Re: [squid-users] squid wccp & linux 2.4 GRE tunnel

From: Joe Cooper <joe@dont-contact.us>
Date: Mon, 07 Jan 2002 00:01:58 -0600

Henrik Nordstrom wrote:

> On Sunday 06 January 2002 14.28, Joe Cooper wrote:
>
>>The ip_gre module that comes with Linux is broken, and does not
>>accept WCCP GRE packets. It must be patched to support WCCP
>>packets.
>>
>
> To say that the Linux module is broken is a bit harsh. The standard Linux
> GRE module simply does not implement the WCCP GRE protocol type.
>
> If Cisco would have used the standard IP GRE protocol type then the Linux
> module (or mostly any standard GRE endpoint) should have been capable of
> receiving the WCCP tunnel, but as Cisco for some reason decided to use a
> new GRE protocol type for WCCP encapsulated frames then specific support
> at the endpoint is required even if the format used happens to be
> identical to that of the standard encapsulated IP GRE format except for
> the protocol number...

Perhaps it could be viewed this way. I think of it in terms of GRE
being a well-known and documented protocol, and the WCCP identity number
is also well-known and documented...seems broken or at least ornery not
to support it.

I think the reason Cisco chose a different number is that one may wish
to implement packet filters based on the type of GRE. There are a
number of legitimate uses for GRE tunnels across WAN links, but fewer
reasons to have a WCCP GRE tunnel over a WAN (DoS or man in the middle
exploits come to mind). Just a thought. And of course there are other
ways and means of achieving defense against such problems. But I
believe Cisco made a pretty reasonable choice to use a different
identifier for WCCP GRE packets, and it is at the very least a lacking
of the Linux ip_gre module that it doesn't support it by default. Been
meaning to track down the maintainer and send them a patch to add it.

>>I don't have links handy for the patch required, but if you'll
>>contact me off-list I can send it to you.
>>
>
> There is a Linux patch linked from Squid FAQ WCCP entry. Is this perhaps
> the one you are referring to?

Roughly. When I switched to kernel 2.4, however, I had to create a new
patch, as the old required manual patching. It is a very simple patch
and easy to apply manually, but not automatic for 2.4 kernels. As soon
as I dig up my 2.4 patch (it's probably buried in an SRPM), I'll post it
somewhere on my patches page.

-- 
Joe Cooper <joe@swelltech.com>
http://www.swelltech.com
Web Caching Appliances and Support
Received on Sun Jan 06 2002 - 23:00:51 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:05:39 MST
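
The point made in the thread, that WCCP GRE differs from ordinary IP GRE only in the GRE protocol type and can therefore be filtered separately, shown as an added example that is not code from the post, Squid, or the Linux ip_gre module. The protocol type values (0x0800 for IP, 0x883E for WCCP) are not stated in the message, and the `wan_filter` policy, function names, and sample packets are constructed for illustration.

```python
import socket
import struct

IPPROTO_GRE = 47          # IP protocol number carried by every GRE tunnel
GRE_PROTO_IPV4 = 0x0800   # protocol type of standard IP-in-GRE
GRE_PROTO_WCCP = 0x883E   # protocol type of WCCP-redirected frames


def classify_gre(packet: bytes) -> str:
    """Classify a raw IPv4 packet by the protocol type in its GRE header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    if packet[9] != IPPROTO_GRE:
        return "not-gre"
    if len(packet) < ihl + 4:             # GRE base header: flags + type
        return "malformed"
    _flags, proto = struct.unpack_from("!HH", packet, ihl)
    return {GRE_PROTO_IPV4: "gre-ip", GRE_PROTO_WCCP: "gre-wccp"}.get(proto, "gre-other")


def wan_filter(packet: bytes) -> str:
    """Hypothetical WAN-edge policy: pass ordinary GRE, drop WCCP GRE."""
    kind = classify_gre(packet)
    return "drop" if kind in ("gre-wccp", "malformed") else "accept"


def build_packet(gre_proto: int, ip_proto: int = IPPROTO_GRE) -> bytes:
    """Constructed sample: IPv4 header (checksum left 0) + 4-byte GRE header."""
    gre = struct.pack("!HH", 0, gre_proto)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64,
                     ip_proto, 0, socket.inet_aton("192.0.2.1"),
                     socket.inet_aton("198.51.100.1"))
    return ip + gre


if __name__ == "__main__":
    for name, pkt in [("ip-in-gre", build_packet(GRE_PROTO_IPV4)),
                      ("wccp-gre", build_packet(GRE_PROTO_WCCP))]:
        print(name, classify_gre(pkt), wan_filter(pkt))
```

Both sample packets carry IP protocol 47, so a filter that matches only on the IP protocol number cannot tell them apart; the distinction exists only in the two-byte GRE protocol type.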