[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bridging non-IP traffic over IPSec

To: "Scott G. Kelly" <skelly@redcreek.com>
Subject: Re: Bridging non-IP traffic over IPSec
From: Eric Bomarsi <ebomarsi@xedia.com>
Date: Fri, 19 Feb 1999 08:33:08 -0500
Cc: John Shriver <jas@shiva.com>, ipsec@tis.com
Organization: xedia.com
References: <199902182244.RAA24979@brill.shiva.com> <36CCBCED.A7B5FA62@redcreek.com>
Sender: owner-ipsec@ex.tis.com


For site-to-site LAN bridging over IPSec, the GRE solution
seems unnecessarily complex:

1) The redundant headers:
    IP/ESP/IP/GRE/<eth-frame>
2) The additional administrator config to set up the GRE tunnel.
3) The 2nd redundant pass through the IP forwarder.

Instead, why not simply use the "Ethernet-Transparent-Bridging"
protocol identifier used in the GRE header in the ESP protocol
field and eliminate the GRE tunnel:
    IP/ESP/<eth-frame>

This is far simpler for me to stack in my gateway, more efficient,
and eliminates administrator config. Am I missing something?

/Eric Bomarsi

"Scott G. Kelly" wrote:

> John Shriver wrote:
> >
> > Well, GRE is an Informational RFC, so GRE is not likely to be part of
> > an IETF Proposed Standard solution.  But, if you do it, you sure will
> > be interoperable with Cisco...
> >
> > Certainly, it will work, and you can express GRE in the SPD.  But, the
> > SPD (and IKE negotiation) can't really negotiate what goes over the
> > GRE.  Is IP allowed over it?  IPX?  Transparent bridging?
> >
>
> This is a timely topic, I guess. I would say that what goes over GRE is
> a local policy issue, and probably not an ipsec issue per se. That is,
> it would be up to your GRE subsystem to determine what it is willing to
> encapsulate, and then up to you ipsec subsystem to determine if policy
> permits GRE to pass. On the other hand, I guess looking into a GRE
> packet to see what protocol is being encapsulated is not really that
> much different than looking into a tcp/udp packet to see what ports are
> involved, so maybe it's not such a far-fetched idea, at that.
>
> > One thing that is standards track, and people have been implementing,
> > is L2TP.  Put PPP over that, and then you have a place to run non-IP
> > traffic.
> >
> > Again, the SPD can't really control what goes over.  But, you can
> > express the L2TP UDP port in the SPD.
> >
> > As above, you will be interoperable with Cisco.
> >
>
> I guess the main problem I have with using l2tp in this case has to do
> with efficiency. Unless l2tp has radically changed in the last 2 years,
> I think it really is overkill for this particular use. Perhaps it's time
> to dust off the GRE RFC and rev it...

Follow-Ups:

Re: Bridging non-IP traffic over IPSec

From: John Shriver <jas@shiva.com>

Re: Bridging non-IP traffic over IPSec

From: Stephen Kent <kent@bbn.com>

References:

Re: Bridging non-IP traffic over IPSec

From: John Shriver <jas@shiva.com>

Re: Bridging non-IP traffic over IPSec

From: "Scott G. Kelly" <skelly@redcreek.com>

Prev by Date: Strawman Text for Section 3.5 of "IPSec/PKI Req'ts" draft
Next by Date: Re: Bridging non-IP traffic over IPSec
Prev by thread: Re: Bridging non-IP traffic over IPSec
Next by thread: Re: Bridging non-IP traffic over IPSec
Index(es):
- Main
- Thread