Re: [OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)

2023-10-17 Thread netravnen+birdlist



On 21/08/2023 4.41 am, Ondrej Zajicek wrote:
> This seems like a straightforward bug in Mikrotik:

Finally got around to reporting the issue to Mikrotik last week. Saw the
bugfix shipped with the latest RC[0] that came out today.

What's new in 7.12rc2 (2023-Oct-16):

*) ospf - fixed OSPFv3 authentication header length calculation;

Now OSPFv3 with SHA-512 Authentication works. :D

/routing/ospf/neighbor/print proplist=instance,adjacency,address,state\
where instance=ospf3-main

 5  D instance=ospf3-main adjacency=12m10s\
  address=fe80::7254:d2ff:feXX:%bridge1 state="Full"

 6  D instance=ospf3-main adjacency=11m50s\
  address=fe80::7254:d2ff:feXX:%bridge1 state="Full"

[0]: https://mikrotik.com/download/changelogs/testing-release-tree


Re: [OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)

2023-08-20 Thread Ondrej Zajicek
On Sun, Aug 20, 2023 at 08:07:16PM +0200, Chriztoffer (bird-users) wrote:
> Hello bird-users list,
> 
> I am seeking input on whether anyone can provide suggestions on how to
> debug the error message described below.
> 
> Cheers, Chriztoffer
> 
> When trying to establish the OSPFv3 IPv6 connections between the three
> nodes, the connection from the two Proxmox nodes to the MikroTik
> Router fails with the error "wrong authentication length" as logged by
> bird2.

Hello

Thanks for the bug report and debugging. This seems like a straightforward
bug in Mikrotik:

RFC 7166 4.1:

 Auth Data Len

  This is the length in octets of the Authentication Trailer (AT),
  including both the 16-octet fixed header and the variable-length
  message digest.

For HMAC SHA-512, variable length is 512/8 = 64, so auth data length
should be 16+64 = 80. Seems like the Mikrotik omits the length of fixed
header in the field, so they just put 64 there.


> From looking at the PCAP I do indeed see the auth-data is not of the
> same length.
> 
> ## MikroTik (MAC OUI 4c:5e:0c)
> 
> OSPF Authentication Trailer
> Authentication Type: HMAC Cryptographic Authentication (1)
> Authentication Data Length: **64**
> Reserved: 0x
> Security Association Identifier (SA ID): 0x
> Cryptographic Sequence Number: 71479
> Authentication Data:
> 021d5635eac7b92d28bfad6507bcda7702a5f1e323197be18d42d436dcae998f5ae462da…
> 
> ## Bird 2.13.1 (MAC OUI 70:54:d2)
> 
> OSPF Authentication Trailer
> Authentication Type: HMAC Cryptographic Authentication (1)
> Authentication Data Length: **80**
> Reserved: 0x
> Security Association Identifier (SA ID): 0x
> Cryptographic Sequence Number: 405
> Authentication Data:
> 95c0ecfcd54a50e0da70acbf242181d3f45fce7dd1d8b6ccdb783d96c319c49e0cb77e5e…

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
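As an added illustration of the point Ondrej makes above (example code written for this page, not code from bird, RouterOS or the thread): a small Python parser for the RFC 7166 Authentication Trailer that applies the Auth Data Len check a receiver must perform, and reports the 64-vs-80 discrepancy visible in the quoted PCAP. The sample trailers are constructed from the field values in the Wireshark output; the digest bytes are a zero placeholder, not a real HMAC.

```python
import hashlib
import struct
from collections import namedtuple

# RFC 7166 section 4.1: the Authentication Trailer is a 16-octet fixed header
# (Auth Type, Auth Data Len, Reserved, SA ID, 64-bit Cryptographic Sequence
# Number) followed by the variable-length message digest.
AT_HEADER = struct.Struct("!HHHHQ")
AT_FIXED_HEADER_LEN = AT_HEADER.size  # 16
AUTH_TYPE_HMAC = 1  # "HMAC Cryptographic Authentication" in the PCAP above

# Digest sizes in octets for the HMAC algorithms bird accepts for OSPFv3.
DIGEST_LEN = {
    "hmac sha1": hashlib.sha1().digest_size,      # 20
    "hmac sha256": hashlib.sha256().digest_size,  # 32
    "hmac sha384": hashlib.sha384().digest_size,  # 48
    "hmac sha512": hashlib.sha512().digest_size,  # 64
}

AuthTrailer = namedtuple("AuthTrailer", "auth_type auth_data_len sa_id seq_num auth_data")


def parse_auth_trailer(trailer: bytes) -> AuthTrailer:
    """Split raw AT bytes into the fixed header fields and the trailing digest."""
    if len(trailer) < AT_FIXED_HEADER_LEN:
        raise ValueError("authentication trailer shorter than its 16-octet header")
    auth_type, data_len, _reserved, sa_id, seq = AT_HEADER.unpack_from(trailer)
    return AuthTrailer(auth_type, data_len, sa_id, seq, trailer[AT_FIXED_HEADER_LEN:])


def check_auth_length(at: AuthTrailer, algorithm: str) -> str:
    """Validate Auth Data Len against the configured algorithm; 'ok' or a diagnostic."""
    if at.auth_type != AUTH_TYPE_HMAC:
        return f"unsupported authentication type ({at.auth_type})"
    digest_len = DIGEST_LEN[algorithm]
    expected = AT_FIXED_HEADER_LEN + digest_len  # 16 + 64 = 80 for HMAC-SHA-512
    if at.auth_data_len == expected and len(at.auth_data) == digest_len:
        return "ok"
    if at.auth_data_len == digest_len:  # the RouterOS 7.11 symptom: digest only
        return (f"wrong authentication length ({at.auth_data_len}): "
                f"16-octet fixed header not counted, expected {expected}")
    return f"wrong authentication length ({at.auth_data_len}), expected {expected}"


def build_trailer(auth_data_len: int, seq: int, digest: bytes) -> bytes:
    """Constructed sample AT; Reserved and SA ID are zero as in the thread's PCAP."""
    return AT_HEADER.pack(AUTH_TYPE_HMAC, auth_data_len, 0, 0, seq) + digest


# Constructed samples: lengths and sequence numbers follow the quoted Wireshark output.
MIKROTIK_TRAILER = build_trailer(64, 71479, bytes(64))  # RouterOS 7.11 behaviour
BIRD_TRAILER = build_trailer(80, 405, bytes(64))        # correct per RFC 7166
```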



[OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)

2023-08-20 Thread Chriztoffer (bird-users)

Hello bird-users list,

I am seeking input on whether anyone can provide suggestions on how to
debug the error message described below.

Cheers, Chriztoffer

**

The two Proxmox nodes are running bird2 2.13.1 (compiled using apkg)
and are connected to a MikroTik router running RouterOS 7.11 directly
on the same L2 domain. All three nodes can talk directly to each other
on the same L2 domain.

When trying to establish the OSPFv3 IPv6 connections between the three
nodes, the connection from the two Proxmox nodes to the MikroTik
Router fails with the error "wrong authentication length" as logged by
bird2.

The OSPFv2 (IPv4) connection succeeds between all three nodes.

OSPFv2 and OSPFv3 are set up with the same auth type (hmac sha512;
cryptographic) and auth-id (0).

Looking at the bird2 source code [0] did not really give me any clue
to what the error is.

[0]: https://gitlab.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L219

From looking at the PCAP I do indeed see the auth-data is not of the
same length.

## MikroTik (MAC OUI 4c:5e:0c)

OSPF Authentication Trailer
Authentication Type: HMAC Cryptographic Authentication (1)
Authentication Data Length: **64**
Reserved: 0x
Security Association Identifier (SA ID): 0x
Cryptographic Sequence Number: 71479
Authentication Data:
021d5635eac7b92d28bfad6507bcda7702a5f1e323197be18d42d436dcae998f5ae462da…

## Bird 2.13.1 (MAC OUI 70:54:d2)

OSPF Authentication Trailer
Authentication Type: HMAC Cryptographic Authentication (1)
Authentication Data Length: **80**
Reserved: 0x
Security Association Identifier (SA ID): 0x
Cryptographic Sequence Number: 405
Authentication Data:
95c0ecfcd54a50e0da70acbf242181d3f45fce7dd1d8b6ccdb783d96c319c49e0cb77e5e…

In this instance, I assume the error is located with MikroTik RouterOS
7.11 (stable), but I still want to solicit feedback via the
bird-users list regardless.

**

# ASCII L2 Diagram

MikroTik -- Proxmox-2
   |        /
   |      /
Proxmox-1

# ASCII L1 Diagram

MikroTik -- Proxmox-2
   |
   |
Proxmox-1

**

# Proxmox 8 node 1

2023-08-19 19:47:15.579Z  ospf3_main: Authentication failed for
nbr {{MikroTik}} on vmbr0 - wrong authentication length (64)

# Proxmox 8 node 2

2023-08-19 19:46:55.581Z  ospf3_main: Authentication failed for
nbr {{MikroTik}} on vmbr0 - wrong authentication length (64)

# MikroTik

{ version: 3 router-id: {{MikroTik}} } ospf3-backbone { 0.0.0.0 }
interface { broadcast fe80::4e5e:cff:fexx:%bridge1 } corrupted
auth trailer from fe80::7254:d2ff:fexx:%bridge1

**

# MikroTik RouterOS 7.11 (stable) OSPFv6 IPv6 configuration

/routing ospf instance
add disabled=no in-filter-chain=v6private name=ospf3-main \
    originate-default=if-installed out-filter-chain=ospf3-out \
    redistribute=connected,static,dhcp router-id=loopback \
    routing-table=main version=3

/routing ospf area
add disabled=no instance=ospf3-main name=ospf3-backbone

/routing ospf interface-template
add area=ospf3-backbone auth=sha512 \
auth-id=0 auth-key=Zzma9IOrDa7pg9iJwi439nfIZ59oQsXeZBdNb-Upj631GG8 \
dead-interval=20s disabled=no \
hello-interval=5s interfaces=bridge1 retransmit-interval=2s

**

# Bird 2.13.1 OSPFv6 (IPv6) configuration on Proxmox 8.x (Debian 12)

protocol ospf v3 ospf3_main {
  graceful restart on;
  graceful restart time 300;
  ipv6 {
    import all;
    export filter {
      if is_self_network_6() && source ~ [RTS_STATIC] then accept;
      else reject;
    };
  };
  area 0 {
    interface "vmbr0" {
      type broadcast;
      hello 5; retransmit 2; wait 10; dead 20;
      authentication cryptographic;
      password "Zzma9IOrDa7pg9iJwi439nfIZ59oQsXeZBdNb-Upj631GG8" {
        id 0;
        algorithm hmac sha512;
      };
      check link on;
    };
    interface "lo" {
      check link no;
      strict nonbroadcast yes;
      type pointopoint;
    };
    interface "*" {
      stub;
    };
  };
}

**

# PCAP

https://drive.google.com/file/d/1wDimK0WppM6JvIJIEeEMmFfvllGjj54Q/view?usp=sharing