From: Olivier Cochard-Labbé <cochard@gmail.com>
Date: Wed, 28 Sep 2011 11:09:46 +0200
To: VANHULLEBUS Yvan
Cc: net@freebsd.org
In-Reply-To: <20110928084820.GA45502@zeninc.net>
Subject: Re: How to protect RIPng or OSPFv3 with IPsec ?
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)
Hi Yvan,

2011/9/28 VANHULLEBUS Yvan:
>
>> I'm trying to protect RIPng and OSPFv3 (I'm using Quagga and Bird),
>> but I didn't know how to manage multicast traffic with setkey.
>
> You can't: IPsec has NOT been designed to protect multicast traffic
> (well, there are actually at least some drafts in progress).

OSPFv3 and RIPng rely on the IPv6 Authentication Header (AH) and IPv6 Encapsulating Security Payload (ESP) in order to provide integrity, authentication, and/or confidentiality.

I believed that for configuring AH/ESP headers on FreeBSD, I need to use IPsec (setkey)... But if you say that IPsec was not designed to protect multicast traffic: how to protect RIPng/OSPFv3 (multicast based) using AH/ESP?

> The real question is: what exactly are you trying to protect, and on
> which part of the way.....
>
> If your goal is to provide a global ciphering/authentication for some
> dynamic routing infrastructure, just forget IPsec and search something
> else designed for multicast / dynamic routing.

My goal is simply to have, on my RIPng/OSPFv3 infrastructure, the same security level as on my RIPv2/OSPFv2 infrastructure (which uses "authentication mode md5" for RIPv2 and "authentication message-digest" for OSPFv2).

Thanks,
Olivier
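The following is an added worked example and is not part of the thread above (it is neither Olivier's nor Yvan's code, and not FreeBSD's IPsec implementation). It shows what the AH protection that OSPFv3 relies on actually covers when the destination is the link-local multicast group ff02::5: the ICV is an HMAC-SHA1-96 over the IPv6 header with its mutable fields (traffic class, flow label, hop limit) zeroed, the AH header with a zeroed ICV field, and the OSPF payload (RFC 4302, RFC 2404). With manual keying (the mode RFC 4552 specifies for OSPFv3) every router on the link shares one SPI and key, so a receiver can verify packets from any neighbour with the same SA. The link-local addresses, SPI, key and payload bytes are constructed for the example. The example does not show how to install such an SA with setkey, which is the open question in the thread.

```python
import hashlib
import hmac
import socket
import struct

# IANA protocol numbers
IPPROTO_AH = 51
IPPROTO_OSPF = 89
# HMAC-SHA1-96 truncates the 20-byte MAC to 96 bits (12 bytes), RFC 2404.
ICV_LEN = 12
AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv6_header(src, dst, payload_len, next_header, hop_limit=1):
    """Build a 40-byte IPv6 fixed header (traffic class and flow label zero)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst))


def ah_icv(ip6, ah_fixed, payload, key):
    """HMAC-SHA1-96 over the packet as AH defines it (RFC 4302 3.3.3.1):
    IPv6 header with mutable fields zeroed, AH header with zeroed ICV, payload."""
    masked = bytearray(ip6)
    masked[0] &= 0xF0                # keep version, zero high bits of traffic class
    masked[1] = masked[2] = masked[3] = 0  # rest of traffic class + flow label
    masked[7] = 0                    # hop limit changes in flight
    data = bytes(masked) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload, key, spi, seq, hop_limit=1):
    """Sender side: IPv6 | AH(next=OSPF) | OSPF payload."""
    ah_total = AH_FIXED_LEN + ICV_LEN          # 24 bytes, a multiple of 8 as IPv6 requires
    ip6 = ipv6_header(src, dst, ah_total + len(payload), IPPROTO_AH, hop_limit)
    # Payload Len is the AH length in 32-bit words minus 2.
    ah_fixed = struct.pack("!BBHII", IPPROTO_OSPF, ah_total // 4 - 2, 0, spi, seq)
    icv = ah_icv(ip6, ah_fixed, payload, key)
    return ip6 + ah_fixed + icv + payload


def verify_ah_packet(packet, key):
    """Receiver side: recompute the ICV and compare in constant time.
    Returns (ok, spi, seq, payload); ok is False for non-AH or tampered packets."""
    ip6, rest = packet[:40], packet[40:]
    if ip6[6] != IPPROTO_AH:
        return False, None, None, None
    ah_total = (rest[1] + 2) * 4
    ah_fixed, icv, payload = rest[:AH_FIXED_LEN], rest[AH_FIXED_LEN:ah_total], rest[ah_total:]
    spi, seq = struct.unpack("!II", ah_fixed[4:12])
    expected = ah_icv(ip6, ah_fixed, payload, key)
    return hmac.compare_digest(expected, icv), spi, seq, payload


# Constructed sample: two routers on one link share the OSPFv3 SA (SPI 0x100, one key).
LINK_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")  # constructed
ALL_SPF_ROUTERS = "ff02::5"
HELLO_R1 = b"\x03\x01" + b"constructed OSPFv3 Hello from R1"  # version 3, type 1 (Hello)
HELLO_R2 = b"\x03\x01" + b"constructed OSPFv3 Hello from R2"


def demo():
    """Verify packets from both neighbours, then show what breaks the ICV and what does not."""
    p1 = build_ah_packet("fe80::1", ALL_SPF_ROUTERS, HELLO_R1, LINK_KEY, spi=0x100, seq=1)
    p2 = build_ah_packet("fe80::2", ALL_SPF_ROUTERS, HELLO_R2, LINK_KEY, spi=0x100, seq=1)
    ok1 = verify_ah_packet(p1, LINK_KEY)[0]
    ok2 = verify_ah_packet(p2, LINK_KEY)[0]

    # Hop limit is mutable: a changed value must still verify.
    hop_changed = bytearray(p1)
    hop_changed[7] = 64
    ok_hop = verify_ah_packet(bytes(hop_changed), LINK_KEY)[0]

    # Flipping one payload bit, or using another key, must fail.
    tampered = bytearray(p1)
    tampered[-1] ^= 0x01
    ok_tampered = verify_ah_packet(bytes(tampered), LINK_KEY)[0]
    ok_wrong_key = verify_ah_packet(p1, b"\x00" * 20)[0]
    return ok1, ok2, ok_hop, ok_tampered, ok_wrong_key


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the ICV proves that the sender holds the link key, not which router sent the packet, since every router on the link uses the same SA; and because each sender keeps its own sequence counter under one shared SPI, the AH sequence number cannot give anti-replay protection in this multicast, manually keyed setting.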