On Fri, Sep 06, 2013 at 11:47:59AM -0500, Thomas Johnson wrote:
> I'm looking around, and not seeing anything online regarding how to
> protect BIRD OSPFv3 with IPSec (at least on FreeBSD). I am able to
> configure IPSec transport mode to protect unicast traffic between
> routers; but multicast traffic is still transmitted without AH.
Retrospectively, assuming IPSec would provide all OSPFv3 security wasn't the smartest move from the IETF. Although it could have worked if OSes offered a socket-specific API for configuring IPSec, AFAIK it is usually necessary to configure the system-wide IPSec policy database, which is problematic from the routing software's POV.

> A number of sources seem to be setting up a GRE/IPSec tunnel between
> routers, and running OSPF on that interface, facilitating multicast
> traffic

As traffic would be routed the same way as OSPF packets, that would also encrypt all the network traffic, which would increase the routers' load many times.

> Thoughts on this? Are BIRD users just skipping authentication for OSPFv3?

Well, I would just separate transit (router-to-router) networks from endpoint (router-to-hosts) networks, use TTL security on transit networks and stub mode on endpoint networks. Not as secure as cryptographic alternatives, but simple, it prevents most remote DoS attacks and is better than nothing.

> This e-mail and any files transmitted with it are confidential and are
> intended solely for the use of the individual or entity to whom they are
> addressed.

Not a good idea to send such an e-mail to a mailing list with public archives ;-)

--
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santi...@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
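The layout Ondrej suggests (TTL security on the transit link, stub mode on the host-facing link), written out as a BIRD configuration. This is an added example, not part of the original thread or of the BIRD project's documentation; the router id, the interface names `em0`/`em1` and the timers are assumptions, and the syntax follows the BIRD 1.x `bird6` OSPF configuration that was current in 2013.

```bird
# Added example (not from the thread): BIRD 1.x bird6 OSPFv3 configuration
# following the transit/endpoint split. Router id and interface names
# (em0 = transit link to other routers, em1 = link to end hosts) are assumed.
router id 192.0.2.1;

protocol kernel {
    export all;       # install OSPF-learned routes into the FreeBSD kernel
}

protocol device {
}

protocol ospf {
    area 0 {
        # Transit (router-to-router) network: the only link on which
        # adjacencies are formed. 'ttl security yes' sends OSPF packets with
        # hop limit 255 and drops any received OSPF packet whose hop limit
        # is not 255 (GTSM, RFC 5082). A packet injected from more than one
        # hop away can never arrive with hop limit 255, so it is discarded
        # before any OSPF processing. Every router on this link must enable
        # it too, otherwise its hellos are dropped and no adjacency forms.
        interface "em0" {
            type broadcast;
            ttl security yes;
            hello 10;
            dead 40;
        };

        # Endpoint (router-to-hosts) network: 'stub yes' advertises the
        # link's prefix into the area but sends no hellos and accepts no
        # neighbors on it, so a host on em1 cannot become an OSPF neighbor
        # or inject LSAs, regardless of what it transmits.
        interface "em1" {
            stub yes;
        };
    };
}
```

After reloading, `birdc6 show ospf neighbors` should list only the routers on `em0`; a router on the transit link that has not enabled `ttl security` will not appear, which is the expected failure mode rather than a misconfiguration on this side.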