
(usagi-users 03933) IPsec policies and multicast routing



Dear all,

I emailed this list some time ago concerning the encryption of multicast
traffic. Unfortunately for a number of reasons I was unable to engage in
an extended discussion at that time.

After more research and experiments I'll try it once again. Thanks for
your comments!

To cut a long story short: We need a router that is able to encrypt and
route multicast IPv6 traffic.

In general, encryption is handled by IPsec once a packet reaches the
network stack (assuming the relevant policies are defined). Although the
standard does not define multicast encryption, this works for locally
generated IPv6 traffic to a multicast address. Encryption at a single
source and decryption at any number of listeners is possible using
pre-shared passwords.

IPv6 multicast routing is accomplished through your USAGI patch to the
kernel. However, as far as I have experienced it, packets are not routed
through the "IPsec parts" of the kernel but bypass them. Thus encryption
cannot be applied.

A similar daemon in user space exists (mrd6 [1]) using a raw socket to
capture traffic, route it according to its own routing table, and send
it (again over a raw socket). This way IPsec policies are rendered
useless as well.

My question is: Is it possible/feasible to alter the USAGI patch such
that IPsec rules are still applied?

Are you already planning to do this?

If not, could you please give me hints on where to start such an
"endeavor"?

Thanks in advance,

Marcus

[1] http://fivebits.net/proj/mrd6
-----------------------------------------
IABG mbH
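As an added illustration (not part of Marcus's message and not USAGI or mrd6 code), here is the kind of setkey(8) configuration the "locally generated IPv6 traffic to a multicast address" paragraph above describes: a single source encrypts its own packets to an IPv6 multicast group with a manually keyed ESP SA in transport mode, and every listener installs the identical SA with an inbound policy. The source address 2001:db8::1, the group ff0e::1234, the SPI 0x1000 and the key material are placeholders assumed for the example; generate real keys locally.

```conf
#!/usr/sbin/setkey -f
# Added example, not from the original post. Manually keyed ESP for an IPv6
# multicast group. All values below are assumed placeholders:
#   source  2001:db8::1
#   group   ff0e::1234   (global-scope multicast address)
#   SPI     0x1000
# Generate real keys locally, e.g. "openssl rand -hex 16" for aes-cbc
# (128-bit) and "openssl rand -hex 32" for hmac-sha256 (256-bit).
flush;
spdflush;

# One SA keyed from the source to the group address. Because the group,
# not a unicast peer, is the destination, the very same "add" line (same
# SPI, same keys) has to be installed on the source AND on every listener;
# there is no IKE negotiation for this, which is what "pre-shared" means
# in the message above.
add 2001:db8::1 ff0e::1234 esp 0x1000 -m transport
    -E aes-cbc     0x00112233445566778899aabbccddeeff
    -A hmac-sha256 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;

# Source side: every locally generated packet to the group must be ESP'd.
spdadd 2001:db8::1 ff0e::1234 any -P out ipsec
    esp/transport//require;

# Listener side: only accept traffic for the group from the source if it
# arrived protected by ESP (cleartext packets are dropped).
spdadd 2001:db8::1 ff0e::1234 any -P in ipsec
    esp/transport//require;
```

Two caveats a practitioner should keep in mind with this setup. First, the "out" policy matches only packets that originate on the source host and pass through its IPsec output path; a packet that merely transits the host as a forwarded multicast packet is not covered, which is the limitation the message is asking about. Second, the group key is a single symmetric secret known to all listeners, so any listener can forge packets that look like they came from the source and the ESP integrity check cannot distinguish members from one another; manual keying also means no rekeying and no anti-replay state shared across the group, so this only provides confidentiality against non-members, not source authentication.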