 From:  Phil Brutsche <phil at brutsche dot us>
 To:  Chris Liljenstolpe <cds at io dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Zebra and m0n0wall
 Date:  Wed, 12 May 2004 16:53:05 -0500
Chris Liljenstolpe wrote:

> Greetings,
> 
>     I have read through the mailing list and the discussions about dynamic
> routing on a firewall being a bad thing, and in that pure role, I agree,
> I don't want my firewall listening to route advertisements from untrusted
> sources.  However, this is also a VPN box, and in that role, it would be
> very useful to have routes advertised through the VPN tunnels.  So how
> about Zebra, and then an option to bind it only to certain interfaces?

One problem: route advertisements do not play well with generic IPsec 
tunnels.  Cisco, for example, recommends that you implement a GRE tunnel 
(encrypted and/or authenticated with IPsec) if you need to send e.g. RIP 
or OSPF over the internet.

-- 

Phil Brutsche
phil at brutsche dot us
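The GRE-over-IPsec arrangement Phil refers to, written out as an added Cisco IOS configuration for one end of such a link (example config, not from the thread or from m0n0wall; the addresses are RFC 5737 documentation ranges and the peer, interface names and pre-shared key are assumed placeholders). It also addresses Chris's concern: OSPF is bound only to the tunnel interface, so the untrusted WAN side never listens to advertisements.

```cisco
! Added example (not from the thread): GRE tunnel between two sites,
! protected with IPsec in transport mode, carrying OSPF. Addresses use
! RFC 5737 documentation ranges; PSK and peer address are placeholders.
!
! Phase 1 (IKE) towards the remote site
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Phase 2: transport mode suffices, since GRE already adds the outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! A routing protocol needs an interface to peer over; a plain IPsec policy has
! none, and OSPF multicast hellos never match its traffic selectors. The GRE
! tunnel is that interface, and IPsec protects the GRE packets themselves.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
interface GigabitEthernet0/0
 description WAN (untrusted)
 ip address 203.0.113.1 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
! OSPF speaks only on the tunnel; every other interface stays passive, so the
! WAN interface never accepts route advertisements from untrusted sources.
router ospf 1
 passive-interface default
 no passive-interface Tunnel0
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

The far end mirrors this with the tunnel, WAN and LAN addresses swapped; only traffic arriving through Tunnel0 (authenticated by the IPsec peer) can then influence the routing table.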