Date:      Wed, 28 Sep 2011 11:09:46 +0200
From:      Olivier Cochard-Labbé <olivier@cochard.me>
To:        VANHULLEBUS Yvan <vanhu@freebsd.org>
Cc:        net@freebsd.org
Subject:   Re: How to protect RIPng or OSPFv3 with IPsec ?
Message-ID:  <CA%2Bq%2BTcrUfCiU5fdHWogFUhDoz6ar-__k-zT7CNjz7Fy=YkjZBA@mail.gmail.com>
In-Reply-To: <20110928084820.GA45502@zeninc.net>
References:  <CA%2Bq%2BTcp6u9JAFdghnYq9Axu3xnUs7qPLxhQroz4-VVxHumWPTA@mail.gmail.com> <20110928084820.GA45502@zeninc.net>

Hi Yvan,

2011/9/28 VANHULLEBUS Yvan <vanhu@freebsd.org>:
>
>> I'm trying to protect RIPng and OSPFv3 (I'm using Quagga and Bird),
>> but I didn't know how to manage multicast traffic with setkey.
>
> You can't: IPsec has NOT been designed to protect multicast traffic
> (well, there are actually at least some drafts in progress).

OSPFv3 and RIPng rely on the IPv6 Authentication Header (AH) and IPv6
Encapsulating Security Payload (ESP) in order to provide integrity,
authentication, and/or confidentiality.

I believed that for configuring AH/ESP header on FreeBSD, I need to
use IPSec (setkey)… But if you say that IPsec was not designed to
protect multicast traffic: How to protect RIPng/OSPFv3 (multicast
based) using AH/ESP ?

>
> The real question is: what exactly are you trying to protect, and on
> which part of the way.....
>
> If your goal is to provide a global ciphering/authentication for some
> dynamic routing infrastructure, just forget IPsec and search something
> else designed for multicast / dynamic routing.
>

My goal is simply to have the same security level as on my
RIPv2/OSPFv2 infrastructure (that uses "authentication mode md5" for
RIPv2 and "authentication message-digest" for OSPFv2) to my
RIPng/OSPFv3 infrastructure.

Thanks,

Olivier


