From owner-freebsd-hackers Sat Mar 13 12:39:26 1999
From: John Polstra
Date: Sat, 13 Mar 1999 12:39:01 -0800 (PST)
Message-Id: <199903132039.MAA65042@vashon.polstra.com>
To: ck@adsu.bellsouth.com
Subject: Re: Will IPFW pass GRE packets?
In-Reply-To: <002c01be6d13$0cdc8f60$7aad98cd@oreo.adsu.bellsouth.com>
Organization: Polstra & Co., Seattle, WA
Cc: hackers@freebsd.org

In article <002c01be6d13$0cdc8f60$7aad98cd@oreo.adsu.bellsouth.com>,
Christian Kuhtz wrote:

> > GRE is some windows NT thing?  If it is, someone has already figured this
> > out for you, the lists have it.
>
> GRE stands for "Generic Route Encapsulation" and is an IETF standard as
> defined by RFC1701 (http://www.adsu.bellsouth.com/pub/ietf/rfc/rfc1701 and
> RFC1702).  It is used to tunnel all sorts of things across IPv4 networks,
> including IPv4 itself.  It has jack squat to do with NT.

Not quite true.  Like a dog who must piss on every bush, Microsoft
couldn't endure the thought of following existing standards.  So they
invented an "enhanced GRE header" for their PPTP tunneling.  See
"draft-ietf-pppext-pptp-01.txt" from your favorite Internet Drafts
repository.

It gets even better.  They explicitly specify that checksums must be
disabled in the GRE encapsulation.  And the PPP packets contained
therein are stripped of all link-level headers.  Thus, as far as I
can tell, there is zero, zilch, nada error detection of any kind on
the encapsulated PPP packets (i.e., your valuable data).  Tcpdump
confirms this.

John
--
  John Polstra                                               jdp@polstra.com
  John D. Polstra & Co., Inc.                        Seattle, Washington USA
  "Self-interest is the aphrodisiac of belief."           -- James V. DeLong
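
Added example, not part of the original message and not code from any project mentioned in it: a Python check that contrasts a plain GRE packet carrying the optional checksum with a PPTP enhanced-GRE packet, where a flipped payload bit leaves nothing at this layer to notice it. The header layouts follow RFC 1701 and the published PPTP specification; the function names, call ID, sequence number and payload are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (pads odd lengths with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_error_detection(pkt: bytes) -> dict:
    """Report what error detection, if any, a GRE packet carries."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt)
    info = {"version": flags & 0x0007, "proto": proto,
            "has_checksum": bool(flags & 0x8000),  # C bit
            "checksum_ok": None}                   # None: nothing to verify
    if info["version"] == 1:
        # Enhanced GRE: C and R clear, K set; key = payload length + call ID.
        if flags & 0xC000 or not flags & 0x2000 or len(pkt) < 8:
            raise ValueError("malformed enhanced GRE header")
        info["payload_len"], info["call_id"] = struct.unpack_from("!HH", pkt, 4)
    if info["has_checksum"]:
        if len(pkt) < 8:
            raise ValueError("truncated checksum field")
        # The checksum covers GRE header plus payload; an intact packet sums to 0.
        info["checksum_ok"] = inet_checksum(pkt) == 0
    return info

def build_gre_v0(payload: bytes) -> bytes:
    """Constructed sample: RFC 1701 GRE carrying IPv4, checksum present."""
    csum = inet_checksum(struct.pack("!HHHH", 0x8000, 0x0800, 0, 0) + payload)
    return struct.pack("!HHHH", 0x8000, 0x0800, csum, 0) + payload

def build_pptp_gre(payload: bytes, call_id: int = 7, seq: int = 1) -> bytes:
    """Constructed sample: enhanced GRE (K and S set, version 1) carrying PPP."""
    return struct.pack("!HHHHI", 0x3001, 0x880B, len(payload), call_id, seq) + payload

def flip_last_bit(pkt: bytes) -> bytes:
    """Simulate a single-bit transmission error in the payload."""
    return pkt[:-1] + bytes([pkt[-1] ^ 0x01])

if __name__ == "__main__":
    data = b"constructed data"  # stand-in payload, not real traffic
    for name, pkt in (("GRE v0", build_gre_v0(data)), ("PPTP GRE", build_pptp_gre(data))):
        print(name, gre_error_detection(pkt), gre_error_detection(flip_last_bit(pkt)))
```

For the version 0 packet the corrupted copy reports a failed checksum; for the enhanced-GRE packet both copies parse identically, so any corruption has to be caught by a higher-layer protocol inside the tunnel.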