Date: Wed, 28 Sep 2011 10:48:20 +0200
From: VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To: Olivier Cochard-Labbé <olivier@cochard.me>
Cc: net@freebsd.org
Subject: Re: How to protect RIPng or OSPFv3 with IPsec ?
Message-ID: <20110928084820.GA45502@zeninc.net>
In-Reply-To: <CA%2Bq%2BTcp6u9JAFdghnYq9Axu3xnUs7qPLxhQroz4-VVxHumWPTA@mail.gmail.com>
References: <CA%2Bq%2BTcp6u9JAFdghnYq9Axu3xnUs7qPLxhQroz4-VVxHumWPTA@mail.gmail.com>

On Tue, Sep 27, 2011 at 10:26:32PM +0200, Olivier Cochard-Labbé wrote:
> Hi,

Hi.

> I'm trying to protect RIPng and OSPFv3 (I'm using Quagga and Bird),
> but I didn't know how to manage multicast traffic with setkey.

You can't: IPsec has NOT been designed to protect multicast traffic
(well, there are actually at least some drafts in progress).

> Does someone have an example of /etc/ipsec.conf for protecting RIPng or OSPF3 ?

The real question is: what exactly are you trying to protect, and on
which part of the way.....

If your goal is to provide a global ciphering/authentication for some
dynamic routing infrastructure, just forget IPsec and search for
something else designed for multicast / dynamic routing.

If you need, for example, to do dynamic routing between sites which
each have a single Internet connection, and an IPsec tunnel to
communicate between LANs, then you MAY be able to do something for
your multicast packets by doing some other kind of IP-IP encapsulation
before IPsec.....

Never tried that, however, I don't know exactly how to do it!

Yvan.
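
The second scenario in the reply (IP-in-IP encapsulation between two site gateways, with IPsec applied to the encapsulated packets) could be expressed on FreeBSD as the /etc/ipsec.conf below. This is an added example, not part of the original message and not a setup its author tested; the use of a gif(4) tunnel, the gateway addresses (documentation ranges) and the ESP transport-mode policy are all assumptions.

```conf
# /etc/ipsec.conf on gateway A (constructed example; addresses are placeholders)
#
# Assumed topology:
#   gateway A public address: 192.0.2.1
#   gateway B public address: 198.51.100.1
#
# Assumed tunnel, created separately on gateway A:
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
# The routing daemon (Quagga or Bird) then runs RIPng/OSPFv3 on gif0.
# Its link-local multicast packets are wrapped by gif0 in unicast
# packets between the two gateways, carrying IP protocol 41
# (IPv6 encapsulation), which an ordinary unicast IPsec policy can match.

# Start from an empty SAD and SPD when this file is loaded.
flush;
spdflush;

# Require ESP in transport mode for every encapsulated packet sent to B.
spdadd 192.0.2.1 198.51.100.1 41 -P out ipsec esp/transport//require;

# Require ESP on every encapsulated packet received from B, so that
# unprotected protocol-41 packets claiming to come from B are dropped.
spdadd 198.51.100.1 192.0.2.1 41 -P in ipsec esp/transport//require;

# The matching security associations are not defined here: they come
# either from an IKE daemon or from manual "add" statements with keys
# generated for this pair of gateways.
```

Gateway B needs the mirror-image file with the two addresses and the `in`/`out` directions swapped.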