Hi.
On 06.09.2013 22:47, Thomas Johnson wrote:
> I'm looking around, and not seeing anything online regarding how to
> protect BIRD OSPFv3 with IPSec (at least on FreeBSD). I am able to
> configure IPSec transport mode to protect unicast traffic between
> routers; but multicast traffic is still transmitted without AH.
>
> A number of sources seem to be setting up a GRE/IPSec tunnel between
> routers, and running OSPF on that interface, facilitating multicast
> traffic. That seems counter to performance though, wouldn't data
> traffic then [needlessly] use the tunnel? Another thought I had was to
> configure all OSPF interfaces as NBMA, making OSPF traffic easier to
> protect.

If you are running ospf inside your own network then there is probably
no need to encrypt it with ipsec. If you are running ospf in a WAN
environment, you probably run it inside gre/gif tunnels (which you use
for some sort of VPNs), then their traffic should be encrypted too.
I definitely cannot imagine an environment with IPSEC encrypting ospf,
but without any sort of VPN and any other VPNed traffic. Cisco/Juniper
equipment also can run an ipsec tunnel in the form of an interface capable
of running dynamic routing protocols (for the same purpose as the gre/gif in
FreeBSD). Linux is capable of this too, as I heard. FreeBSD cannot do
this; so far no one seems to be interested in implementing this.
Eugene.
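
An added example, not part of either message: a check for the condition described in the question, where unicast OSPFv3 carries AH but packets to the multicast groups do not. It assumes raw IPv6 packets with the link-layer header already stripped; the function names and the two sample packets are constructed for illustration.

```python
import ipaddress
import struct

OSPF, AH, ESP = 89, 51, 50          # IP protocol numbers
SKIPPABLE = {0, 43, 60}             # hop-by-hop, routing, destination options
OSPF_MCAST = {ipaddress.IPv6Address("ff02::5"),   # AllSPFRouters
              ipaddress.IPv6Address("ff02::6")}   # AllDRouters

def classify(pkt: bytes) -> str:
    """Return 'ah', 'esp', 'clear' or 'not-ospf' for one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = pkt[6], 40, "clear"
    while nxt != OSPF:
        if nxt == ESP:
            return "esp"            # payload is opaque, inner protocol unknown
        if nxt != AH and nxt not in SKIPPABLE:
            return "not-ospf"
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == AH:
            seen = "ah"
            hdr_len = (pkt[off + 1] + 2) * 4   # AH length: 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # others: 8-octet units minus 1
        nxt, off = pkt[off], off + hdr_len
    return seen

def unprotected_ospf_multicast(packets):
    """Destinations of OSPFv3 multicast packets sent with no AH header."""
    hits = []
    for pkt in packets:
        dst = ipaddress.IPv6Address(pkt[24:40])
        if dst in OSPF_MCAST and classify(pkt) == "clear":
            hits.append(str(dst))
    return hits

def ipv6(src, dst, nxt, payload):
    """Build a minimal IPv6 packet (hop limit 1) for the constructed samples."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 1)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

# Constructed samples: a 16-byte OSPFv3 Hello header stub, and a 24-byte AH
# header (SPI 0x100, sequence 1, zeroed 96-bit ICV) in front of it.
HELLO = bytes([3, 1]) + struct.pack("!H", 16) + bytes(12)
AH_HDR = bytes([OSPF, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + bytes(12)
SAMPLES = [ipv6("fe80::1", "fe80::2", AH, AH_HDR + HELLO),   # unicast with AH
           ipv6("fe80::1", "ff02::5", OSPF, HELLO)]          # multicast, no AH
```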