Hi,

Any help on this query is greatly appreciated.

Thanks,
- Balaji

On Thu, Jul 6, 2017 at 12:21 PM, Balaji Foss <balajig.f...@gmail.com> wrote:
> Hi All,
>
> I'm trying to implement IPsec for OSPFv3 as per RFC4552 on Linux kernel
> version 3.16.39.
> The requirement is to support IPsec encryption/authentication for OSPFv3 traffic.
> As of now, this can be achieved by the following set of SA and SP rules.
>
> ip xfrm state add src :: dst ff02::5 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src :: dst ff02::6 proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src <sip> dst <dst_ip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
> ip xfrm state add src <dst_ip> dst <sip> proto ah spi 0x401 mode transport auth "hmac(sha1)" 0x12345678123456781234567812345678
>
> ip xfrm policy add dir out src <sip> dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use
> ip xfrm policy add dir in src 0::0/0 dst 0::0/0 dev e101-049-0 proto ospf priority 2147483648 tmpl proto ah spi 0x401 mode transport level use
>
> One can notice that it needs four SA rules to achieve IPsec for a single
> OSPF interface.
> Instead of these four rules, can we have a single rule with DIP as a
> wildcard mask and the xfrm state search based on SPI, family and
> proto alone?
>
> As of now, the API "__xfrm_state_lookup" searches based on
> SPI, family, proto and dest_addr. Is there any way I can achieve the SA
> lookup without dest_addr and only with SPI, family and proto alone?
>
> Any help or pointers are greatly appreciated.
>
> Regards
> Bala