How to protect RIPng or OSPFv3 with IPsec?
VANHULLEBUS Yvan
vanhu at FreeBSD.org
Wed Sep 28 09:05:55 UTC 2011
On Tue, Sep 27, 2011 at 10:26:32PM +0200, Olivier Cochard-Labb wrote:
> Hi,
Hi.
> I'm trying to protect RIPng and OSPFv3 (I'm using Quagga and Bird),
> but I didn't know how to manage multicast traffic with setkey.
You can't: IPsec has NOT been designed to protect multicast traffic
(well, there are actually at least some drafts in progress).
> Does someone have an example of /etc/ipsec.conf for protecting RIPng or OSPF3 ?
The real question is: what exactly are you trying to protect, and on
which part of the way.....
If your goal is to provide a global ciphering/authentication for some
dynamic routing infrastructure, just forget IPsec and search something
else designed for multicast / dynamic routing.
If you need, for example, to do dynamic routing between sites which
each have a single internet connection, and an IPsec tunnel to
communicate between LANs, then you MAY be able to do something for
your multicast packets by doing some other kind of IP-IP encapsulation
before IPsec.....
Never tried that, however, I don't know exactly how to do it!
Yvan.
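
One way the "IP-IP encapsulation before IPsec" idea in the reply above could be laid out on FreeBSD, as an added and untested example that is not part of the original message: the routing daemon speaks multicast on a gif(4) tunnel, and IPsec only ever sees the unicast outer packets. The addresses (documentation prefix 2001:db8::/32), the interface name gif0, the SPIs, the algorithms and the key placeholders are all assumptions.

```conf
# Added example, not from the original thread. Site A side; on site B swap
# the two addresses in the ifconfig line and swap "in"/"out" in the policies.
#
# Step 1 (shell, as root): build a unicast IPv6-in-IPv6 tunnel.
#   ifconfig gif0 create
#   ifconfig gif0 inet6 tunnel 2001:db8:a::1 2001:db8:b::1
#   ifconfig gif0 up
# Then enable RIPng/OSPFv3 in Quagga or Bird on gif0 only. Their multicast
# packets become the payload of unicast packets A <-> B, IP protocol 41.
#
# Step 2: this file, loaded with "setkey -f /etc/ipsec.conf".
flush;
spdflush;

# Manually keyed ESP transport-mode SAs, one per direction.
# Replace the placeholders with real random keys (or drop these two
# entries and let an IKE daemon negotiate the SAs instead).
add 2001:db8:a::1 2001:db8:b::1 esp 0x1000 -m transport
    -E rijndael-cbc 0xREPLACE_WITH_128_BIT_KEY_A_TO_B
    -A hmac-sha1    0xREPLACE_WITH_160_BIT_KEY_A_TO_B;
add 2001:db8:b::1 2001:db8:a::1 esp 0x1001 -m transport
    -E rijndael-cbc 0xREPLACE_WITH_128_BIT_KEY_B_TO_A
    -A hmac-sha1    0xREPLACE_WITH_160_BIT_KEY_B_TO_A;

# Policies match only the gif outer packets (upper-layer protocol 41,
# IPv6 encapsulation) between the two unicast endpoints. No selector
# ever names a multicast group such as ff02::9 or ff02::5.
# "require" fails closed: without a matching SA the packet is dropped
# instead of being sent in clear.
spdadd 2001:db8:a::1 2001:db8:b::1 41 -P out ipsec esp/transport//require;
spdadd 2001:db8:b::1 2001:db8:a::1 41 -P in  ipsec esp/transport//require;
```

After loading, `setkey -D` and `setkey -DP` list the installed SAs and policies, and a capture on the external interface should show only ESP between the two endpoints, with no protocol 41 or routing-protocol packets in clear.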