
Bronze

Why is multicast not supported? S2S IPsec VPN

I know that standard site-to-site IPsec VPNs cannot run routing protocols over them, but I would like to know why they cannot, e.g. what is the physical reason multicast cannot run over them? Is this due to the VPN being strictly peer to peer? This brings me to asking why, when using GRE/IPsec tunnels, multicast can run over it no problem. Is this due to the virtual interface?
3 REPLIES
VIP Purple

In principle, IPsec can also transport multicast. The problem is more or less that the initial standards did not include much for multicast. Some quotes from relevant RFCs:

  • RFC 2401: Security Architecture for the Internet Protocol
    4.1 Definition and Scope
    In principle, the Destination Address may be a unicast address, an IP broadcast address, or a multicast group address.  However, IPsec SA management mechanisms currently are defined only for unicast SAs.  Hence, in the discussions that follow, SAs will be described in the context of point-to-point communication, even though the concept is applicable in the point-to-multipoint case as well.
  • RFC 5406: Guidelines for Specifying the Use of IPsec Version 2
    7. Broadcast and Multicast
    Although the designers of IPsec tried to leave room for protection of multicast traffic, a complete design wasn't finished until much later.  As such, many IPsec implementations do not support multicast.  [RFC5374] describes extensions to IPsec to support it.  Other relevant documents include [RFC3830], [RFC3547], and [RFC4535].
    Because of the delay, protocol designers who use multicast should consider the availability of these extensions in target platforms of interest.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
Bronze

So does the above correspond to the reason why routing protocols can't be run over them?
VIP Purple

At least it corresponds to the early policy-based implementations with crypto maps. And nowadays multicast is possible, at least with VTIs, which are route-based with an any-to-any encryption domain.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni