Perhaps to combat this, unless I'm missing something, one could justifiably deploy GRE filters with source & destination addresses of the exchange subnets. Filtering GRE in general seems nothing more than foolish.
-danny
[snip]
(we certainly allow GRE packets and expect everyone else does, too)
This could kill IP-GRE VPNs indiscriminately.
At 03:23 PM 6/17/98 -0700, Danny McPherson wrote:
Perhaps to combat this, unless I'm missing something, one could justifiably deploy GRE filters with source & destination addresses of the exchange subnets. Filtering GRE in general seems nothing more than foolish.
Or the tunnel termination addresses, which, while they might be tighter, would probably make the ACLs longer or more complex.
-danny
[snip]
(we certainly allow GRE packets and expect everyone else does, too)
This could kill IP-GRE VPNs indiscriminately.
On Wed, 17 Jun 1998, Danny McPherson wrote:
Perhaps to combat this, unless I'm missing something, one could justifiably deploy GRE filters with source & destination addresses of the exchange subnets.
What's the point of this? Wouldn't it make more sense to just run a sniffer on the exchange fabric looking for such GRE tunnels and then kick the offending parties out of the exchange? Seems to me this has happened at least once at LINX.
--
Michael Dillon - Internet & ISP Consulting
Memra Communications Inc. - E-mail: michael@memra.com
Check the website for my Internet World articles - http://www.memra.com
Perhaps to combat this, unless I'm missing something, one could justifiably deploy GRE filters with source & destination addresses of the exchange subnets. Filtering GRE in general seems nothing more than foolish.
I posted an FYI on how to detect & prevent abuse by tunneling through exchange points a while ago. If anyone is interested I'll post it again or perhaps get it put up on the web.
--
Alex Bligh
GX Networks (formerly Xara Networks)
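An added example, not written by any poster in this thread: the matching rule discussed above (GRE whose source and destination both sit on the exchange subnets, as opposed to GRE in general) applied to captured IPv4 headers, the way a sniffer on the exchange fabric could apply it. The prefix 192.0.2.0/24, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47  # IANA IP protocol number for GRE

# Assumption: the exchange LAN prefix (192.0.2.0/24 is a documentation range).
EXCHANGE_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]


def on_exchange(addr):
    """True if addr is inside one of the exchange subnets."""
    return any(addr in net for net in EXCHANGE_SUBNETS)


def classify_ipv4(packet):
    """Return (verdict, src, dst) for a raw IPv4 packet, or None if it is not GRE.

    verdict is 'exchange-gre' when both tunnel endpoints are exchange
    addresses, and 'other-gre' for any other GRE packet (e.g. a customer VPN).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None  # malformed header length
    if packet[9] != GRE_PROTO:
        return None
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    both = on_exchange(src) and on_exchange(dst)
    return ("exchange-gre" if both else "other-gre", str(src), str(dst))


def find_exchange_tunnels(packets):
    """Sorted, de-duplicated (src, dst) pairs of exchange-to-exchange GRE."""
    hits = (classify_ipv4(p) for p in packets)
    return sorted({(h[1], h[2]) for h in hits if h and h[0] == "exchange-gre"})


def ipv4_header(src, dst, proto):
    """Constructed 20-byte IPv4 header; checksum left at zero (not checked above)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed sample traffic, not a real capture.
SAMPLES = [
    ipv4_header("192.0.2.10", "192.0.2.20", GRE_PROTO),    # tunnel across the exchange
    ipv4_header("198.51.100.5", "203.0.113.9", GRE_PROTO), # ordinary IP-GRE VPN
    ipv4_header("192.0.2.10", "192.0.2.20", 6),            # TCP between exchange peers
    ipv4_header("192.0.2.10", "203.0.113.9", GRE_PROTO),   # only one end on the exchange
]

if __name__ == "__main__":
    for pair in find_exchange_tunnels(SAMPLES):
        print("GRE between exchange addresses: %s -> %s" % pair)
```

Only the first sample is reported; the ordinary IP-GRE VPN packet is classified as `other-gre` and left alone, which is the distinction the thread draws against filtering GRE in general.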
participants (4)
- Alex Bligh
- Danny McPherson
- Michael Dillon
- Paul G. Donner