On Nov 16, 2011, at 1:45 PM, Tero Kivinen wrote:

> Yoav Nir writes:
>>> So you still didn't explain what GRE does better than modern IPsec
>>> tunneling?
>>
>> I think GRE (or any tunnel that is not IPsec - like L2TP) allows
>> them to avoid having to deal with RFC 4301 stuff like SPD. The only
>> selector they need is for the GRE tunnel (protocol 43?) or the L2TP
>> tunnel (UDP 1701).
>
> I.e. bypass the security mechanisms provided by the security protocol.

Yes!

>> That means that your security policy is effectively determined by
>> the routing protocol.
>
> I.e. move the security from the security protocol to something else
> which is not a security protocol. Is this really something we want to
> do?

Define "we"

> Who is going to make sure the end result is secure?

The customer

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec