[17977] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: GRE packets

daemon@ATHENA.MIT.EDU (C. Harald Koch)
Fri Jun 19 01:29:44 1998

To: John Hawkinson <jhawk@bbnplanet.com>
Cc: nanog@merit.edu
In-reply-to: Your message of "Wed, 17 Jun 1998 15:54:58 -0400".
	 <199806171954.PAA14489@all-purpose-gunk.near.net> 
From: "C. Harald Koch" <chk@utcc.utoronto.ca>
Date: Wed, 17 Jun 1998 22:20:48 -0400

In message <199806171954.PAA14489@all-purpose-gunk.near.net>, John Hawkinson writes:
> > Anyone have a definitive list or info on network operators who definately
> > allow or definately disallow GRE packets across their networks.
> > 
> > Sorry for the semi-operational content :)
> 
> It's hard to imagine any serious network providers who would
> block arbitrary kinds of traffic.

Several others have posted replies on this topic, but they've missed the most
common situation. I've seen (major) network providers with the following
access rules in their routers:

	allow tcp
	allow udp
	allow icmp
	deny *

While not explicitly blocking GRE, they're implicitly dropping everything
(including IPsec traffic, which is how I found this; my corporate VPNs weren't
working :-).

Of course, trying to get this resolved took *weeks*, because I couldn't talk
to anybody who understood that there were protocols besides the ones listed
above... *sigh.

-- 
Harald Koch <chk@utcc.utoronto.ca>

home help back first fref pref prev next nref lref last post