Saturday, June 27, 2020

SVTIs Supporting Routing Protocols

I would like to understand the reason why SVTIs can support routing protocols and multicast. In the old-school way that I'm used to, we used crypto maps for IPsec traffic. IPsec doesn't natively support multicast and broadcast traffic (it supported only unicast), which is why a tunnelling protocol (GRE) was invented to carry another IP payload that did support multicast (thus hiding the multicast routing-protocol hellos behind a GRE header, allowing you to tunnel multicast traffic over an IPsec tunnel via a third IP header). But digging into a packet capture of an SVTI, which I know does support multicast traffic, I find that no additional headers are added at all. So how is it, then, that IPsec only supports unicast traffic, but if you shove it down a virtual tunnel interface, multicast works (and thus routing protocols work)? What has changed to allow the use of multicast down this IPsec tunnel with an SVTI?
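For reference, here is an added example (not from the original post) of a minimal Cisco IOS SVTI configuration with OSPF enabled directly on the tunnel interface: there is no GRE layer, the tunnel is `tunnel mode ipsec ipv4` protected by an IPsec profile, and the OSPF hellos sent to 224.0.0.5 on Tunnel0 are simply the inner packet of an ESP tunnel-mode datagram whose outer header is unicast to the peer. Interface names, addresses, the profile/transform-set names and the pre-shared key are all placeholders.

```cisco
! IKEv1 policy and pre-shared key for the peer (placeholder values)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
! ESP tunnel mode: the whole inner IP packet (including a multicast
! destination such as 224.0.0.5) is encapsulated and the outer IP
! header is addressed to the unicast tunnel destination below.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! An IPsec profile is what replaces the crypto map on an SVTI.
crypto ipsec profile VTI-PROF
 set transform-set TS
!
! The virtual tunnel interface itself: no GRE, IPsec is the tunnel mode.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! OSPF runs on the interface like on any point-to-point link;
 ! its multicast hellos are routed out Tunnel0 and ESP-encapsulated.
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router ospf 1
 router-id 10.0.0.1
```

On the peer, mirror the configuration with the addresses swapped; a capture on GigabitEthernet0/0 should then show only ESP between the two tunnel endpoints, with no GRE header, which is what the post observed.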


