On Thu, 2019-08-08 at 15:04 +0200, Ondrej Zajicek wrote:
> On Mon, Jun 17, 2019 at 10:59:00AM +0000, Kenth Eriksson wrote:
> > Hi!
> Hi
> Sorry for late reply, I finally got to answer some mails I missed in the
> past due to my mail delivery issue:
> https://bird.network.cz/pipermail/bird-users/2019-July/013549.html
> > What is the plan for IPsec with regards to OSPFv3? Is it part of
> > roadmap?
> We do not have any plans for IPsec for OSPFv3. AFAIK, IPsec is not well
> suited for multicast and RFC 7166 is a better solution for OSPFv3.

It's great that bird supports RFC 7166, but unfortunately interop will
be limited. AFAIK, Juniper does not support RFC 7166. Cisco seems to
have partial support for RFC 7166.

> OTOH, it is something that seems to be easy to implement, as it is just
> a few syscalls to configure manual SA entries. So patches are welcome.

A few syscalls, can you elaborate? I thought you need iproute2 to set up
'ip xfrm' policies? Or do you mean it can be done through the netlink layer?

> > If not a roadmap item, what is the recommended way to get IPsec support
> > for OSPFv3 with bird? libreswan?
> There was the setkey command from ipsec-tools, which would likely allow
> configuring manual SA entries necessary for OSPFv3, but it seems to be
> abandoned.

> I do not think that libreswan or other dynamic keying daemons are
> applicable for OSPFv3 due to its multicast nature.
> --
> Elen sila lumenn' omentielvo
> Ondrej 'Santiago' Zajicek (email: santi...@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."
