How to protect RIPng or OSPFv3 with IPsec ?

VANHULLEBUS Yvan vanhu at
Wed Sep 28 13:44:41 UTC 2011

On Wed, Sep 28, 2011 at 11:09:46AM +0200, Olivier Cochard-Labb wrote:
> Hi Yvan,
> 2011/9/28 VANHULLEBUS Yvan <vanhu at>:
> >
> >> I'm trying to protect RIPng and OSPFv3 (I'm using Quagga and Bird),
> >> but I didn't know how to manage multicast traffic with setkey.
> >
> > You can't: IPsec has NOT be designed to protect multicast traffic
> > (well, there are actually at least some drafts in progress).
> OSPFv3 and RIPng rely on the IPv6 Authentication  Header (AH) and IPv6
> Encapsulating Security Payload (ESP) in order to provide integrity,
> authentication, and/or confidentiality.
> I believed that for configuring HA/ESP header on FreeBSD, I need to
> use IPSec (setkey)? But if you say that IPsec was not be designed to
> protect multicast traffic: How to protect RIPng/OSPFv3 (multicast
> based) using AH/ESP ?

That's right: IPsec has been designed for unicast packets.....

After quickly reading RFC 4552 (sections 6 and 7), looks like someone
had the good idea to go back to manual keying to be able to do some
kind of IPsec on multicast packets (well, I'm still not sure IPsec is
used for multicast packets, OSPF also seems to sends unicast packets).

Such "shared SAs" should resolve some multicast related issues, but
the way SPD entries should be created for that is still unclear for
me, sorry.....

Section 6 of RFC 4552 also seems to have at least one requirement not
actually provided by FreeBSD's IPsec stack (well, at least, I don't
know how to configure that on FreeBSD....): multiple SPD...


More information about the freebsd-net mailing list