[17937] in North American Network Operators' Group
Re: GRE packets
daemon@ATHENA.MIT.EDU (Paul G. Donner)
Wed Jun 17 18:43:19 1998
Date: Wed, 17 Jun 1998 18:23:57 -0400
To: danny@genuity.net
From: "Paul G. Donner" <pdonner@cisco.com>
Cc: Eric Germann <ekgermann@cctec.com>, nanog@merit.edu
In-Reply-To: <199806172223.WAA26321@ice.genuity.net>
At 03:23 PM 6/17/98 -0700, Danny McPherson wrote:
>
>Perhaps to combat this, unless I'm missing something, one could justifiably
>deploy GRE filters with source & destination addresses of the exchange
>subnets. Filtering GRE in general seems nothing more than foolish.
Or the tunnel termination addresses, which while might be tighter, would
probably make the ACLs longer or more complex.
>
>-danny
>[snip]
>(we certainly allow GRE packets and expect everyone else does, too)
>
>> This could kill IP-GRE VPNs indiscriminately.
>
>
>