Dear Julien,
Thanks for your comments, see inline.
2008/6/12 Julien Laganier <julien.IETF@laposte.net>:
> On Thursday 12 June 2008, Tero Kivinen wrote:
>> Julien Laganier writes:
>> > FWIW, it's the same when IPsec transport mode protection is applied
>> > to an IP-within-IP tunnel -- IPsec does not inspect the inner
>> > header, only the outer.
>>
>> Yes, and RFC4301 has a warning about that:
>
> Yes, tunneled traffic escapes IPsec access control. The same applies if
> one configures IPsec transport mode to protect traffic sent from SRC to
> DST and protocol number GRE. And adding the GRE key as a traffic
> selector would not change the situation, as I'm arguing in another note
> on the topic.
Here the GRE key has been used for some special purpose; the incentive
will be more than protection of the GRE protocol.
Thanks again.
-Hui
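
Added example, not part of the original thread: a small Python model of the point quoted above, that a transport-mode policy lookup on a GRE packet matches only outer-header fields, so inner flows with different destinations get the same decision with or without a GRE-key selector. The packet builders, the rule format and the GRE-key selector are assumptions for illustration, and all addresses are constructed.

```python
import ipaddress
import struct

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0; not needed for selector matching)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def gre(key, inner):
    """GRE header with only the K bit set (RFC 2890), carrying an IPv4 payload."""
    return struct.pack("!HHI", 0x2000, 0x0800, key) + inner

def outer_selectors(pkt):
    """Fields a transport-mode policy lookup can match: outer src, dst, protocol, GRE key."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    proto, key = pkt[9], None
    if proto == 47:
        flags = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
        if flags & 0x2000:                                   # K bit: key present
            off = ihl + 4 + (4 if flags & 0x8000 else 0)     # skip checksum word if C bit set
            key = struct.unpack("!I", pkt[off:off + 4])[0]
    return src, dst, proto, key

def spd_lookup(pkt, spd):
    """First-match lookup; None in a rule is a wildcard. Unmatched traffic is discarded."""
    sel = outer_selectors(pkt)
    for rule, action in spd:
        if all(r is None or r == s for r, s in zip(rule, sel)):
            return action
    return "DISCARD"

def inner_dst(pkt):
    """Inner IPv4 destination of a key-only GRE packet; the policy lookup never reads this."""
    start = (pkt[0] & 0x0F) * 4 + 8
    return str(ipaddress.IPv4Address(pkt[start + 16:start + 20]))

# Constructed sample traffic: same outer header and GRE key, different inner destinations.
PKT_A = ipv4("192.0.2.1", "192.0.2.2", 47, gre(7, ipv4("10.0.0.1", "10.0.0.5", 6)))
PKT_B = ipv4("192.0.2.1", "192.0.2.2", 47, gre(7, ipv4("10.0.0.1", "10.9.9.9", 17)))
PKT_C = ipv4("192.0.2.1", "192.0.2.2", 47, gre(8, ipv4("10.0.0.1", "10.0.0.5", 6)))
SPD_PROTO_ONLY = [(("192.0.2.1", "192.0.2.2", 47, None), "PROTECT")]
SPD_WITH_KEY = [(("192.0.2.1", "192.0.2.2", 47, 7), "PROTECT")]   # hypothetical key selector

if __name__ == "__main__":
    for name, pkt in (("A", PKT_A), ("B", PKT_B), ("C", PKT_C)):
        print(name, inner_dst(pkt), spd_lookup(pkt, SPD_PROTO_ONLY), spd_lookup(pkt, SPD_WITH_KEY))
```

Packets A and B carry different inner destinations yet receive the same decision under both policies; the key selector only separates packet C, whose GRE key differs.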