ((s->loc_state == BFD_STATE_UP) && (ntohl(pkt->snd_id) != s->rem_id))
+      DROP("mismatched remote id", ntohl(pkt->snd_id));
   }
 
   /* bfd_check_authentication() has its own error logging */