Btw; using md5 for the HMAC algorithm would let someone inject data as well, because creating 16 bytes at the end of a packet that achieves the HMAC you want with MD5 is no longer a computationally hard problem
Actually, it still is. Using MD5 with HMAC is at present knowledge absolutely fine from a functional point of view, but it's really not something you would want to do anyway because:
A) it's bad for PR, because by now the only reaction you will get from people is "why are you using MD5, it's broken" even though in this particular instance none of its effective weaknesses matter
B) you can possibly get better performance using a more modern algorithm with less overhead when fingerprinting small messages - such as network packets - repeatedly with the same key (the SHA-3 finalists are pretty good at it since they have built-in HMAC functionality which aims to optimize this kind of processing, but they aren't standardized yet so it's probably best to go with SHA-256 at the moment)
C) eventually it will no longer be secure, as attacks only get better
So to conclude, HMAC does not rely on collision resistance of the underlying hash function, therefore, as paradoxal as it may seem, using it with MD5 is currently "as secure" as using it with SHA-1 from a technical point of view (ignoring the difference in fingerprint length - 128 bits is enough anyway). But that doesn't mean you should do it.
Either way, you need to build a threat model for your application first. Any work done prior to the assessment of what you are trying to protect against is misguided.