Great Circle Associates Firewalls
(April 1997)

Subject: Re: IP-Tunnelling
From: Chris Lonvick <clonvick @ cisco . com>
Date: Wed, 30 Apr 1997 07:59:49 -0500
To: Sandeep Kumar Talwar <sandeep @ synergy . net>, firewalls @ GreatCircle . COM

Hello Sandeep,

Usually when firewalls talk together it is to form a Virtual Private
Network (VPN).  One of the main goals is for confidentiality (privacy)
of the data being transmitted between the sites - this involves
encryption.  Firewalls can make use of standards like those in the
IPSEC working group of the IETF 
  http://www.ietf.org/html.charters/ipsec-charter.html 
or they can use proprietary encryption methods.  Those are generally
going away as most Firewall vendors are promoting interoperability.
Take a look at the S/WAN project
  http://www.rsa.com/rsa/SWAN/
These firewalls are using the Tunnel Mode of the Encapsulating
Security Payload (ESP) from RFC-1827
  ftp://ds.internic.net/rfc/rfc1827.txt

As long as you're working with a single firewall vendor, they should
be able to encapsulate/decapsulate any protocol, although I've not 
heard of many that support anything other than IP.  If you're not, then
you're going to want some standards like MobileIP 
  http://www.ietf.org/html.charters/mobileip-charter.html
and stuff like RFC-2003 and 2004.

If your firewall doesn't support the protocol that you want transported,
then you're going to have to find some other way.  For instance, if 
you're trying to transport IPX, then you may find that the best way is
to enable the TCP/IP drivers on your clients and servers so they can
natively use this protocol.  If you don't want to do that, there are
devices which can encapsulate the protocol of your choice within IP,
and hand it off to your firewall.  The firewall will need to recognize 
that this traffic needs to be sent to the partner firewall.  You may
want to look at Generic Route Encapsulation (I think that this is a
standard but I can't find the reference), Data Link Switching (DLSw -
a standard), or RSRB (Remote Source Route Bridging - precursor to 
DLSw, Cisco does it in a proprietary manner.)  Each of these 
encapsulates stuff into IP packets for transport.

If you're crossing an untrusted network (e.g. - the Internet), then
I would NOT link the encapsulating/decapsulating device directly to
the Internet.  I'd place it behind the firewall to minimize exposed
devices.  Be aware that performance may be bad since you're going
through encapsulation/encryption/transporting/decryption/decapsulation.
(Whew!)

Hope this helps,

Chris Lonvick
Cisco Systems
Consulting Engineering
Houston, TX, USA
+1.713.778.5663


At 05:10 AM 4/30/97 -0500, Sandeep Kumar Talwar wrote:
>
>IP tunnelling is encapsulating IP packets or some other protocol packets
>such as IPX etc. Is this right?
>Then when two firewalls talk to each other we say that an IP-tunnel has
>been established. Is this also correct?
>Where actually does IP-tunnelling take place? Is it the router?
>Can we have IP-Tunnelling other than with the help of a Firewall? I heard
>about Ioannidis' swIPe protocol.
>Any advice on my queries would be greatly appreciated.
>Thanks in advance.
>Regards....Sandeep
>
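The encapsulation step Chris describes (a non-IP protocol such as IPX wrapped in IP and handed to the partner device, with plain IP-in-IP from RFC 2003 for IP inside IP and GRE for everything else) can be made concrete in a few dozen lines. The following is an added illustration, not code from this post, from Cisco, or from any firewall product: it builds and validates the outer IPv4 header, adds the minimal GRE header when the inner protocol is not IPv4, and on the receiving side checks the header checksum and that the outer source is the configured tunnel peer before handing the inner frame back. The addresses, the IPX frame and the function names are constructed for the example. It shows only the encapsulation layer; the confidentiality that ESP tunnel mode adds on top is not modelled here.

```python
"""Tunnel encapsulation demo: IP-in-IP (RFC 2003) and GRE (RFC 1701).

Added illustration, not code from the mailing-list post. All addresses and
the IPX frame below are constructed sample values.
"""
import socket
import struct

IPPROTO_IPIP = 4        # RFC 2003: an IPv4 packet carried directly inside IPv4
IPPROTO_GRE = 47        # RFC 1701: GRE header names the protocol it carries
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137  # the non-IP protocol the post uses as its example


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate version, length and checksum; return header fields and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    # A correct header sums to 0xFFFF, so the complement of the sum is 0.
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, inner_type: int) -> bytes:
    """Wrap an inner frame for transport between two tunnel endpoints.

    IPv4 inside IPv4 uses plain IP-in-IP; anything else needs a GRE header so
    the receiver knows which protocol it is unwrapping.
    """
    if inner_type == ETHERTYPE_IPV4:
        return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)
    gre_hdr = struct.pack("!HH", 0, inner_type)  # flags/version = 0, then protocol type
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner)


def decapsulate(pkt: bytes, expected_peer: str) -> tuple:
    """Strip the outer header; return (protocol type, inner frame).

    The peer check is the minimal policy a tunnel endpoint should apply: only
    the configured partner may inject traffic into the protected network.
    """
    outer = parse_ipv4(pkt)
    if outer["src"] != expected_peer:
        raise ValueError("tunnel packet from unexpected peer %s" % outer["src"])
    if outer["proto"] == IPPROTO_IPIP:
        return ETHERTYPE_IPV4, outer["payload"]
    if outer["proto"] == IPPROTO_GRE:
        if len(outer["payload"]) < 4:
            raise ValueError("truncated GRE header")
        flags_ver, ptype = struct.unpack("!HH", outer["payload"][:4])
        if flags_ver != 0:  # checksum/key/sequence options are not handled here
            raise ValueError("unsupported GRE options 0x%04x" % flags_ver)
        return ptype, outer["payload"][4:]
    raise ValueError("not a tunnel packet (protocol %d)" % outer["proto"])


def sample_ipx_packet() -> bytes:
    """Constructed 30-byte IPX header plus a short payload (sample data only)."""
    payload = b"ipx-data"
    return struct.pack("!HHBB4s6sH4s6sH", 0xFFFF, 30 + len(payload), 0, 4,
                       b"\x00\x00\x00\x01", b"\x00\x11\x22\x33\x44\x55", 0x0451,
                       b"\x00\x00\x00\x02", b"\x00\x66\x77\x88\x99\xaa", 0x4003) + payload


if __name__ == "__main__":
    peer_a, peer_b = "192.0.2.1", "198.51.100.1"  # documentation-range addresses
    inner_ip = build_ipv4("10.1.1.5", "10.2.2.7", 17, b"udp-payload")
    for kind, frame in ((ETHERTYPE_IPV4, inner_ip), (ETHERTYPE_IPX, sample_ipx_packet())):
        wire = encapsulate(frame, peer_a, peer_b, kind)
        ptype, recovered = decapsulate(wire, peer_a)
        print("outer proto %2d  inner type 0x%04x  intact=%s  overhead=%d bytes"
              % (parse_ipv4(wire)["proto"], ptype, recovered == frame, len(wire) - len(frame)))
```

The overhead figure printed at the end (20 bytes for IP-in-IP, 24 for GRE) is the per-packet cost of the encapsulation alone; ESP's header, trailer and cipher work come on top of it, which is why the post warns about performance. The peer check in decapsulate is also where a firewall in front of the tunnel device earns its keep: anything that is not from the partner endpoint should be dropped before it reaches this code.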

