[Olsr-users] High-level questions about encryption on OLSR ad-hoc mesh

Henning Rogge (spam-protected)
Fri Mar 25 16:51:28 CET 2011


On Friday 25 March 2011 16:47:35 Juliusz Chroboczek wrote:
> > In theory IPsec could be used for this without this drawback. In practice
> > it's more difficult to set up.
> 
> The OSPF experience might be relevant here.
> 
> OSPFv2 included authentication (RFC 2328 Appendix D, and a more general
> scheme in RFC 5709).  OSPFv3 got rid of authentication, since at the
> time it was designed, IPSec was going to solve all the problems in the
> world.
> 
> It turns out that OSPFv3 cannot be easily secured with IPSec -- manual
> keying doesn't provide replay protection, while IKE doesn't work for
> multicast (see RFC 4552 and RFC 6039).  In
> draft-ietf-ospf-auth-trailer-ospfv3, the authors propose to add an
> authentication trailer that basically reproduces what RFC 5709 does for
> OSPFv2.
> 
> So it looks like even the IETF community are moving away from IPSec, at
> least for securing IGPs.
I was talking about securing the unicast traffic. Securing the flooding of a 
linkstate protocol cannot be done with IPsec in my opinion.

And IPsec itself is really a mess.

Henning Rogge
-- 
1) You can't win.
2) You can't break even.
3) You can't leave the game.
— The Laws of Thermodynamics, summarized
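
Added example, not part of either message and not the wire format of RFC 5709 or the OSPFv3 draft: a statically keyed MAC alone accepts a captured flooding packet a second time, while a trailer that also carries an authenticated, increasing sequence number rejects it. The trailer layout, key, sender name and payloads are constructed assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-mesh-key"  # constructed sample key, configured by hand
TRAILER = struct.Struct("!Q32s")       # hypothetical layout: 64-bit seq + HMAC-SHA256


def _mac(key: bytes, sender: str, seq: int, payload: bytes) -> bytes:
    # The MAC covers the sender id and sequence number as well as the payload.
    msg = sender.encode() + b"\x00" + struct.pack("!Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, sender: str, seq: int, payload: bytes) -> bytes:
    """Append the authentication trailer to a flooded control packet."""
    return payload + TRAILER.pack(seq, _mac(key, sender, seq, payload))


class Receiver:
    """Verifies the trailer; optionally enforces increasing sequence numbers."""

    def __init__(self, key: bytes, check_seq: bool = True):
        self.key = key
        self.check_seq = check_seq
        self.last_seq = {}  # sender id -> highest sequence number accepted

    def accept(self, sender: str, packet: bytes) -> bool:
        if len(packet) < TRAILER.size:
            return False
        payload, trailer = packet[:-TRAILER.size], packet[-TRAILER.size:]
        seq, mac = TRAILER.unpack(trailer)
        if not hmac.compare_digest(mac, _mac(self.key, sender, seq, payload)):
            return False  # forged or modified in transit
        if self.check_seq and seq <= self.last_seq.get(sender, -1):
            return False  # valid MAC, but an old packet sent again
        self.last_seq[sender] = seq
        return True


if __name__ == "__main__":
    pkt = seal(KEY, "node-a", 1, b"constructed update: link A-B up")
    for label, rx in (("MAC only", Receiver(KEY, check_seq=False)),
                      ("MAC + sequence", Receiver(KEY))):
        print(label, "first:", rx.accept("node-a", pkt),
              "replayed:", rx.accept("node-a", pkt))
```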