On Fri, Sep 06, 2013 at 11:47:59AM -0500, Thomas Johnson wrote:
I'm looking around, and not seeing anything online regarding how to protect BIRD OSPFv3 with IPSec (at least on FreeBSD). I am able to configure IPSec transport mode to protect unicast traffic between routers; but multicast traffic is still transmitted without AH.
Retrospectively, assuming IPSec would provide all OSPFv3 security wasn't the smartest move from the IETF. Although it could have worked if OSes offered a socket-specific API for configuring IPSec, AFAIK it is usually necessary to configure the system-wide IPSec policy database, which is problematic from the routing software's POV.
A number of sources seem to be setting up a GRE/IPSec tunnel between routers, and running OSPF on that interface, facilitating multicast traffic.
As traffic would be routed the same way as OSPF packets, that would also encrypt all the network traffic, which would increase routers' load many times.
Thoughts on this? Are BIRD users just skipping authentication for OSPFv3?
Well, I would just separate transit (router-to-router) networks from endpoint (router-to-hosts) networks, use TTL security on transit networks and stub mode on endpoint networks. Not as secure as cryptographic alternatives, but it is simple, prevents most remote DoS attacks, and is better than nothing.
This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed.
Not a good idea to send such e-mail to a mailing list with public archives ;-) .

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
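The transit/stub split suggested in the reply above, written out as a BIRD configuration; this is an added illustration, not code from the thread or from BIRD's own documentation, and it assumes BIRD 1.x (bird6) syntax, a single backbone area and made-up interface names.

```conf
# Added example (not from the thread): OSPFv3 hardening in BIRD 1.x (bird6)
# without IPsec, following the transit-vs-endpoint advice in the reply.
# Router ID, area and interface names are assumptions.
router id 192.0.2.1;

protocol kernel { export all; }
protocol device { }

protocol ospf backbone {
    area 0.0.0.0 {
        # Transit (router-to-router) links: form real adjacencies, but send
        # with hop limit 255 and drop anything received with a lower hop
        # limit, so a packet forwarded from a remote network cannot reach
        # the OSPF process. Every router on the link must enable it, or
        # hellos from the others are discarded.
        interface "vlan10", "vlan20" {
            type ptp;
            ttl security yes;
            cost 10;
        };

        # Endpoint (router-to-hosts) networks: the prefix is announced in
        # the router LSA, but no OSPF packets are sent or accepted on the
        # interface, so hosts cannot inject hellos or LSAs at all.
        interface "vlan100" {
            stub yes;
        };
    };
}
```

TTL security only filters packets that have crossed a router hop; a machine attached directly to a transit segment still talks to OSPF, which is why the transit links above are kept to routers only.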