draft-ietf-mpls-in-ip-or-gre-06.txt   draft-ietf-mpls-in-ip-or-gre-07.txt 
skipping to change at page 1, line 16 skipping to change at page 1, line 16
Yakov Rekhter Yakov Rekhter
Juniper Networks, Inc. Juniper Networks, Inc.
Eric C. Rosen, editor Eric C. Rosen, editor
Cisco Systems, Inc. Cisco Systems, Inc.
March 2004 March 2004
Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE) Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE)
draft-ietf-mpls-in-ip-or-gre-06.txt draft-ietf-mpls-in-ip-or-gre-07.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts. groups may also distribute working documents as Internet-Drafts.
skipping to change at page 11, line 28 skipping to change at page 11, line 28
8.2. In the Absence of IPsec 8.2. In the Absence of IPsec
If the tunnels are not secured using IPsec, then some other method If the tunnels are not secured using IPsec, then some other method
should be used to ensure that packets are decapsulated and forwarded should be used to ensure that packets are decapsulated and forwarded
by the tunnel tail only if those packets were encapsulated by the by the tunnel tail only if those packets were encapsulated by the
tunnel head. If the tunnel lies entirely within a single tunnel head. If the tunnel lies entirely within a single
administrative domain, address filtering at the boundaries can be administrative domain, address filtering at the boundaries can be
used to ensure that no packet with the IP source address of a tunnel used to ensure that no packet with the IP source address of a tunnel
endpoint or with the IP destination address of a tunnel endpoint can endpoint or with the IP destination address of a tunnel endpoint can
the domain from outside. enter the domain from outside.
However, when the tunnel head and the tunnel tail are not in the same However, when the tunnel head and the tunnel tail are not in the same
administrative domain, this may become difficult, and filtering based administrative domain, this may become difficult, and filtering based
on the destination address can even become impossible if the packets on the destination address can even become impossible if the packets
must traverse the public Internet. must traverse the public Internet.
Sometimes only source address filtering (but not destination address Sometimes only source address filtering (but not destination address
filtering) is done at the boundaries of an administrative domain. If filtering) is done at the boundaries of an administrative domain. If
this is the case, the filtering does not provide effective protection this is the case, the filtering does not provide effective protection
at all unless the decapsulator of an MPLS-in-IP or MPLS-in-GRE at all unless the decapsulator of an MPLS-in-IP or MPLS-in-GRE
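Review bot: In the first paragraph of 8.2, the sentence that -07 repairs by restoring "enter" still describes the filter as dropping packets "with the IP source address of a tunnel endpoint or with the IP destination address of a tunnel endpoint", which can be read as either filter alone being sufficient. The third paragraph of the same section says source-only filtering "does not provide effective protection at all" unless a further condition on the decapsulator holds. Consider stating in the first paragraph that both the source-address and the destination-address filters are applied at the boundary, so the two paragraphs cannot be read against each other. The "enter" fix itself is correct: the -06 sentence had no verb after "can".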
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/