From: VANHULLEBUS Yvan
To: Olivier Cochard-Labbé
Cc: net@freebsd.org
Date: Wed, 28 Sep 2011 10:48:20 +0200
Subject: Re: How to protect RIPng or OSPFv3 with IPsec ?
Message-ID: <20110928084820.GA45502@zeninc.net>

On Tue, Sep 27, 2011 at 10:26:32PM +0200, Olivier Cochard-Labbé wrote:
> Hi,

Hi.

> I'm trying to protect RIPng and OSPFv3 (I'm using Quagga and Bird),
> but I didn't know how to manage multicast traffic with setkey.

You can't: IPsec has NOT been designed to protect multicast traffic (well, there are actually at least some drafts in progress).

> Does someone have an example of /etc/ipsec.conf for protecting RIPng or OSPF3 ?

The real question is: what exactly are you trying to protect, and on which part of the way?

If your goal is to provide global ciphering/authentication for some dynamic routing infrastructure, just forget IPsec and search for something else designed for multicast / dynamic routing.

If you need, for example, to do dynamic routing between sites which each have a single internet connection and an IPsec tunnel to communicate between LANs, then you MAY be able to do something for your multicast packets by doing some other kind of IP-IP encapsulation before IPsec... Never tried that, however, and I don't know exactly how to do it!

Yvan.
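One way the "IP-IP encapsulation before IPsec" idea above could be laid out on FreeBSD, as an added example (not Yvan's or the thread's own configuration; the reply says the author has not tried it): a gif(4) tunnel carries the IPv6 link between the two site routers, so the multicast OSPFv3/RIPng packets leave the box as unicast IPv4 protocol-41 packets and the setkey policy only has to match those outer packets. The interface name gif0, the RFC 5737 / RFC 3849 addresses and the choice of transport-mode ESP are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Only prints commands and config text;
# nothing is applied to the running system. Addresses are documentation
# placeholders (RFC 5737 IPv4, RFC 3849 IPv6).

# Print the ifconfig commands that create the gif tunnel.
# $1 local public IPv4, $2 remote public IPv4, $3 local tunnel IPv6/prefix
gif_cmds() {
    printf 'ifconfig gif0 create\n'
    printf 'ifconfig gif0 tunnel %s %s\n' "$1" "$2"
    printf 'ifconfig gif0 inet6 %s\n' "$3"
    printf 'ifconfig gif0 up\n'
}

# Print a setkey(8) SPD (the /etc/ipsec.conf content) that requires ESP
# for the encapsulated traffic only. Upper-layer protocol "ipv6" is IP
# protocol 41 (IPv6-in-IPv4), which is what gif emits, so the inner
# multicast destinations (ff02::5, ff02::9) never appear in a selector.
# SAs must come from IKE (or manual "add" lines, not shown) before traffic
# can flow; with "require" the kernel drops the packets until they exist.
# $1 local public IPv4, $2 remote public IPv4
spd_conf() {
    local_v4=$1
    remote_v4=$2
    printf 'spdflush;\n'
    printf 'spdadd %s/32 %s/32 ipv6 -P out ipsec esp/transport//require;\n' \
        "$local_v4" "$remote_v4"
    printf 'spdadd %s/32 %s/32 ipv6 -P in ipsec esp/transport//require;\n' \
        "$remote_v4" "$local_v4"
}

# Number of policy lines produced, for a quick sanity check of the output.
spd_rule_count() {
    spd_conf "$1" "$2" | grep -c '^spdadd'
}

gif_cmds 203.0.113.1 198.51.100.1 2001:db8:1::1/64
echo '----- /etc/ipsec.conf -----'
spd_conf 203.0.113.1 198.51.100.1
```

The routing daemon is then pointed at gif0 like any other link; only the two outer /32 endpoints need to be reachable in clear for IKE and ESP.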