tangent
Forum Guru
Topic Author
Posts: 1330
Joined: Thu Jul 01, 2021 3:15 pm

HMAC-SHA for OSPFv2/3 authentication

Fri Jul 16, 2021 3:33 pm

I was just watching a presentation on OSPF authentication and was stunned to learn that the highest security option in RouterOS is "MD5". Since we know how to create arbitrary MD5 collisions within seconds on ordinary PC-class hardware, I was afraid I'd find that OSPF was terribly insecure on its own, requiring strong IP filtering to keep it safe.

On researching it further, it seems to be the case that keyed-MD5 isn't vulnerable to the same attacks as plain old MD5 message digests.

However, I also found that OSPFv2 defines better authentication options, up to HMAC-SHA-512, which is stronger in several complementary ways: the better algorithm (SHA2 vs MD5), the longer hash — 2-4x, if you skip HMAC-SHA1 which is also semi-obsolete now — and more robust MAC construction, H(k⧺m⧺k) versus HMAC(k,m).

So, whether keyed-MD5 is broken or not, can we get better HMAC authentication in 7.1 before final release, please? If nothing else, it'll keep people like me from getting itchy. 😉
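An added example, not part of the original post and not RouterOS code: the two kinds of authentication tag the post compares, computed over a constructed byte string. Assumptions: keyed-MD5 follows RFC 2328 Appendix D.4.3 (digest over the packet followed by the key), the HMAC side is plain RFC 2104 HMAC rather than the full OSPF on-wire procedure, and `PACKET`, `KEY` and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for an OSPF packet (not a real capture).
PACKET = bytes.fromhex("0201002c0a0000010000000000000002") + b"constructed-hello-body"
KEY = b"example-key"  # hypothetical shared secret, 11 bytes

SCHEMES = ("md5", "sha1", "sha256", "sha384", "sha512")


def keyed_md5(packet: bytes, key: bytes) -> bytes:
    """Keyed-MD5 as in RFC 2328 D.4.3: MD5(packet || key).
    The key is at most 16 bytes; shorter keys are zero-padded here."""
    if len(key) > 16:
        raise ValueError("keyed-MD5 key is limited to 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def hmac_sha(packet: bytes, key: bytes, algo: str) -> bytes:
    """Standard HMAC (RFC 2104) with the chosen SHA variant.
    Simplification: the OSPF-specific key preparation and trailer
    handling are left out."""
    return hmac.new(key, packet, algo).digest()


def make_tag(packet: bytes, key: bytes, scheme: str) -> bytes:
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme: {scheme}")
    if scheme == "md5":
        return keyed_md5(packet, key)
    return hmac_sha(packet, key, scheme)


def verify(packet: bytes, key: bytes, tag: bytes, scheme: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(make_tag(packet, key, scheme), tag)


def tag_lengths() -> dict:
    """Tag size in bytes per scheme; SHA-256 and SHA-512 are 2x and 4x MD5."""
    return {s: len(make_tag(PACKET, KEY, s)) for s in SCHEMES}


if __name__ == "__main__":
    for scheme, size in tag_lengths().items():
        print(f"{scheme:7s} {size:3d} bytes  {make_tag(PACKET, KEY, scheme).hex()}")
```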
 
oreggin
Member Candidate
Posts: 172
Joined: Fri Oct 16, 2009 9:21 pm

Re: HMAC-SHA for OSPFv2/3 authentication

Mon Aug 30, 2021 2:27 pm

The second problem with MD5 in OSPFv3: other vendors are implementing SHA1 auth.
 
tangent
Forum Guru
Topic Author
Posts: 1330
Joined: Thu Jul 01, 2021 3:15 pm

Re: HMAC-SHA for OSPFv2/3 authentication

Sun Apr 10, 2022 3:13 am

Just a bump: it's been nearly a year, and we're still limited to MD5.
