[Xorp-users] PIM-SM routing over an IPSEC PF_KEY tunnel with no interface

Scott Mcdermott smcdermott@questra.com
Sun, 13 Mar 2005 15:23:45 -0800


I am trying to set up Xorp to route PIM-SM over IPv4 with
the neighbor I need to communicate with sitting across an
IPSEC tunnel, implemented with PF_KEY in Linux 2.6.  This
tunnel has no route or interface exported by the operating
system; instead the SPD is consulted directly and routing
occurs only after the packet has been encapsulated (or
decapsulated in the case of ingress packets).

What this means is that I have no OS interface associated
with the tunnel.

Does Xorp require such an interface in order to function
with PIM-SM? PIM messages will appear to arrive at the
system magically, without being associated with an
interface.

I'm thinking Xorp cannot work this way, and I will need to
set up a GRE tunnel or some such, over the IPSEC tunnel, so
I have a named interface I can tell Xorp about, on which to
run PIM.

Is this a correct assumption?  If possible I would like to
avoid another encapsulation with GRE or IPIP inside the ESP,
since the purpose of my multicast datagrams is to support
multimedia applications which use them, and each additional
layer of tunneling has performance implications and
introduces difficulties implementing a proper queueing
discipline.

Any info is greatly appreciated.  Thanks.