How to protect RIPng or OSPFv3 with IPsec ?

Olivier Cochard-Labbé olivier at
Wed Sep 28 09:10:07 UTC 2011

Hi Yvan,

2011/9/28 VANHULLEBUS Yvan <vanhu at>:
>> I'm trying to protect RIPng and OSPFv3 (I'm using Quagga and Bird),
>> but I didn't know how to manage multicast traffic with setkey.
> You can't: IPsec has NOT been designed to protect multicast traffic
> (well, there are actually at least some drafts in progress).

OSPFv3 and RIPng rely on the IPv6 Authentication Header (AH) and IPv6
Encapsulating Security Payload (ESP) in order to provide integrity,
authentication, and/or confidentiality.

I believed that for configuring AH/ESP headers on FreeBSD, I need to
use IPsec (setkey)… But if you say that IPsec was not designed to
protect multicast traffic: how to protect RIPng/OSPFv3 (multicast
based) using AH/ESP?

> The real question is: what exactly are you trying to protect, and on
> which part of the way.....
> If your goal is to provide a global ciphering/authentication for some
> dynamic routing infrastructure, just forget IPsec and search something
> else designed for multicast / dynamic routing.

My goal is simply to have the same security level as on my
RIPv2/OSPFv2 infrastructure (that uses "authentication mode md5" for
RIPv2 and "authentication message-digest" for OSPFv2) on my
RIPng/OSPFv3 infrastructure.


