IPsec (OSPFv3)

Ondrej Zajicek santiago at crfreenet.org
Mon Aug 19 13:29:52 CEST 2019


On Mon, Aug 19, 2019 at 11:05:50AM +0000, Kenth Eriksson wrote:
> On Thu, 2019-08-08 at 15:04 +0200, Ondrej Zajicek wrote:
> > 
> > On Mon, Jun 17, 2019 at 10:59:00AM +0000, Kenth Eriksson wrote:
> > > Hi!
> > 
> > Hi
> > 
> > Sorry for the late reply, I finally got to answer some mails I missed in the
> > past due to my mail delivery issue:
> > 
> > https://bird.network.cz/pipermail/bird-users/2019-July/013549.html
> > 
> > 
> > > What is the plan for IPsec with regards to OSPFv3? Is it part of
> > > roadmap?
> > 
> > We do not have any plans for IPsec for OSPFv3. AFAIK, IPsec is not well
> > suited for multicast and RFC 7166 is a better solution for OSPFv3.
> > 
> 
> It's great that bird supports RFC 7166, but unfortunately interop will
> be limited. AFAIK, Juniper does not support RFC 7166. Cisco seems to
> have partial support for RFC 7166. 
>  
> > OTOH, it is something that seems to be easy to implement, as it is just
> > a few syscalls to configure manual SA entries. So patches are welcome.
> > 
> 
> A few syscalls, can you elaborate? I thought you need iproute2 to setup
> 'ip xfrm' policies? Or you mean it can be done through the netlink layer
> directly?

Yes, setting SA/SP entries directly through netlink.

There is already code sysdep/bsd/setkey.h that adds SA entries for TCP
MD5 signature mechanism on BSD. I guess adding SA entries for IPsec is
not that much different. Of course, on Linux it would use Netlink
instead of PF_KEY socket.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
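As an added example (not BIRD's code and not part of this thread), here is the Linux side of what Ondrej describes: a single XFRM_MSG_NEWSA request sent over a NETLINK_XFRM socket that installs a manual transport-mode AH SA for IPv6, the IPsec counterpart of what sysdep/bsd/setkey.h does over PF_KEY for TCP-MD5. The struct and function names, the algorithm name and the key are constructed for illustration; the matching SP (policy) entries the thread also mentions are not covered here.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>      /* include before linux/xfrm.h so in6_addr is defined once */
#include <linux/netlink.h>
#include <linux/xfrm.h>
/* One XFRM_MSG_NEWSA request: netlink header, SA body, one XFRMA_ALG_AUTH attribute. */
struct sa_req {
  struct nlmsghdr nlh;
  struct xfrm_usersa_info sa;
  struct nlattr attr;         /* nla_type = XFRMA_ALG_AUTH */
  struct xfrm_algo alg;       /* kernel algorithm name + key length in bits */
  char key[64];               /* raw key bytes, directly after struct xfrm_algo */
};
/* Fill *req with a manual transport-mode AH SA for IPv6 src -> dst (SPI, kernel
 * algorithm name, HMAC key). Returns the netlink message length, 0 on bad input. */
size_t build_manual_ah_sa(struct sa_req *req, const char *src6, const char *dst6,
                          uint32_t spi, const char *alg, const void *key, size_t klen)
{
  if (klen == 0 || klen > sizeof(req->key)) return 0;
  memset(req, 0, sizeof(*req));
  if (inet_pton(AF_INET6, src6, &req->sa.saddr) != 1 ||
      inet_pton(AF_INET6, dst6, &req->sa.id.daddr) != 1) return 0;
  req->sa.id.spi = htonl(spi); req->sa.id.proto = IPPROTO_AH;
  req->sa.family = req->sa.sel.family = AF_INET6; req->sa.mode = XFRM_MODE_TRANSPORT;
  /* Manual keying: no byte/packet limits, the SA stays until it is deleted. */
  req->sa.lft.soft_byte_limit = req->sa.lft.hard_byte_limit = XFRM_INF;
  req->sa.lft.soft_packet_limit = req->sa.lft.hard_packet_limit = XFRM_INF;
  req->attr.nla_type = XFRMA_ALG_AUTH;
  req->attr.nla_len = NLA_HDRLEN + sizeof(req->alg) + klen;
  strncpy(req->alg.alg_name, alg, sizeof(req->alg.alg_name) - 1);
  req->alg.alg_key_len = klen * 8;             /* the kernel counts key bits */
  memcpy(req->key, key, klen);
  req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->sa)) + NLA_ALIGN(req->attr.nla_len);
  req->nlh.nlmsg_type = XFRM_MSG_NEWSA;
  req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
  return req->nlh.nlmsg_len;
}
/* Hand the request to the kernel over NETLINK_XFRM (needs CAP_NET_ADMIN);
 * returns 0 on success or the negative errno carried in the kernel's ACK. */
int send_sa_req(const struct sa_req *req)
{
  struct { struct nlmsghdr nlh; struct nlmsgerr err; } ack;
  int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM), rc = -EIO;
  if (fd < 0) return -errno;
  if (send(fd, req, req->nlh.nlmsg_len, 0) < 0) rc = -errno;
  else if (recv(fd, &ack, sizeof(ack), 0) < (ssize_t)sizeof(ack)) rc = errno ? -errno : -EIO;
  else if (ack.nlh.nlmsg_type == NLMSG_ERROR) rc = ack.err.error;
  close(fd); return rc;
}
```

Sending it twice for the same (dst, SPI, proto) fails with EEXIST, which is the signal to use XFRM_MSG_UPDSA or delete the old SA first.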

