From: Joe Deleonardo (jdeleonardo@cox.net)
Date: Wed Jul 16 2003 - 01:13:12 GMT-3
http://tricolour.net/freeswan/oclug2003-01-30/tvtm.html
http://rfc-2828.rfc-index.org/rfc-2828-184.htm
Google knows all... :)
----- Original Message -----
From: Vik Ahuja
To: Joe Deleonardo ; Szabo, Vilmos ; cciesecurity@yahoogroups.com ; ccielab@groupstudy.com ; security@groupstudy.com
Sent: Tuesday, July 15, 2003 8:57 PM
Subject: Re: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec
Interesting. Even after passing the CCIE lab exam, I am still trying to research the reason why transport mode is more efficient than tunnel mode. Why do you say this? I understand traffic analysis might be important, but Cisco seems to be big on transport mode also. I appreciate your input, or if you could point me in the right direction. Thanks
Vik Ahuja
CCIE # 11958
Joe Deleonardo <jdeleonardo@cox.net> wrote:
I agree. Adding a GRE tunnel adds additional overhead. You can send unicast routing updates. But that solution looks at Voice and Video. I'm not up on design issues for voice and video, so I can't comment on that aspect.

This example is still GRE over IPSec, not IPSec over GRE. The only difference in this example is that the IPSec tunnel is in transport mode.

Transport mode is more efficient than tunnel mode. Transport mode is a mode usually established between two hosts, but it can be established between two security gateways. With transport mode, however, the IP header is not encrypted. You can't determine the contents of the packets, but a traffic analysis can be performed. So I guess the question would be a case by case question. How important is it that traffic analysis not be performed?

The original question is still there. Is there any reason to run IPSec over GRE? Or is there no such thing? It seems so far that the two phrases have just been used interchangeably? Even by Cisco. I re-read their SAFE paper today and they use IPSec over GRE and then at the bottom have examples for GRE over IPSec.
----- Original Message -----
From: "Szabo, Vilmos" <VS183600@exchange.UnitedKingdom.NCR.COM>
To: "'Joe Deleonardo'" <jdeleonardo@cox.net>; <cciesecurity@yahoogroups.com>; <ccielab@groupstudy.com>; <security@groupstudy.com>
Sent: Tuesday, July 15, 2003 3:34 PM
Subject: RE: IPSec over GRE -vs- GRE over IPSec
> Joe,
>
> One scenario for IPSec over GRE is 'IPSec Virtual Private Network Resilience Solutions' see the link:
>
> http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns241/netbr09186a0080185726.html
>
> ... but I would argue with the author on this solution because it requires two GRE tunnels + two IPSec tunnels between Remote and Central side.
>
> In my opinion it is more simple and flexible to configure single IPSec tunnel so that its SRC and DST are terminated on Loopback interfaces on Remote and Central site routers and a Dynamic Routing protocol gives the resiliency for IPSec tunnel.
>
> Let me know your opinion!
>
> Regards,
>
> Vilmos
>
> -----Original Message-----
> From: Joe Deleonardo [mailto:jdeleonardo@cox.net]
> Sent: 15 July 2003 19:38
> To: cciesecurity@yahoogroups.com; ccielab@groupstudy.com; security@groupstudy.com
> Subject: Re: IPSec over GRE -vs- GRE over IPSec
>
>
> About the only reason I can think of is if you had a requirement to use AH and you weren't allowed to do NAT before IPSec and NAT Transparency is not an option.
> ----- Original Message -----
> From: Joe Deleonardo
> To: cciesecurity@yahoogroups.com ; ccielab@groupstudy.com ; security@groupstudy.com
> Sent: Tuesday, July 15, 2003 10:08 AM
> Subject: IPSec over GRE -vs- GRE over IPSec
>
>
> IPSec over GRE -vs- GRE over IPSec.
>
> Alright, is this just a play on words or what? GRE over IPSec makes sense, it's used to transport non-unicast traffic.
>
> But why would you want to do IPSec over GRE? Does anyone have a link to a config example? ... if it's something?
>
> Thanks,
>
> Joe
>
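The efficiency point discussed in the thread (transport mode versus tunnel mode underneath a GRE tunnel) can be put in bytes. The following is an added example, not part of any message in the thread. It assumes IPv4 without options, a basic 4-byte GRE header, ESP with a CBC cipher and a 96-bit HMAC, and no NAT traversal; the function names and sample packet sizes are constructed for illustration.

```python
# Added example: per-packet size of GRE over IPsec (ESP), transport vs tunnel mode.
# All sizes below are assumptions stated in the lead-in, not values from the thread.
IP_HDR = 20       # IPv4 header, no options
GRE_HDR = 4       # GRE header without key, sequence or checksum fields
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
ICV = 12          # HMAC-SHA1-96 or HMAC-MD5-96 authenticator
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}   # name: (block size, IV size)


def gre_over_ipsec(inner_len, mode, cipher="3des-cbc"):
    """Return a size breakdown for one inner IP packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    if mode == "transport":
        # GRE delivery IP header stays in the clear; ESP protects GRE + inner packet.
        protected = GRE_HDR + inner_len
    elif mode == "tunnel":
        # The whole GRE packet, delivery header included, is encrypted
        # and a new outer IP header is added in front of ESP.
        protected = IP_HDR + GRE_HDR + inner_len
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    # CBC needs payload + padding + trailer to fill whole cipher blocks.
    pad = -(protected + ESP_TRAILER) % block
    total = IP_HDR + ESP_HDR + iv + protected + pad + ESP_TRAILER + ICV
    return {"mode": mode, "protected": protected, "pad": pad,
            "total": total, "overhead": total - inner_len}


def compare(inner_len, cipher="3des-cbc"):
    """Return (transport, tunnel, extra bytes tunnel mode puts on the wire)."""
    transport = gre_over_ipsec(inner_len, "transport", cipher)
    tunnel = gre_over_ipsec(inner_len, "tunnel", cipher)
    return transport, tunnel, tunnel["total"] - transport["total"]


if __name__ == "__main__":
    # Constructed sample sizes: a 60-byte voice packet and a 1400-byte data packet.
    for size in (60, 1400):
        t, u, extra = compare(size)
        print(f"inner={size:5d}  transport={t['total']}  tunnel={u['total']}  "
              f"tunnel costs {extra} more bytes")
```

The extra cost of tunnel mode is the second IP header, 20 bytes before cipher padding rounds it up or down, which weighs most on small packets such as voice.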
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:41 GMT-3