OSPF with MD5

Hi,

I have about 30 routers in my network running RouterOS 3.30 and 4.6. I’m thinking of enabling MD5 authentication. Can someone tell me if there is some risk that it will cause some overload? Today I have no authentication.

Thank you.

I read that adding MD5 (or any authentication for that matter) improves security in your network because it will prevent an intruder from getting free unfettered access to your network without having to do at least some further work - as such I implemented it in my network recently.

As I understand it, MD5 authentication does not involve encryption of each OSPF message but is effectively a logging-in handshake - therefore the load is at session initiation and not continuous.

My network is small enough that any load impact would not be an issue for the routers so I have not attempted to measure the increased load.

Someone who knows should confirm the above before you take any action based on what I have written.

Regards

Ian

All OSPF HELLO packets have this MD5 hash attached, so that your neighbour can only be someone who knows the key.

A further observation on this:

Recently an (ex-) ISP has had problems and we were getting very high packet loss intermittently at one site. The packet loss exceeded 70% at its worst but built up gradually over typically 10 minutes or so. The reason that they are now an ex-supplier is that over five days they refused to accept that there was a problem with the wholesale connection and it has now been rectified, I suspect, through the efforts of another customer.

Anyhow, as the error rate increased, first the OSPF (MD5) over PPTP (MPPE 128) link went down although PPTP stayed up. Then PPTP went down and, ultimately, the router lost IP connectivity to the internet. So it seems that OSPF is VERY much more sensitive to packet loss or related errors than the bearer PPTP link.

Sadly I do not have logs to be able to put a threshold on this observation which is entirely empirical.

Ian

It’s all about timers. OSPF by default sends hellos every 10 seconds, so it can detect link failure really fast. The default PPTP keepalive timeout is 30 seconds. All those values can be adjusted to your needs.
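To make the two technical points in this thread concrete (that the MD5 hash is carried on every OSPF packet, not negotiated once at session start, and that the Hello carries the hello/dead timers a neighbour must agree on), here is an added example of OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D, written in Python. It is not RouterOS code and not from any poster here. It builds a Hello packet, appends MD5(packet || zero-padded key) with the key ID and cryptographic sequence number in the header's authentication field, and verifies it on the receiving side, rejecting a wrong key, a tampered packet, a replayed (backwards) sequence number and mismatched timers. The router ID, area, mask and key are constructed sample values.

```python
"""OSPFv2 MD5 (AuType 2) authentication per RFC 2328 Appendix D.
Added example; not RouterOS code. All addresses and keys are made up."""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AU_TYPE_CRYPTO = 2      # AuType 2 = cryptographic (MD5) authentication
HEADER_LEN = 24
DIGEST_LEN = 16         # MD5 digest trails the packet; not counted in Length


def pad_key(key: bytes) -> bytes:
    """OSPFv2 MD5 keys are at most 16 bytes; shorter keys are zero padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPFv2 MD5 key is at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id, area_id, netmask, hello=10, dead=40, neighbors=()):
    """Unauthenticated Hello: 24-byte OSPF header + 20-byte Hello body."""
    body = struct.pack("!4sHBBI4s4s", netmask, hello, 0x02, 1, dead,
                       b"\x00" * 4, b"\x00" * 4)   # options=E, prio=1, no DR/BDR
    body += b"".join(neighbors)
    header = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO,
                         HEADER_LEN + len(body), router_id, area_id,
                         0, 0, b"\x00" * 8)        # checksum, AuType 0, auth field
    return header + body


def sign_md5(packet: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """Sender: fill in the auth fields, then append MD5(packet || padded key).
    This happens for every packet sent, hellos included."""
    hdr = bytearray(packet[:HEADER_LEN])
    struct.pack_into("!H", hdr, 12, 0)                  # checksum unused with AuType 2
    struct.pack_into("!H", hdr, 14, AU_TYPE_CRYPTO)
    struct.pack_into("!HBBI", hdr, 16, 0, key_id, DIGEST_LEN, seq)  # rsvd, key id, len, seq
    unsigned = bytes(hdr) + packet[HEADER_LEN:]
    digest = hashlib.md5(unsigned + pad_key(key)).digest()
    return unsigned + digest


def verify_md5(wire: bytes, keys: dict, last_seq: int, local_hello=10, local_dead=40):
    """Receiver: returns (ok, reason). `keys` maps key id -> key so a rollover
    can carry two keys; `last_seq` is the highest sequence seen from this
    neighbour (RFC 2328 accepts seq >= last_seq, so a replay is anything lower)."""
    if len(wire) < HEADER_LEN:
        return False, "truncated header"
    length = struct.unpack_from("!H", wire, 2)[0]
    if len(wire) < length + DIGEST_LEN:
        return False, "missing digest"
    if struct.unpack_from("!H", wire, 14)[0] != AU_TYPE_CRYPTO:
        return False, "AuType is not cryptographic"
    _, key_id, auth_len, seq = struct.unpack_from("!HBBI", wire, 16)
    if auth_len != DIGEST_LEN:
        return False, "bad auth data length"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id"
    if seq < last_seq:
        return False, "sequence number went backwards (replay?)"
    packet, digest = wire[:length], wire[length:length + DIGEST_LEN]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    if wire[1] == OSPF_HELLO:   # timers live in the Hello body at offsets 28 and 32
        hello = struct.unpack_from("!H", wire, 28)[0]
        dead = struct.unpack_from("!I", wire, 32)[0]
        if (hello, dead) != (local_hello, local_dead):
            return False, "hello/dead interval mismatch"
    return True, "ok"


if __name__ == "__main__":
    key = b"s3cr3t-ospf"                              # constructed sample key
    pkt = build_hello(b"\x0a\x00\x00\x01", b"\x00" * 4, b"\xff\xff\xff\x00")
    wire = sign_md5(pkt, key_id=1, seq=100, key=key)
    print(len(pkt), len(wire), verify_md5(wire, {1: key}, 0))
    forged = bytearray(wire)
    forged[28] ^= 0xFF                                # change the hello interval
    print(verify_md5(bytes(forged), {1: key}, 0))     # digest mismatch
    print(verify_md5(wire, {1: b"guess"}, 0))         # wrong key
    print(verify_md5(wire, {1: key}, 101))            # replayed sequence number
```

Two practical notes. The cost the original question asks about is one MD5 over a packet of roughly 60 bytes per hello (and per LSA/ack) per neighbour, which is negligible next to PPTP with MPPE on the same link; there is no per-session handshake. And the scheme is a keyed digest, not encryption: anyone on the segment can still read hellos and learn the timers, router IDs and the key ID, they just cannot produce a valid one without the key, so the key itself and the sequence-number check are what keep an intruder out.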