RE: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

From: Andrew G. Mason (andrew@masontech.com)
Date: Wed Jul 16 2003 - 06:58:51 GMT-3


Hi,
 
Basically,
 
Transport mode encrypts the data payload of the packet whereas tunnel
mode encrypts the entire packet and creates a new header.
 
As for IPSec over GRE, this is used quite a lot in industry. It is quite
common to create a GRE tunnel and then use IPSec in transport mode to
protect the data flowing across the tunnel. This supports multicast and
also other protocols across the GRE tunnel and IMHO makes troubleshooting
a lot easier as you have an interface that you can interrogate.
 
An excellent Cisco document on the pros and cons of IPSec over GRE can be
found here - http://www.cisco.com/application/pdf/en/us/guest/netsol/ns142/c649/ccmigration_9186a00800d67f9.pdf
 
Cheers!
 
 
 
Andrew..
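As an added illustration (not part of this thread and not Cisco's code), the following Python compares the encapsulation Andrew describes, a GRE tunnel protected by ESP in transport mode, against the same tunnel with ESP in tunnel mode, and shows which layers stay readable on the wire. The header sizes are assumptions: IPv4 without options, basic GRE per RFC 2784, ESP with a 64-bit-block cipher IV (e.g. 3DES) and a 96-bit HMAC ICV.

```python
# Added example, not from the thread: byte counts for GRE over IPSec (ESP) in
# transport vs tunnel mode. Sizes assumed: IPv4 without options, basic GRE
# (RFC 2784), ESP with a 64-bit block cipher IV (e.g. 3DES) and a 96-bit HMAC ICV.

IP_HDR = 20       # IPv4 header, no options
GRE_HDR = 4       # GRE header without key/sequence/checksum
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 8        # cipher IV (assumed 64-bit block cipher)
ESP_TRAILER = 2   # pad length + next header
ESP_ICV = 12      # HMAC-SHA1-96 / HMAC-MD5-96 authenticator
CIPHER_BLOCK = 8  # block size ESP pads to

def esp_padding(cleartext_len):
    """ESP pad bytes so that (data + trailer) is a multiple of the block size."""
    return (-(cleartext_len + ESP_TRAILER)) % CIPHER_BLOCK

def plain_gre(payload_len):
    """Layer stack of a GRE tunnel packet with no IPSec."""
    return [("IP (tunnel endpoints)", IP_HDR), ("GRE", GRE_HDR),
            ("IP (inner)", IP_HDR), ("payload", payload_len)]

def gre_over_ipsec(payload_len, mode):
    """Layer stack of the same GRE packet protected by ESP in 'transport' or 'tunnel' mode."""
    gre_part = plain_gre(payload_len)[1:]          # GRE + inner IP + payload
    if mode == "transport":
        # ESP slots in behind the GRE endpoints' IP header, which stays in the
        # clear and doubles as the outer header: no extra IP header is added.
        protected = gre_part
    elif mode == "tunnel":
        # The whole GRE/IP packet is encrypted and a new outer IP header is
        # prepended; with co-located GRE and crypto endpoints it repeats the
        # same addresses and is pure overhead.
        protected = [("IP (GRE endpoints, encrypted)", IP_HDR)] + gre_part
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad = esp_padding(sum(n for _, n in protected))
    return ([("IP (outer, cleartext)", IP_HDR), ("ESP hdr+IV", ESP_HDR + ESP_IV)]
            + protected + [("ESP pad+trailer", pad + ESP_TRAILER), ("ESP ICV", ESP_ICV)])

def total_bytes(stack):
    return sum(size for _, size in stack)

def cleartext_layers(stack):
    """What a passive observer can read: every layer ahead of the ESP header."""
    names = [name for name, _ in stack]
    return names[:names.index("ESP hdr+IV")] if "ESP hdr+IV" in names else names

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        stack = gre_over_ipsec(100, mode)
        print(mode, total_bytes(stack), "bytes; visible:", cleartext_layers(stack))
```

For a 100-byte payload the tunnel-mode packet is 24 bytes larger (an extra IP header plus more ESP padding), while in both modes only the outer IP header, which carries the GRE endpoint addresses anyway, is visible for traffic analysis.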
 
-----Original Message-----
From: Joe Deleonardo [mailto:jdeleonardo@cox.net]
Sent: 16 July 2003 05:13
To: Vik Ahuja; Szabo, Vilmos; cciesecurity@yahoogroups.com;
ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

http://tricolour.net/freeswan/oclug2003-01-30/tvtm.html
 
http://rfc-2828.rfc-index.org/rfc-2828-184.htm
 
Google knows all... :)
----- Original Message -----
From: Vik Ahuja
To: Joe Deleonardo ; Szabo, Vilmos ; cciesecurity@yahoogroups.com ;
ccielab@groupstudy.com ; security@groupstudy.com
Sent: Tuesday, July 15, 2003 8:57 PM
Subject: Re: [cciesecurity] Re: IPSec over GRE -vs- GRE over IPSec

Interesting. Even after passing the CCIE lab exam, I am still trying to
research the reason why transport mode is more efficient than tunnel mode.
Why do you say this? I understand traffic analysis might be important, but
Cisco seems to be big on transport mode also. I appreciate your input, or
if you could point me in the right direction. Thanks
Vik Ahuja
CCIE # 11958
Joe Deleonardo <jdeleonardo@cox.net> wrote:
      I agree. Adding a GRE tunnel adds additional overhead. You can send
      unicast routing updates. But that solution looks at Voice and Video.
      I'm not up on design issues for voice and video, so I can't comment
      on that aspect.

      This example is still GRE over IPSec, not IPSec over GRE. The only
      difference in this example is that the IPSec tunnel is in transport
      mode.

      Transport mode is more efficient than tunnel mode. Transport mode is
      a mode usually established between two hosts, but it can be
      established between two security gateways. With transport mode,
      however, the IP header is not encrypted. You can't determine the
      contents of the packets, but a traffic analysis can be performed. So
      I guess the question would be a case-by-case question. How important
      is it that traffic analysis not be performed?

      The original question is still there. Is there any reason to run
      IPSec over GRE, or is there no such thing? It seems so far that the
      two phrases have just been used interchangeably, even by Cisco. I
      re-read their SAFE paper today and they use IPSec over GRE and then
      at the bottom have examples for GRE over IPSec.

      ----- Original Message -----
      From: "Szabo, Vilmos"
      <VS183600@exchange.UnitedKingdom.NCR.COM>
      To: "'Joe Deleonardo'" <jdeleonardo@cox.net>;
      <cciesecurity@yahoogroups.com>;
      <ccielab@groupstudy.com>;
      <security@groupstudy.com>
      Sent: Tuesday, July 15, 2003 3:34 PM
      Subject: RE: IPSec over GRE -vs- GRE over IPSec

> Joe,
>
> One scenario for IPSec over GRE is 'IPSec Virtual Private Network Resilience
> Solutions', see the link:
> http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns241/netbr09186a0080185726.html
>
> ... but I would argue with the author on this solution because it requires
> two GRE tunnels + two IPSec tunnels between Remote and Central side.
>
> In my opinion it is simpler and more flexible to configure a single IPSec
> tunnel so that its SRC and DST are terminated on Loopback interfaces on
> Remote and Central site routers and a Dynamic Routing protocol gives the
> resiliency for the IPSec tunnel.
>
> Let me know your opinion!
>
> Regards,
>
> Vilmos
>
> -----Original Message-----
> From: Joe Deleonardo [mailto:jdeleonardo@cox.net]
> Sent: 15 July 2003 19:38
> To: cciesecurity@yahoogroups.com; ccielab@groupstudy.com;
> security@groupstudy.com
> Subject: Re: IPSec over GRE -vs- GRE over IPSec
>
>
> About the only reason I can think of is if you had a requirement to use AH
> and you weren't allowed to do NAT before IPSec and NAT Transparency is not an
> option.
> ----- Original Message -----
> From: Joe Deleonardo
> To: cciesecurity@yahoogroups.com ; ccielab@groupstudy.com ;
> security@groupstudy.com
> Sent: Tuesday, July 15, 2003 10:08 AM
> Subject: IPSec over GRE -vs- GRE over IPSec
>
>
> IPSec over GRE -vs- GRE over IPSec.
>
> Alright, is this just a play on words or what? GRE over IPSec makes sense;
> it's used to transport non-unicast traffic.
>
> But why would you want to do IPSec over GRE? Does anyone have a link to a
> config example? ... if it's something?
>
> Thanks,
>
> Joe
>




This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:41 GMT-3