[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bridging non-IP traffic over IPSec

To: John Shriver <jas@shiva.com>
Subject: Re: Bridging non-IP traffic over IPSec
From: "Scott G. Kelly" <skelly@redcreek.com>
Date: Fri, 19 Feb 1999 15:57:30 -0800
CC: ebomarsi@xedia.com, ipsec@tis.com
Organization: RedCreek Communications
References: <199902191815.NAA25494@brill.shiva.com>
Sender: owner-ipsec@ex.tis.com

John Shriver wrote:
> 
> Well, there is NO need for an inner IP header when you use GRE.  You
> can do either:
> 
> 1. Use ESP in transport mode, with next header value of GRE.
> 2. Use ESP in tunnel mode, with next header value of GRE.  (Maybe this
> is illegal, and tunnel mode requires the next header to be IP?  I
> don't remember.)

I think (2) is technically illegal, although an argument exists for
special treatment. Presumably, you want to do ESP/GRE at a gateway, and
not on a host. If you *are* doing it on a host for some reason, then you
can just use transport mode, as in (1). However, RFC2401 requires that
security gateways communicate using tunnel mode unless the sgw is
terminating the connection. Now, it could be argued that the sgw *is*
terminating the GRE connection, in which case transport mode between the
GRE endpoints would be acceptable. Not bad, I guess. 

> 
> The advantage of GRE in this case is that it is an IP-level protocol,
> not a UDP-level protocol.  You don't need an IP/UDP header to navigate
> there.

It's been quite a while since I looked at the L2TP draft, but I'm under
the strong impression that it's not a UDP protocol. There may be a UDP
control channel associated with it, but I think the protocol itself
operates at layer 2. I know we have at least a few l2tp experts lurking
here - perhaps they will enlighten us.

> But, let's remember, the "client" (by the time we cut any more
> standards) will be whatever Microsoft has already decided to ship in
> Windows 2000.  If that is PPTP, that WILL be how you talk IPX over
> IPsec to Windows.  (Whether that's where you want to go today or not.)
> The NDIS WAN universe is so hairy that once Microsoft ships IPsec (in
> Windows 2000), nobody will be willing to install a different IPsec in
> it.  (Who loads an alternate TCP/IP stack into Windows 95, 98, or NT
> these days?  Same will apply to IPsec in Windows 2000.)

I don't think this is necessarily true. Given that PPTP has been shown
to be very broken (by Schneier, et al), and given that ultimately,
putting a bunch of extra bits on already overtaxed network wires is
frowned upon by most realists, even m$ may have difficulty convincing
everyone that their way is the only way, especially if someone comes up
with a GRE shim that interoperates with the rest of the world.

Follow-Ups:

RE: Bridging non-IP traffic over IPSec

From: "Sumit A. Vakil" <svakil@internetdevices.com>

Re: Bridging non-IP traffic over IPSec

From: Eric Bomarsi <ebomarsi@xedia.com>

References:

Re: Bridging non-IP traffic over IPSec

From: John Shriver <jas@shiva.com>

Prev by Date: RE: Last Call: Mobility Support in IPv6 to Proposed Standard
Next by Date: (IPng 7211) RE: Last Call: Mobility Support in IPv6 to Proposed Standard
Prev by thread: Re: Bridging non-IP traffic over IPSec
Next by thread: RE: Bridging non-IP traffic over IPSec
Index(es):
- Main
- Thread