[OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)
Ondrej Zajicek
santiago at crfreenet.org
Mon Aug 21 04:41:10 CEST 2023
On Sun, Aug 20, 2023 at 08:07:16PM +0200, Chriztoffer (bird-users) wrote:
> Hello bird-users list,
>
> I am seeking input into if anyone can provide suggestions on how to
> debug the below described error message.
>
> Cheers, Chriztoffer
>
> When trying to establish the OSPFv3 IPv6 connections between the three
> nodes, the connection from the two Proxmox nodes to the MikroTik
> Router fails with error "wrong authentication length" when logged by
> bird2.

Hello

Thanks for the bug report and debugging. This seems like a straightforward
bug in Mikrotik:

RFC 7166 4.1:

   Auth Data Len
      This is the length in octets of the Authentication Trailer (AT),
      including both the 16-octet fixed header and the variable-length
      message digest.

For HMAC SHA-512, variable length is 512/8 = 64, so auth data length
should be 16+64 = 80. Seems like the Mikrotik omits the length of fixed
header in the field, so they just put 64 there.

> From looking at the PCAP I do indeed see the auth-data is not of the
> same length.
>
> ## MikroTik (MAC OUI 4c:5e:0c)
>
> OSPF Authentication Trailer
> Authentication Type: HMAC Cryptographic Authentication (1)
> Authentication Data Length: **64**
> Reserved: 0x0000
> Security Association Identifier (SA ID): 0x0000
> Cryptographic Sequence Number: 71479
> Authentication Data:
> 021d5635eac7b92d28bfad6507bcda7702a5f1e323197be18d42d436dcae998f5ae462da…
>
> ## Bird 2.13.1 (MAC OUI 70:54:d2)
>
> OSPF Authentication Trailer
> Authentication Type: HMAC Cryptographic Authentication (1)
> Authentication Data Length: **80**
> Reserved: 0x0000
> Security Association Identifier (SA ID): 0x0000
> Cryptographic Sequence Number: 405
> Authentication Data:
> 95c0ecfcd54a50e0da70acbf242181d3f45fce7dd1d8b6ccdb783d96c319c49e0cb77e5e…
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
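
Added example, not part of the original message and not BIRD's own code: a Python check of the RFC 7166 Auth Data Len rule quoted above, run against two constructed trailers that carry the field values seen in the capture (80 and 64) with placeholder digests. The function names, constants and reason strings are assumptions made for illustration.

```python
import struct

AT_HEADER_LEN = 16          # fixed part of the RFC 7166 Authentication Trailer
AUTH_TYPE_HMAC = 1          # "HMAC Cryptographic Authentication (1)" in the capture
HMAC_SHA512_LEN = 512 // 8  # 64-octet digest

def build_trailer(auth_data_len, seq, digest, sa_id=0):
    """Constructed sample: type, length, reserved, SA ID, 64-bit sequence, digest."""
    header = struct.pack("!HHHHQ", AUTH_TYPE_HMAC, auth_data_len, 0, sa_id, seq)
    return header + digest

def check_trailer(trailer, digest_len=HMAC_SHA512_LEN):
    """Return (ok, reason) after applying the Auth Data Len rule to one trailer."""
    if len(trailer) < AT_HEADER_LEN:
        return False, "trailer shorter than fixed header"
    auth_type, declared, _rsvd, _sa_id, _seq = struct.unpack_from("!HHHHQ", trailer)
    if auth_type != AUTH_TYPE_HMAC:
        return False, "unsupported authentication type"
    expected = AT_HEADER_LEN + digest_len   # 16 + 64 = 80 for HMAC SHA-512
    if declared == digest_len:
        # The field counts only the digest: the case described in the reply.
        return False, "length counts digest only, fixed header omitted"
    if declared != expected:
        return False, "wrong authentication length"
    if len(trailer) < declared:
        return False, "trailer truncated"
    return True, "ok"

# Constructed inputs: all-zero placeholder digest, not a real HMAC.
PLACEHOLDER_DIGEST = bytes(HMAC_SHA512_LEN)
SAMPLES = {
    "field=80": build_trailer(80, 405, PLACEHOLDER_DIGEST),
    "field=64": build_trailer(64, 71479, PLACEHOLDER_DIGEST),
}

if __name__ == "__main__":
    for name, trailer in SAMPLES.items():
        print(name, check_trailer(trailer))
```
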