IP tunnels - firewall kill when IP in IP packets

by Tom Louis Demont -
Number of replies: 2

Hello,

This question is more about curiosity and not a top-priority exam question (no problem if answered later). I was wondering: in slide 21 of the ip2 slides, we are told that some firewalls kill IP in IP packets. That's why we add a layer and put the IP packet in a UDP segment.

  1. I'm not sure I understand the firewall config rationale behind the killing of IP in IP packets. If this is trivially solved by putting IP in UDP, why are firewalls happier this way?
  2. Why is there the need for putting the L2TP/PPP header? It is said we must add a layer 2 protocol, but couldn't this one be added by the normal routing (frame read and replaced by routers from one subnet to another)?
Thanks!
In reply to Tom Louis Demont

Re: IP tunnels - firewall kill when IP in IP packets

by Jean-Yves Le Boudec -
1. Some NATs and firewalls are configured to exclude any IP protocol that is not UDP or TCP, perhaps by excessive simplicity.
2. The layer 2 protocol is added to carry information that is used by older systems (such as Windows) which use the alternative Ethernet format.
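The following is an added example, not code from the thread or the course slides. It builds the two encapsulations discussed in point 1 by hand (a constructed inner IPv4/TCP packet, wrapped first as IP in IP with outer protocol number 4, then as IP in UDP) and runs both through a packet filter that implements exactly the rule the answer describes: pass TCP and UDP, drop everything else. The L2TP and PPP headers that a real L2TP tunnel places between UDP and the inner packet are omitted, since the filter never inspects them; the addresses and the use of UDP port 1701 (the L2TP port) are illustrative choices. All functions return values rather than only printing them, so the behaviour can be checked programmatically.

```python
"""Added example: why IP-in-IP is dropped but IP-in-UDP passes a simplistic filter."""
import socket
import struct

IPPROTO_IPIP = 4    # "IP in IP" (RFC 2003): the outer header's protocol field is 4
IPPROTO_TCP = 6
IPPROTO_UDP = 17
L2TP_PORT = 1701    # UDP port used by L2TP; chosen here only for illustration


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len,   # version/IHL, DSCP/ECN, total length
                      0, 0,                        # identification, flags/fragment offset
                      ttl, proto, 0,               # TTL, protocol, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def header_checksum_ok(packet: bytes) -> bool:
    """A correct IPv4 header sums to zero when the checksum field itself is included."""
    ihl = (packet[0] & 0x0F) * 4
    return checksum(packet[:ihl]) == 0


def make_inner_packet() -> bytes:
    """Constructed sample: a private-address IPv4/TCP SYN that the tunnel will carry."""
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp_segment = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return ipv4_header("10.0.0.5", "10.0.1.9", IPPROTO_TCP, len(tcp_segment)) + tcp_segment


def encap_ipip(inner: bytes, src: str, dst: str) -> bytes:
    """IP in IP: the outer header announces protocol 4, which is neither TCP nor UDP."""
    return ipv4_header(src, dst, IPPROTO_IPIP, len(inner)) + inner


def encap_ip_in_udp(inner: bytes, src: str, dst: str, port: int = L2TP_PORT) -> bytes:
    """IP in UDP: the outer header announces protocol 17, so the filter sees a UDP flow.
    The L2TP and PPP headers of a real L2TP tunnel would sit between the UDP header
    and the inner packet; they are left out here because the filter never reads them."""
    udp = struct.pack("!HHHH", port, port, 8 + len(inner), 0) + inner  # UDP checksum 0 = absent
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def decap_ip_in_udp(packet: bytes) -> bytes:
    """Tunnel endpoint: strip the outer IPv4 and UDP headers to recover the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP-encapsulated packet")
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    return packet[ihl + 8:ihl + udp_len]


def naive_filter_allows(packet: bytes) -> bool:
    """The rule from the answer: pass only TCP and UDP, drop every other IP protocol."""
    return packet[9] in (IPPROTO_TCP, IPPROTO_UDP)


if __name__ == "__main__":
    inner = make_inner_packet()
    ipip = encap_ipip(inner, "192.0.2.1", "198.51.100.1")
    udp = encap_ip_in_udp(inner, "192.0.2.1", "198.51.100.1")
    print("IP-in-IP  passes filter:", naive_filter_allows(ipip))
    print("IP-in-UDP passes filter:", naive_filter_allows(udp))
    print("inner recovered intact: ", decap_ip_in_udp(udp) == inner)
```

Byte 9 of the outer header is the only thing such a filter looks at, which is why wrapping the same inner packet in a UDP header changes the verdict without changing what is carried; the decapsulation function shows that the tunnel endpoint gets the original packet back unchanged.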