IPSec design for OSPFv3?

Ondrej Zajicek santiago at crfreenet.org
Fri Sep 6 22:20:24 CEST 2013


On Fri, Sep 06, 2013 at 11:47:59AM -0500, Thomas Johnson wrote:
> I'm looking around, and not seeing anything online regarding how to
> protect BIRD OSPFv3 with IPSec (at least on FreeBSD). I am able to
> configure IPSec transport mode to protect unicast traffic between
> routers; but multicast traffic is still transmitted without AH.

Retrospectively, assuming IPSec would provide all OSPFv3 security
wasn't the smartest move by the IETF.

It could have worked if OSes offered a socket-specific API for
configuring IPSec, but AFAIK it is usually necessary to configure the
system-wide IPSec policy database, which is problematic from a
routing software POV.

> A number of sources seem to be setting up a GRE/IPSec tunnel between
> routers, and running OSPF on that interface, facilitating multicast
> traffic

As traffic would be routed the same way as OSPF packets, that would also
encrypt all the network traffic, which would increase routers' load many
times.

> Thoughts on this? Are BIRD users just skipping authentication for OSPFv3?

Well, I would just separate transit (router-to-router) networks from
endpoint (router-to-hosts) networks, use TTL security on transit
networks and stub mode on endpoint networks. Not as secure as
cryptographic alternatives, but simple, prevents most remote DoS attacks
and is better than nothing.

> This e-mail and any files transmitted with it are confidential and are 
> intended solely for the use of the individual or entity to whom they are 
> addressed.

Not a good idea to send such e-mail to a mailing list with public
archives ;-) .

-- 
Elen sila lumenn' omentielvo

Ondrej 'SanTiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
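The transit/endpoint split suggested in the reply above, written out as a BIRD configuration. This is an added example, not part of the original message; it uses BIRD 2.x `protocol ospf v3` syntax, and the interface names eth0/eth1 are assumptions.

```conf
# Added example (not from the original post): BIRD 2.x OSPFv3 instance
# hardened without IPSec, per the advice in the reply above.
protocol ospf v3 ospf6 {
    ipv6 {
        import all;
        export none;
    };

    area 0 {
        # Transit network (assumed eth0): only neighbouring routers
        # live here. 'ttl security' makes BIRD send OSPF packets with
        # hop limit 255 and drop received packets whose hop limit is
        # below 255, so anything that was forwarded by another router
        # (i.e. originated off-link) is rejected.
        interface "eth0" {
            type broadcast;
            ttl security yes;
        };

        # Endpoint network (assumed eth1): hosts only, no routers.
        # Stub mode still advertises the prefix but sends no Hellos
        # and ignores received OSPF packets, so nothing on this
        # segment can form an adjacency or inject routing state.
        interface "eth1" {
            stub yes;
        };
    };
}
```

With `ttl security yes` on eth0, virtual links over that interface will not work, since their packets are routed and arrive with a decremented hop limit.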