| < draft-ietf-mpls-in-ip-or-gre-06.txt | draft-ietf-mpls-in-ip-or-gre-07.txt > | |||
|---|---|---|---|---|
| skipping to change at page 1, line 16 ¶ | skipping to change at page 1, line 16 ¶ | |||
| Yakov Rekhter | Yakov Rekhter | |||
| Juniper Networks, Inc. | Juniper Networks, Inc. | |||
| Eric C. Rosen, editor | Eric C. Rosen, editor | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| March 2004 | March 2004 | |||
| Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE) | Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE) | |||
| draft-ietf-mpls-in-ip-or-gre-06.txt | draft-ietf-mpls-in-ip-or-gre-07.txt | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||
| all provisions of Section 10 of RFC2026. | all provisions of Section 10 of RFC2026. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that other | Task Force (IETF), its areas, and its working groups. Note that other | |||
| groups may also distribute working documents as Internet-Drafts. | groups may also distribute working documents as Internet-Drafts. | |||
| skipping to change at page 11, line 28 ¶ | skipping to change at page 11, line 28 ¶ | |||
| 8.2. In the Absence of IPsec | 8.2. In the Absence of IPsec | |||
| If the tunnels are not secured using IPsec, then some other method | If the tunnels are not secured using IPsec, then some other method | |||
| should be used to ensure that packets are decapsulated and forwarded | should be used to ensure that packets are decapsulated and forwarded | |||
| by the tunnel tail only if those packets were encapsulated by the | by the tunnel tail only if those packets were encapsulated by the | |||
| tunnel head. If the tunnel lies entirely within a single | tunnel head. If the tunnel lies entirely within a single | |||
| administrative domain, address filtering at the boundaries can be | administrative domain, address filtering at the boundaries can be | |||
| used to ensure that no packet with the IP source address of a tunnel | used to ensure that no packet with the IP source address of a tunnel | |||
| endpoint or with the IP destination address of a tunnel endpoint can | endpoint or with the IP destination address of a tunnel endpoint can | |||
| the domain from outside. | enter the domain from outside. | |||
| However, when the tunnel head and the tunnel tail are not in the same | However, when the tunnel head and the tunnel tail are not in the same | |||
| administrative domain, this may become difficult, and filtering based | administrative domain, this may become difficult, and filtering based | |||
| on the destination address can even become impossible if the packets | on the destination address can even become impossible if the packets | |||
| must traverse the public Internet. | must traverse the public Internet. | |||
| Sometimes only source address filtering (but not destination address | Sometimes only source address filtering (but not destination address | |||
| filtering) is done at the boundaries of an administrative domain. If | filtering) is done at the boundaries of an administrative domain. If | |||
| this is the case, the filtering does not provide effective protection | this is the case, the filtering does not provide effective protection | |||
| at all unless the decapsulator of an MPLS-in-IP or MPLS-in-GRE | at all unless the decapsulator of an MPLS-in-IP or MPLS-in-GRE | |||
| End of changes. 2 change blocks. | ||||
| 2 lines changed or deleted | 2 lines changed or added | |||
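
Review bot: the filtering rule in the first paragraph of 8.2 (no packet with a tunnel endpoint's source or destination address "can enter the domain from outside") only protects a tunnel that lies within a single administrative domain, and the inter-domain paragraph that follows says filtering "may become difficult" or "can even become impossible" without saying, in the lines shown, which "other method" applies in that case. Suggest naming the expected fallback for tunnels that cross administrative domains, and checking whether the lowercase "should be used" is meant as a normative SHOULD.
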
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/