GRE, ESP, and OSPF: Why they have no port numbers
GRE, ESP, and OSPF are Layer 3 protocols that operate at the IP layer, not the transport layer. This fundamental difference means they use IP protocol numbers instead of TCP or UDP port numbers. Understanding this distinction is critical for writing correct access control lists, firewall rules, and security policies.
Ports exist only at Layer 4
Port numbers (0-65535) are a Layer 4 (transport layer) concept. They identify specific applications or services running over TCP or UDP. When you write an ACL rule to permit TCP port 443 or UDP port 53, you are filtering at the transport layer. The router or firewall must open the IP packet, read the TCP or UDP header, and examine the destination port field.
GRE, ESP, and OSPF do not use ports because they do not sit above TCP or UDP. They are protocols that exist at Layer 3 itself. Instead of ports, they are identified by their IP protocol number, a single byte field in the IP header that tells the receiving host which protocol to hand the packet to next.
Protocol numbers: the Layer 3 identifier
The IP header contains an 8-bit protocol field that identifies the next layer protocol. Common values include:
- →6 = TCP
- →17 = UDP
- →47 = GRE (Generic Routing Encapsulation)
- →50 = ESP (Encapsulating Security Payload)
- →89 = OSPF (Open Shortest Path First)
When a router receives a packet with protocol number 47, it knows that packet contains GRE data and routes it to the GRE handler. Protocol number 89 means OSPF routing information. Protocol number 50 means IPsec ESP encryption. No port number is involved or even present in these packets.
Implications for ACL configuration
When you need to permit or deny GRE, ESP, or OSPF traffic, you must reference the protocol number, not a port. The syntax varies by vendor, but the principle is the same.
On Cisco IOS, you use the protocol keyword or number directly in an extended ACL:
! Permit GRE traffic (protocol 47) access-list 101 permit gre 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255 ! Or using the numeric protocol number access-list 101 permit 47 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255 ! Permit OSPF (protocol 89) access-list 101 permit ospf any any ! Permit ESP (protocol 50) for IPsec access-list 101 permit 50 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Notice that there is no port specification. You cannot write 'permit gre ... port 47' because that syntax is meaningless. The protocol number is part of the IP header, not a port in a transport layer header.
Firewall and security implications
Firewalls must inspect the IP protocol field to filter GRE, ESP, and OSPF. Stateless firewalls simply match the protocol number. Stateful firewalls may track GRE or ESP sessions, but they still identify the protocol by its IP protocol number, not by a port.
This also means you cannot use a port-based security tool to block GRE or ESP. A network access control list that only understands TCP and UDP ports will not filter these protocols. You need rules that operate at Layer 3.
When designing a security policy, remember that GRE tunnels, IPsec ESP encryption, and OSPF routing updates all bypass port-based filtering. They require explicit protocol-number-based rules.