[OSPF3 IPv6] error "wrong authentication length" between Proxmox 8 (Debian 12) (bird2 2.13.1) and MikroTik RouterOS 7.11 (stable)

Chriztoffer (bird-users) netravnen+birdfxyq8 at gmail.com
Sun Aug 20 20:07:16 CEST 2023


Hello bird-users list,

I am seeking input on whether anyone can provide suggestions on how to
debug the error message described below.

Cheers, Chriztoffer

**********************************************************

The two Proxmox nodes are running bird2 2.13.1 (compiled using apkg)
and are connected to a MikroTik Router running RouterOS 7.11 directly
on the same L2 domain. All three nodes can talk directly to each other
on the same L2 domain.

When trying to establish the OSPFv3 IPv6 connections between the three
nodes, the connection from the two Proxmox nodes to the MikroTik
Router fails with error "wrong authentication length" when logged by
bird2.

The OSPFv2 (IPv4) connection succeeds between all three nodes.

OSPFv2 and OSPFv3 are set up with the same auth type (hmac sha512;
cryptographic) and auth-id (0).

Looking at the bird2 source code [0] did not really give me any clue
to what the error is.

[0]: https://gitlab.nic.cz/labs/bird/-/blob/master/proto/ospf/packet.c#L219

From looking at the PCAP I do indeed see the auth-data is not of the
same length.

## MikroTik (MAC OUI 4c:5e:0c)

OSPF Authentication Trailer
     Authentication Type: HMAC Cryptographic Authentication (1)
     Authentication Data Length: **64**
     Reserved: 0x0000
     Security Association Identifier (SA ID): 0x0000
     Cryptographic Sequence Number: 71479
     Authentication Data:
021d5635eac7b92d28bfad6507bcda7702a5f1e323197be18d42d436dcae998f5ae462da…

## Bird 2.13.1 (MAC OUI 70:54:d2)

OSPF Authentication Trailer
     Authentication Type: HMAC Cryptographic Authentication (1)
     Authentication Data Length: **80**
     Reserved: 0x0000
     Security Association Identifier (SA ID): 0x0000
     Cryptographic Sequence Number: 405
     Authentication Data:
95c0ecfcd54a50e0da70acbf242181d3f45fce7dd1d8b6ccdb783d96c319c49e0cb77e5e…

In this instance, I assume the error is located with MikroTik RouterOS
7.11 (stable), but I still want to solicit feedback via the
bird-users list regardless.

**********************************************************

# ASCII L2 Diagram

MikroTik -- Proxmox-2
      |             /
      |           /
    Proxmox-1

# ASCII L1 Diagram

MikroTik -- Proxmox-2
      |
      |
Proxmox-1

**********************************************************

# Proxmox 8 node 1

2023-08-19 19:47:15.579Z <AUTH> ospf3_main: Authentication failed for
nbr {{MikroTik}} on vmbr0 - wrong authentication length (64)

# Proxmox 8 node 2

2023-08-19 19:46:55.581Z <AUTH> ospf3_main: Authentication failed for
nbr {{MikroTik}} on vmbr0 - wrong authentication length (64)

# MikroTik

{ version: 3 router-id: {{MikroTik}} } ospf3-backbone { 0.0.0.0 }
interface { broadcast fe80::4e5e:cff:fexx:xxxx%bridge1 } corrupted
auth trailer from fe80::7254:d2ff:fexx:xxxx%bridge1

**********************************************************

# MikroTik RouterOS 7.11 (stable) OSPFv6 IPv6 configuration

/routing ospf instance
add disabled=no in-filter-chain=v6private name=ospf3-main \
     originate-default=if-installed out-filter-chain=ospf3-out redistribute=\
     connected,static,dhcp router-id=loopback routing-table=main version=3

/routing ospf area
add disabled=no instance=ospf3-main name=ospf3-backbone

/routing ospf interface-template
add area=ospf3-backbone auth=sha512 \
     auth-id=0 auth-key=Zzma9IOrDa7pg9iJwi439nfIZ59oQsXeZBdNb-Upj631GG8 \
     dead-interval=20s disabled=no \
     hello-interval=5s interfaces=bridge1 retransmit-interval=2s

**********************************************************

# Bird 2.13.1 OSPFv6 (IPv6) configuration on Proxmox 8.x (Debian 12)

protocol ospf v3 ospf3_main {
   graceful restart on;
   graceful restart time 300;
   ipv6 {
     import all;
     export filter {
       if is_self_network_6() && source ~ [RTS_STATIC] then accept;
       else reject;
     };
   };
   area 0 {
     interface "vmbr0" {
       type broadcast;
       hello 5; retransmit 2; wait 10; dead 20;
       authentication cryptographic;
       password "Zzma9IOrDa7pg9iJwi439nfIZ59oQsXeZBdNb-Upj631GG8" {
         id 0;
         algorithm hmac sha512;
       };
       check link on;
     };
     interface "lo" {
       check link no;
       strict nonbroadcast yes;
       type pointopoint;
     };
     interface "*" {
       stub;
     };
   };
}

**********************************************************

# PCAP

https://drive.google.com/file/d/1wDimK0WppM6JvIJIEeEMmFfvllGjj54Q/view?usp=sharing
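
The two Authentication Data Length values in the capture excerpts (64 and 80) can be compared with RFC 7166, which defines that field as the length of the whole Authentication Trailer: the 16-octet fixed header plus the digest. The Python check below is an added example, not part of the original post and not BIRD or RouterOS code; the function names, the algorithm labels and the zero-filled sample trailers are constructed for illustration.

```python
import struct

# Fixed part of the OSPFv3 Authentication Trailer (RFC 7166):
# type(2) length(2) reserved(2) SA ID(2) cryptographic sequence number(8)
AT_HEADER = struct.Struct("!HHHHQ")
HMAC_CRYPTO_AUTH = 1
# Digest sizes in octets; the keys are labels used by this example only.
DIGEST_LEN = {"hmac sha1": 20, "hmac sha256": 32,
              "hmac sha384": 48, "hmac sha512": 64}


def check_trailer(trailer: bytes, algorithm: str) -> dict:
    """Parse a trailer and compare its length field with the RFC 7166 value."""
    if len(trailer) < AT_HEADER.size:
        raise ValueError("trailer shorter than the 16-octet fixed header")
    auth_type, length, _reserved, sa_id, seq = AT_HEADER.unpack_from(trailer)
    if auth_type != HMAC_CRYPTO_AUTH:
        raise ValueError(f"unexpected authentication type {auth_type}")
    digest_len = DIGEST_LEN[algorithm]
    expected = AT_HEADER.size + digest_len  # header + digest
    if length == expected:
        verdict = "ok"
    elif length == digest_len:
        verdict = "length field counts the digest only"
    else:
        verdict = "length matches neither convention"
    return {"sa_id": sa_id, "seq": seq, "length": length,
            "expected": expected,
            "digest_bytes_present": len(trailer) - AT_HEADER.size,
            "verdict": verdict}


def build(length_field: int, seq: int) -> bytes:
    """Constructed sample: zero-filled 64-octet digest, not capture data."""
    return AT_HEADER.pack(HMAC_CRYPTO_AUTH, length_field, 0, 0, seq) + bytes(64)


if __name__ == "__main__":
    for name, sample in (("length field 64", build(64, 71479)),
                         ("length field 80", build(80, 405))):
        print(name, check_trailer(sample, "hmac sha512"))
```

To run it against real traffic, pass the raw trailer bytes exported from the capture in place of the constructed samples.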
