IPsec (OSPFv3)

Kenth Eriksson Kenth.Eriksson at infinera.com
Mon Aug 19 13:05:50 CEST 2019


On Thu, 2019-08-08 at 15:04 +0200, Ondrej Zajicek wrote:
> 
> On Mon, Jun 17, 2019 at 10:59:00AM +0000, Kenth Eriksson wrote:
> > Hi!
> 
> Hi
> 
> Sorry for the late reply, I finally got to answer some mails I missed in the
> past due to my mail delivery issue:
> 
> https://bird.network.cz/pipermail/bird-users/2019-July/013549.html
> 
> 
> > What is the plan for IPsec with regards to OSPFv3? Is it part of
> > roadmap?
> 
> We do not have any plans for IPsec for OSPFv3. AFAIK, IPsec is not well
> suited for multicast and RFC 7166 is a better solution for OSPFv3.
> 

It's great that bird supports RFC 7166, but unfortunately interop will
be limited. AFAIK, Juniper does not support RFC 7166. Cisco seems to
have partial support for RFC 7166.

> OTOH, it is something that seems to be easy to implement, as it is just
> a few syscalls to configure manual SA entries. So patches are welcome.
> 

A few syscalls, can you elaborate? I thought you need iproute2 to set up
'ip xfrm' policies? Or you mean it can be done through the netlink layer
directly?

> 
> > If not a roadmap item, what is the recommended way to get IPsec support
> > for OSPFv3 with bird? libreswan?
> 
> There was the setkey command from ipsec-tools, which would likely allow
> configuring the manual SA entries necessary for OSPFv3, but it seems to be
> abandoned.
> 
> I do not think that libreswan or other dynamic keying daemons are
> applicable for OSPFv3 due to its multicast nature.
> 
> --
> Elen sila lumenn' omentielvo
> 
> Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
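The "few syscalls" and the 'ip xfrm' question above, made concrete as an added example that is not from this thread and not BIRD's own code: a POSIX shell script that emits the `ip xfrm state` / `ip xfrm policy` commands which give OSPFv3 on one link a manually keyed AH transport-mode SA, following the RFC 4552 model of one SPI and one key shared by every router on the link, with inbound SAs identified by destination address only. The commands are printed rather than executed so they can be reviewed before being applied as root. Interface name, link-local addresses, neighbour list, SPI and key are all constructed for the example, and the choice to leave the inbound source unspecified (any router on the link) is an assumption about how the Linux xfrm state lookup is keyed, not something the thread states.

```shell
#!/bin/sh
# Added example: generate the ip-xfrm commands for a manually keyed OSPFv3 AH
# SA on one link. Nothing here is executed; each line printed is meant to be
# reviewed and then run as root on the router it was generated for.
#
# Constructed values (assumptions, replace with real ones):
IFACE=eth0                 # link on which OSPFv3 runs
SELF_LL=fe80::1            # this router's link-local address
NEIGHBOURS="fe80::2"       # link-local addresses of the other routers
SPI=0x1000                 # RFC 4552: same SPI on every router of the link
KEY=0x0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20
OSPF_PROTO=89              # IANA protocol number for OSPF

# One state per destination address that OSPFv3 packets are sent to or
# received on, since xfrm looks states up by (dst, SPI, proto).
# $1 = "src ADDR" for outbound states, empty for inbound (any source);
# $2 = destination address.
sa_cmd() {
  printf 'ip xfrm state add %sdst %s proto ah spi %s mode transport auth-trunc "hmac(sha256)" %s 128\n' \
    "${1:+$1 }" "$2" "$SPI" "$KEY"
}

ospf3_states() {
  # Outbound: AllSPFRouters (ff02::5), AllDRouters (ff02::6) and the unicast
  # link-local of each neighbour (DBD/LSR/LSU exchanges are unicast).
  for dst in ff02::5 ff02::6 $NEIGHBOURS; do
    sa_cmd "src $SELF_LL" "$dst"
  done
  # Inbound: the same SPI and key; destination is a multicast group or this
  # router's own link-local, source left unspecified (assumption, see lead-in).
  for dst in ff02::5 ff02::6 "$SELF_LL"; do
    sa_cmd "" "$dst"
  done
}

ospf3_policies() {
  # Require AH on every OSPFv3 packet (protocol 89) crossing the interface,
  # in both directions; unprotected OSPFv3 packets are then dropped.
  for dir in "in" "out"; do
    printf 'ip xfrm policy add dir %s dev %s src ::/0 dst ::/0 proto %s tmpl proto ah mode transport level required\n' \
      "$dir" "$IFACE" "$OSPF_PROTO"
  done
}

ospf3_states
ospf3_policies
```

The key must be identical on every router of the link and should be supplied from a file readable only by root rather than typed on a command line; rotating it means replacing the states on all routers in the same maintenance window, which is the operational cost that RFC 7166 avoids.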


