[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bridging non-IP traffic over IPSec
John Shriver wrote:
>
> Well, GRE is an Informational RFC, so GRE is not likely to be part of
> an IETF Proposed Standard solution. But, if you do it, you sure will
> be interoperable with Cisco...
>
> Certainly, it will work, and you can express GRE in the SPD. But, the
> SPD (and IKE negotiation) can't really negotiate what goes over the
> GRE. Is IP allowed over it? IPX? Transparent bridging?
>
This is a timely topic, I guess. I would say that what goes over GRE is
a local policy issue, and probably not an ipsec issue per se. That is,
it would be up to your GRE subsystem to determine what it is willing to
encapsulate, and then up to you ipsec subsystem to determine if policy
permits GRE to pass. On the other hand, I guess looking into a GRE
packet to see what protocol is being encapsulated is not really that
much different than looking into a tcp/udp packet to see what ports are
involved, so maybe it's not such a far-fetched idea, at that.
> One thing that is standards track, and people have been implementing,
> is L2TP. Put PPP over that, and then you have a place to run non-IP
> traffic.
>
> Again, the SPD can't really control what goes over. But, you can
> express the L2TP UDP port in the SPD.
>
> As above, you will be interoperable with Cisco.
>
I guess the main problem I have with using l2tp in this case has to do
with efficiency. Unless l2tp has radically changed in the last 2 years,
I think it really is overkill for this particular use. Perhaps it's time
to dust off the GRE RFC and rev it...
Follow-Ups:
References: