mateusl
just joined
Topic Author
Posts: 5
Joined: Tue Jan 12, 2010 3:05 pm

OSPF with MD5

Thu Apr 22, 2010 4:20 pm

Hi,

I have about 30 routers in my network running RouterOS 3.30 and 4.6. I'm thinking of enabling MD5 authentication. Can someone tell me if there is a risk that it will cause overload? Today I have no authentication.

Thank you.
 
ibeeby
newbie
Posts: 45
Joined: Tue Dec 12, 2006 8:49 am
Location: Matlock, England

Re: OSPF with MD5

Fri Apr 23, 2010 10:46 am

I read that adding MD5 (or any authentication for that matter) improves security in your network because it will prevent an intruder from getting free unfettered access to your network without having to do at least some further work - as such I implemented it in my network recently.

As I understand it, MD5 authentication does not involve encryption of each OSPF message but is effectively a logging-in handshake - therefore the load is at session initiation and not continuous.

My network is small enough that any load impact would not be an issue for the routers so I have not attempted to measure the increased load.

Someone who knows should confirm the above before you take any action based on what I have written.

Regards

Ian
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: OSPF with MD5

Fri Apr 23, 2010 12:46 pm

All OSPF HELLO packets have this MD5 hash attached so that your neighbour can only be someone who knows the key.
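
Added example, not part of any post in this thread and not MikroTik code: a sketch of how OSPF cryptographic (MD5) authentication is computed and checked for each packet under RFC 2328 Appendix D, where the digest is MD5 over the packet followed by the 16-byte key and is appended after the packet. The router ID, key, sequence number and Hello field values are constructed for illustration.

```python
import hashlib, hmac, struct

HDR = "!BBHIIHHHBBI"   # OSPF header with AuType 2 auth field: 0, key ID, auth length, sequence
AUTYPE_CRYPTO, DIGEST_LEN = 2, 16

def pad_key(key: bytes) -> bytes:
    """The shared secret is treated as a 16-byte field, zero padded."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(16, b"\x00")

def build_hello(router_id, area_id, key_id, seq, key, body):
    """Return header + body + trailing digest, as sent on the wire."""
    length = struct.calcsize(HDR) + len(body)          # digest is not counted here
    header = struct.pack(HDR, 2, 1, length, router_id, area_id,
                         0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)  # checksum stays 0
    packet = header + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire, keys, last_seq):
    """Receiver-side check: known key ID, non-decreasing sequence, matching digest."""
    if len(wire) < struct.calcsize(HDR):
        return False
    _, _, length, _, _, _, autype, _, key_id, auth_len, seq = struct.unpack_from(HDR, wire)
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or key_id not in keys:
        return False
    if length < struct.calcsize(HDR) or len(wire) < length + DIGEST_LEN:
        return False
    if seq < last_seq:                                  # stale or replayed packet
        return False
    expected = hashlib.md5(wire[:length] + pad_key(keys[key_id])).digest()
    return hmac.compare_digest(expected, wire[length:length + DIGEST_LEN])

# Constructed sample: Hello body with mask /24, HelloInterval 10 s, RouterDeadInterval 40 s.
KEY = b"constructed-key"
BODY = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
PACKET = build_hello(0x0A000001, 0, key_id=1, seq=100, key=KEY, body=BODY)

if __name__ == "__main__":
    print(len(PACKET), verify(PACKET, {1: KEY}, last_seq=100))
```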
 
ibeeby
newbie
Posts: 45
Joined: Tue Dec 12, 2006 8:49 am
Location: Matlock, England

Re: OSPF with MD5

Mon Jul 19, 2010 5:34 pm

A further observation on this:

Recently an (ex-) ISP has had problems and we were getting very high packet loss intermittently at one site. The packet loss exceeded 70% at its worst but built up gradually over typically 10 minutes or so. The reason that they are now an ex-supplier is that over five days they refused to accept that there was a problem with the wholesale connection and it has now been rectified, I suspect, through the efforts of another customer.

Anyhow, as the error rate increased, first the OSPF (MD5) over PPTP (MPPE 128) link went down although PPTP stayed up. Then PPTP went down and, ultimately, the router lost IP connectivity to the internet. So it seems that OSPF is VERY much more sensitive to packet loss or related errors than the bearer PPTP link.

Sadly I do not have logs to be able to put a threshold on this observation which is entirely empirical.

Ian
 
mrz
MikroTik Support
Posts: 5960
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: OSPF with MD5

Tue Jul 20, 2010 9:04 am

It's all about timers. OSPF by default sends hellos every 10sec, so it can detect link failure really fast. Default PPTP keepalive timeout is 30sec. All those values can be adjusted to your needs.
