[17937] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: GRE packets

daemon@ATHENA.MIT.EDU (Paul G. Donner)
Wed Jun 17 18:43:19 1998

Date: Wed, 17 Jun 1998 18:23:57 -0400
To: danny@genuity.net
From: "Paul G. Donner" <pdonner@cisco.com>
Cc: Eric Germann <ekgermann@cctec.com>, nanog@merit.edu
In-Reply-To: <199806172223.WAA26321@ice.genuity.net>

At 03:23 PM 6/17/98 -0700, Danny McPherson wrote:
>
>Perhaps to combat this, unless I'm missing something, one could justifiably 
>deploy GRE filters with source & destination addresses of the exchange 
>subnets.  Filtering GRE in general seems nothing more than foolish.

Or the tunnel termination addresses, which while might be tighter, would
probably make the ACLs longer or more complex.

>
>-danny
>[snip] 
>(we certainly allow GRE packets and expect everyone else does, too)
>
>> This could kill IP-GRE VPNs indiscriminately.
>
>
>

home help back first fref pref prev next nref lref last post