Re: [OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)
On 21/08/2023 4.41 am, Ondrej Zajicek wrote:
> This seems like a straightforward bug in Mikrotik:

Finally got around to reporting the issue to Mikrotik last week. Saw the bugfix shipped with the latest RC[0] that came out today.

What's new in 7.12rc2 (2023-Oct-16):

*) ospf - fixed OSPFv3 authentication header length calculation;

Now OSPFv3 with SHA-512 Authentication works. :D

/routing/ospf/neighbor/print proplist=instance,adjacency,address,state\
    where instance=ospf3-main
 5 D instance=ospf3-main adjacency=12m10s\
     address=fe80::7254:d2ff:feXX:%bridge1 state="Full"
 6 D instance=ospf3-main adjacency=11m50s\
     address=fe80::7254:d2ff:feXX:%bridge1 state="Full"

[0]: https://mikrotik.com/download/changelogs/testing-release-tree

Re: [OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)
On Sun, Aug 20, 2023 at 08:07:16PM +0200, Chriztoffer (bird-users) wrote:
> Hello bird-users list,
>
> I am seeking input into if anyone can provide suggestions on how to
> debug the below described error message.
>
> Cheers, Chriztoffer
>
> When trying to establish the OSPFv3 IPv6 connections between the three
> nodes. The connection from the two Proxmox nodes to the MikroTik
> Router fails with error "wrong authentication length" when logged by
> bird2.

Hello

Thanks for the bugreport and debugging. This seems like a straightforward bug in Mikrotik:

RFC 7166 4.1:

  Auth Data Len
    This is the length in octets of the Authentication Trailer (AT),
    including both the 16-octet fixed header and the variable-length
    message digest.

For HMAC SHA-512, variable length is 512/8 = 64, so auth data length should be 16+64 = 80. Seems like the Mikrotik omits the length of fixed header in the field, so they just put 64 there.

> From looking at the PCAP I do indeed see the auth-data is not of the
> same length.
>
> ## MikroTik (MAC OUI 4c:5e:0c)
>
> OSPF Authentication Trailer
>   Authentication Type: HMAC Cryptographic Authentication (1)
>   Authentication Data Length: **64**
>   Reserved: 0x
>   Security Association Identifier (SA ID): 0x
>   Cryptographic Sequence Number: 71479
>   Authentication Data:
>   021d5635eac7b92d28bfad6507bcda7702a5f1e323197be18d42d436dcae998f5ae462da…
>
> ## Bird 2.13.1 (MAC OUI 70:54:d2)
>
> OSPF Authentication Trailer
>   Authentication Type: HMAC Cryptographic Authentication (1)
>   Authentication Data Length: **80**
>   Reserved: 0x
>   Security Association Identifier (SA ID): 0x
>   Cryptographic Sequence Number: 405
>   Authentication Data:
>   95c0ecfcd54a50e0da70acbf242181d3f45fce7dd1d8b6ccdb783d96c319c49e0cb77e5e…

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."

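The length rule quoted from RFC 7166 4.1 in the reply above, as an added example that is not part of the thread and not BIRD's or MikroTik's code: it parses the 16-octet fixed header of an Authentication Trailer and flags a sender that put only the digest size in Auth Data Len. The function names and the zero-filled digests are assumptions made for illustration.

```python
import struct

AT_FIXED_LEN = 16  # RFC 7166 4.1: fixed header of the Authentication Trailer
# Digest sizes in octets; hmac-sha512 is 512/8 = 64 as worked out in the reply.
DIGEST_LEN = {"hmac-sha1": 20, "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
AT_HEADER = struct.Struct("!HHHHQ")  # type, auth data len, reserved, SA ID, 64-bit seq


def build_trailer(seq, digest, auth_data_len, sa_id=0, auth_type=1):
    """Hypothetical helper: pack a trailer, writing auth_data_len exactly as given."""
    return AT_HEADER.pack(auth_type, auth_data_len, 0, sa_id, seq) + digest


def check_auth_data_len(trailer, algorithm):
    """Return (ok, reason) for the Auth Data Len field of a received trailer."""
    if len(trailer) < AT_FIXED_LEN:
        return False, "trailer shorter than the 16-octet fixed header"
    _type, data_len, _reserved, _sa_id, _seq = AT_HEADER.unpack_from(trailer)
    digest_len = DIGEST_LEN[algorithm]
    expected = AT_FIXED_LEN + digest_len
    if data_len == digest_len:
        return False, f"length {data_len} omits the fixed header, expected {expected}"
    if data_len != expected:
        return False, f"wrong authentication length ({data_len}), expected {expected}"
    if len(trailer) < expected:
        return False, f"trailer truncated to {len(trailer)} of {expected} octets"
    return True, "ok"


# Constructed samples: sequence numbers are the ones in the PCAP above, the
# 64-octet digest is zero-filled because only the length field is under test.
BIRD_TRAILER = build_trailer(405, bytes(64), auth_data_len=80)
MIKROTIK_TRAILER = build_trailer(71479, bytes(64), auth_data_len=64)

if __name__ == "__main__":
    for name, raw in (("bird", BIRD_TRAILER), ("mikrotik", MIKROTIK_TRAILER)):
        print(name, check_auth_data_len(raw, "hmac-sha512"))
```
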
[OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)
Hello bird-users list,

I am seeking input into if anyone can provide suggestions on how to debug the below described error message.

Cheers, Chriztoffer

**

The two proxmox nodes are running bird2 2.13.1 (compiled using apkg) and are connected to a MikroTik Router running RouterOS 7.11 directly on the same L2 domain.

All three nodes can talk directly to each other on the same L2 domain.

When trying to establish the OSPFv3 IPv6 connections between the three nodes. The connection from the two Proxmox nodes to the MikroTik Router fails with error "wrong authentication length" when logged by bird2.

The OSPFv2 (IPv4) connection succeeds between all three nodes. OSPFv2 and OSPFv3 are set up with the same auth type (hmac sha512; cryptographic) and auth-id (0).

Looking at the bird2 source code [0] did not really give me any clue to what the error is.

[0]: https://gitlab.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L219

From looking at the PCAP I do indeed see the auth-data is not of the same length.

## MikroTik (MAC OUI 4c:5e:0c)

OSPF Authentication Trailer
  Authentication Type: HMAC Cryptographic Authentication (1)
  Authentication Data Length: **64**
  Reserved: 0x
  Security Association Identifier (SA ID): 0x
  Cryptographic Sequence Number: 71479
  Authentication Data:
  021d5635eac7b92d28bfad6507bcda7702a5f1e323197be18d42d436dcae998f5ae462da…

## Bird 2.13.1 (MAC OUI 70:54:d2)

OSPF Authentication Trailer
  Authentication Type: HMAC Cryptographic Authentication (1)
  Authentication Data Length: **80**
  Reserved: 0x
  Security Association Identifier (SA ID): 0x
  Cryptographic Sequence Number: 405
  Authentication Data:
  95c0ecfcd54a50e0da70acbf242181d3f45fce7dd1d8b6ccdb783d96c319c49e0cb77e5e…

In this instance. I assume the error is located with MikroTik RouterOS 7.11 (stable). But still wanting to solicit feedback via the bird-users list regardless.

**

# ASCII L2 Diagram

MikroTik -- Proxmox-2
   |       /
   |      /
Proxmox-1

# ASCII L1 Diagram

MikroTik -- Proxmox-2
   |
   |
Proxmox-1

**

# Proxmox 8 node 1
2023-08-19 19:47:15.579Z ospf3_main: Authentication failed for nbr {{MikroTik}} on vmbr0 - wrong authentication length (64)

# Proxmox 8 node 2
2023-08-19 19:46:55.581Z ospf3_main: Authentication failed for nbr {{MikroTik}} on vmbr0 - wrong authentication length (64)

# MikroTik
{ version: 3 router-id: {{MikroTik}} } ospf3-backbone { 0.0.0.0 } interface { broadcast fe80::4e5e:cff:fexx:%bridge1 } corrupted auth trailer from fe80::7254:d2ff:fexx:%bridge1

**

# MikroTik RouterOS 7.11 (stable) OSPFv6 IPv6 configuration

/routing ospf instance
add disabled=no in-filter-chain=v6private name=ospf3-main \
    originate-default=if-installed out-filter-chain=ospf3-out redistribute=\
    connected,static,dhcp router-id=loopback routing-table=main version=3
/routing ospf area
add disabled=no instance=ospf3-main name=ospf3-backbone
/routing ospf interface-template
add area=ospf3-backbone auth=sha512 \
    auth-id=0 auth-key=Zzma9IOrDa7pg9iJwi439nfIZ59oQsXeZBdNb-Upj631GG8 \
    dead-interval=20s disabled=no \
    hello-interval=5s interfaces=bridge1 retransmit-interval=2s

**

# Bird 2.13.1 OSPFv6 (IPv6) configuration on Proxmox 8.x (Debian 12)

protocol ospf v3 ospf3_main {
    graceful restart on;
    graceful restart time 300;
    ipv6 {
        import all;
        export filter {
            if is_self_network_6() && source ~ [RTS_STATIC] then accept;
            else reject;
        };
    };
    area 0 {
        interface "vmbr0" {
            type broadcast;
            hello 5;
            retransmit 2;
            wait 10;
            dead 20;
            authentication cryptographic;
            password "Zzma9IOrDa7pg9iJwi439nfIZ59oQsXeZBdNb-Upj631GG8" {
                id 0;
                algorithm hmac sha512;
            };
            check link on;
        };
        interface "lo" {
            check link no;
            strict nonbroadcast yes;
            type pointopoint;
        };
        interface "*" {
            stub;
        };
    };
}

**

# PCAP

https://drive.google.com/file/d/1wDimK0WppM6JvIJIEeEMmFfvllGjj54Q/view?usp=sharing