On Nov 16, 2011, at 9:32 AM, Tero Kivinen wrote:

>> What you call other fancy features is what I call functional separation.
>> IPsec does encryption well, but in reality it does a fairly poor job of 
>> tunneling. So let's have IPsec do what it does well and have GRE do what
>> it does well and that is tunneling.
> 
> So you still didn't explain what GRE does better than modern IPsec
> tunneling?

I think GRE (or any tunnel that is not IPsec - like L2TP) allows them to avoid 
having to deal with RFC 4301 stuff like SPD. The only selector they need is for 
the GRE tunnel (protocol 43?) or the L2TP tunnel (UDP 1701).

That means that your security policy is effectively determined by the routing 
protocol.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
