Friday, March 8, 2019

TIL : you need GRE to have dynamic routing over IPSECv1/2 VPN

It might sound dumb to a lot of redditors in this community, but today I learned something and I want to share it with you.

A bit of context: a colleague told me yesterday that a network team plans to use a GRE tunnel between two LANs of the company. I had already used GRE in the past, but I was not aware it was still used in 2019. We were both surprised and we tried to understand the need for a GRE tunnel in our case.

After a short dig through the docs and Google, I managed to understand the real reason:

- Routing protocols like OSPF or EIGRP use multicast addresses to discover each other (for example, the address of all OSPF routers is 224.0.0.5).

- IPsec is, by design, unicast only: it supports neither multicast nor broadcast (see RFC 4301: "The SPD [Security Policy Database] does not include support for multicast address entries.").

- GRE means "Generic Routing Encapsulation" (pretty clear, isn't it?) and is designed to encapsulate multicast traffic inside a unicast header.

That's why you need GRE over IPsec v1 and v2. :)
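To make the unicast/multicast point concrete, here is an added Python example (not code from the original post) that builds a constructed OSPF Hello addressed to 224.0.0.5, wraps it in a GRE header plus a unicast outer IPv4 header, and shows that a unicast-only SPD selector matches the tunneled packet but not the bare hello. The addresses, the hello body and the simplified SPD check are assumptions for illustration.

```python
import ipaddress
import struct

OSPF_ALL_ROUTERS = "224.0.0.5"   # multicast group OSPF Hellos are sent to
PROTO_GRE, PROTO_OSPF = 47, 89   # IP protocol numbers
ETHERTYPE_IPV4 = 0x0800          # GRE "protocol type" for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def ipv4_dst(packet: bytes) -> str:
    return str(ipaddress.IPv4Address(packet[16:20]))

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """RFC 2784 GRE: 4-byte header (no flags, protocol type IPv4) in an outer IPv4
    header with protocol 47. The outer destination is the unicast tunnel endpoint."""
    return ipv4(tunnel_src, tunnel_dst, PROTO_GRE,
                struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner)

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 header and the GRE header, returning the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != PROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]

def spd_unicast_selector_matches(packet: bytes) -> bool:
    """Simplified model of an RFC 4301 SPD entry (assumption): it can only select
    unicast destinations, so a multicast-addressed packet is never protected."""
    return not ipaddress.IPv4Address(ipv4_dst(packet)).is_multicast

# Constructed sample: an OSPF Hello (version 2, type 1) with a placeholder body, TTL 1.
ospf_hello = ipv4("10.0.0.1", OSPF_ALL_ROUTERS, PROTO_OSPF, b"\x02\x01" + b"\x00" * 14, ttl=1)
tunneled = gre_encapsulate(ospf_hello, "203.0.113.1", "203.0.113.2")
```

The bare hello is rejected by the selector while the GRE-wrapped copy, whose outer destination is the peer's unicast address, is accepted and can be protected by the SA.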

Since 2011, however, it seems that IPsec v3 introduced some evolutions that allow multicast:

- "More detailed descriptions of IPsec processing, both unicast and multicast, and the interactions among the various IPsec databases"

- "More flexible SPD (Security Policy Database) selectors, including ranges of values and ICMP message types as selectors"

Source: https://tools.ietf.org/html/rfc6071

One question left: has anyone here already tried OSPF/EIGRP over IPsec and can share some feedback on performance?

Hope this was useful. ;)
