[c-nsp] "local policy" HW-switched on Sup720?

Brett Frankenberger rbf+cisco-nsp at panix.com
Sun Jan 8 21:52:43 EST 2006


On Mon, Jan 09, 2006 at 12:15:34AM +0100, Gert Doering wrote:
> Hi,
> 
> I have a setup with a GRE tunnel between two Cat7600 with Sup720s.
> 
> Normally, GRE is hardware-forwarded (as long as the tunnel endpoint IPs
> are unique on both ends).

As an aside, I've recently discovered that when doing hardware
forwarding, the switch doesn't validate that the source address in the
GRE packet matches the configured remote tunnel endpoint.

This is significant if you use RPF checks at your edges but not inside
your network to prevent the injection of forged packets.  If you've got
tunnels, a potential way for one of your customers to get
forged-source-address packets into the network would be to encapsulate
them in GRE, and send the GRE packet with a non-forged source address
to a tunnel endpoint.

With a software router, this fails, because the non-forged source
address on the GRE packet presumably doesn't match the remote tunnel
endpoint address, and will, thus, be discarded by the router receiving
the GRE packet.  However, on 65XX/76XX's that are doing GRE in
hardware, the source address on the GRE packet isn't checked and need
not match the configured address of the other end of the tunnel.

     -- Brett
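As an added illustration (my own example code, not anything from this thread or from Cisco), here is the endpoint check a software-forwarding path performs and the hardware path described above skips: accept a GRE packet only when its outer source matches the configured `tunnel destination` and its outer destination matches the `tunnel source`. The packets are constructed inline; the addresses are documentation ranges, not real endpoints.

```python
import ipaddress
import struct

GRE_PROTO = 47          # IP protocol number for GRE
IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header layout


def build_gre_ipv4(outer_src, outer_dst, inner_src, inner_dst):
    """Build a constructed IPv4/GRE/IPv4 packet with no inner payload (sample data)."""
    packed = lambda a: ipaddress.IPv4Address(a).packed
    inner = struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, 64, 6, 0,
                        packed(inner_src), packed(inner_dst))
    gre = struct.pack("!HH", 0, 0x0800)  # flags/version 0, payload protocol IPv4
    outer = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(gre) + len(inner), 0, 0, 64,
                        GRE_PROTO, 0, packed(outer_src), packed(outer_dst))
    return outer + gre + inner


def check_gre_packet(pkt, tunnel_source, tunnel_destination):
    """Software-style validation of a received GRE packet.

    tunnel_source      -- this router's configured tunnel source (local address)
    tunnel_destination -- the configured remote endpoint
    Returns (accept, reason, inner_src) so the caller can log what was inside
    a rejected packet; the inner source is the address that could be forged.
    """
    if len(pkt) < 24 or (pkt[0] >> 4) != 4:
        return False, "truncated or not IPv4", None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_PROTO:
        return False, "not GRE", None
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    outer_dst = str(ipaddress.IPv4Address(pkt[16:20]))
    inner = pkt[ihl + 4:]  # skip the 4-byte GRE header (no optional fields set)
    inner_src = str(ipaddress.IPv4Address(inner[12:16])) if len(inner) >= 20 else None
    if outer_dst != tunnel_source:
        return False, "outer destination is not this tunnel endpoint", inner_src
    if outer_src != tunnel_destination:
        # This is the comparison the hardware path omits, per the note above.
        return False, f"outer source {outer_src} != tunnel destination", inner_src
    return True, "outer endpoints match configured tunnel", inner_src
```

Running the check on a packet whose outer source is not the configured peer rejects it even though the GRE payload itself is well-formed.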