On Mon, Aug 19, 2019 at 11:05:50AM +0000, Kenth Eriksson wrote:
> On Thu, 2019-08-08 at 15:04 +0200, Ondrej Zajicek wrote:
> > On Mon, Jun 17, 2019 at 10:59:00AM +0000, Kenth Eriksson wrote:
> > > Hi!
> >
> > Hi
> >
> > Sorry for the late reply, I finally got to answer some mails I missed in the
> > past due to my mail delivery issue:
> >
> > https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbird.network.cz%2Fpipermail%2Fbird-users%2F2019-July%2F013549.html&data=02%7C01%7CKenth.Eriksson%40infinera.com%7C39c6db479d124f523b6f08d71c00eb1e%7C285643de5f5b4b03a1530ae2dc8aaf77%7C1%7C1%7C637008662586956181&sdata=sA9GpeuaHvTXkjIVJZf1qXDzZhSFkJeq%2Ff2NYBLyW0c%3D&reserved=0
> >
> > > What is the plan for IPsec with regards to OSPFv3? Is it part of
> > > roadmap?
> >
> > We do not have any plans for IPsec for OSPFv3. AFAIK, IPsec is not well
> > suited for multicast and RFC 7166 is a better solution for OSPFv3.
> >
>
> It's great that bird supports RFC 7166, but unfortunately interop will
> be limited. AFAIK, Juniper does not support RFC 7166. Cisco seems to
> have partial support for RFC 7166.
>
> > OTOH, it is something that seems to be easy to implement, as it is just
> > a few syscalls to configure manual SA entries. So patches are welcome.
> >
>
> A few syscalls, can you elaborate? I thought you need iproute2 to set up
> 'ip xfrm' policies? Or you mean it can be done thru netlink layer
> directly?

Yes, setting SA/SP entries directly through netlink. There is already code
in sysdep/bsd/setkey.h that adds SA entries for the TCP MD5 signature mechanism
on BSD. I guess adding SA entries for IPsec is not that much different. Of
course, on Linux it would use Netlink instead of a PF_KEY socket.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: [email protected])
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
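
Added example, not part of the original message and not BIRD code: the netlink approach mentioned in the reply above, as a C function that builds (but does not send) an XFRM_MSG_NEWSA request for a manual transport-mode SA. The helper name build_newsa, the choice of AH, and every caller-supplied value (address, SPI, algorithm name, key) are assumptions for illustration.

```c
/* Added example (not BIRD code): build, but do not send, an XFRM_MSG_NEWSA
 * netlink request for a manual IPv6 transport-mode AH SA. build_newsa is a
 * hypothetical helper; AH and all caller-supplied values are assumptions. */
#include <netinet/in.h>      /* included before linux headers: IPPROTO_AH, htonl */
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/xfrm.h>
#include <stdint.h>
#include <string.h>

/* Returns the message length, or -1 if buf is too small or alg/key too long.
 * buf must be suitably aligned for struct nlmsghdr. */
int build_newsa(void *buf, size_t buflen, const uint8_t daddr6[16],
                uint32_t spi, const char *alg, const uint8_t *key, size_t keylen)
{
    if (keylen > 1024 || strlen(alg) >= sizeof(((struct xfrm_algo *)0)->alg_name))
        return -1;
    size_t alg_len = sizeof(struct xfrm_algo) + keylen;
    size_t total = NLMSG_SPACE(sizeof(struct xfrm_usersa_info)) + RTA_SPACE(alg_len);
    if (total > buflen)
        return -1;
    memset(buf, 0, total);

    struct nlmsghdr *nh = buf;
    nh->nlmsg_type = XFRM_MSG_NEWSA;
    nh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE | NLM_F_EXCL;
    nh->nlmsg_len = (uint32_t)total;

    struct xfrm_usersa_info *sa = NLMSG_DATA(nh);
    sa->family = AF_INET6;
    sa->mode = XFRM_MODE_TRANSPORT;
    sa->id.proto = IPPROTO_AH;
    sa->id.spi = htonl(spi);                 /* SPI is carried in network order */
    memcpy(&sa->id.daddr, daddr6, 16);
    /* Manual SA: no byte or packet lifetime limits. */
    sa->lft.soft_byte_limit = sa->lft.hard_byte_limit = XFRM_INF;
    sa->lft.soft_packet_limit = sa->lft.hard_packet_limit = XFRM_INF;

    /* The authentication algorithm and key travel as an rtattr after the SA. */
    struct rtattr *rta = (struct rtattr *)((char *)nh + NLMSG_SPACE(sizeof(*sa)));
    rta->rta_type = XFRMA_ALG_AUTH;
    rta->rta_len = (unsigned short)RTA_LENGTH(alg_len);
    struct xfrm_algo *xa = RTA_DATA(rta);
    strcpy(xa->alg_name, alg);               /* length checked above */
    xa->alg_key_len = (unsigned int)(keylen * 8);   /* kernel expects bits */
    memcpy(xa->alg_key, key, keylen);
    return (int)total;
}
```

To install the SA, the resulting buffer would be sent on a socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM) by a process holding CAP_NET_ADMIN, and the NLM_F_ACK reply checked for an error code.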
