From: Claudio Jeker Subject: ospfd: explain a XXX comment a bit better To: tech@openbsd.org Date: Wed, 20 May 2026 14:38:09 +0200 If a neighbor goes down ospfd resets the crypt_seq_num. This in theory allows an attacker to issue a replay attack. This reset was done on purpose because if the other system restarted then a new sequence number is generated and that one may be lower than our crypt_seq_num. As a result the peer would not reconnect until the DEFAULT_NBR_TMOUT (24h) fired. -- :wq Claudio Index: neighbor.c =================================================================== RCS file: /cvs/src/usr.sbin/ospfd/neighbor.c,v diff -u -p -r1.51 neighbor.c --- neighbor.c 8 Mar 2023 04:43:14 -0000 1.51 +++ neighbor.c 20 May 2026 12:33:07 -0000 @@ -610,7 +610,12 @@ nbr_act_delete(struct nbr *nbr) /* stop timers */ nbr_stop_itimer(nbr); - /* XXX reset crypt_seq_num will allow replay attacks. */ + /* + * XXX reset crypt_seq_num will allow replay attacks. + * We accept this because if the remote system restarted + * the new initial crypt_seq_num may be lower and so the + * neighbor would not reconnect for DEFAULT_NBR_TMOUT. + */ nbr->crypt_seq_num = 0; /* schedule kill timer */
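Review bot: the expanded comment in nbr_act_delete() states the trade-off but leaves out its scale; the cover mail says DEFAULT_NBR_TMOUT is 24h, and putting that in the comment is what makes clear why waiting for it is unacceptable, e.g. `* neighbor would not reconnect for DEFAULT_NBR_TMOUT (24h).` The first comment line also still reads as an open `XXX` item although the lines below it now document a deliberate decision; stating which packets become replayable would help the next reader, e.g. `* XXX reset of crypt_seq_num allows replay of packets from the previous session.` so the accepted risk is spelled out next to `nbr->crypt_seq_num = 0;`.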