Re: PPP over IPSec (without L2TP)?

David Chen <dchen@indusriver.com> Tue, 19 October 1999 18:34 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id LAA03836; Tue, 19 Oct 1999 11:34:43 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA21823 Tue, 19 Oct 1999 12:58:21 -0400 (EDT)
Message-Id: <4.2.0.58.19991019130241.00a59f00@pop3.indusriver.com>
X-Sender: dchen@pop3.indusriver.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Tue, 19 Oct 1999 13:05:14 -0400
To: Ari Huttunen <Ari.Huttunen@datafellows.com>
From: David Chen <dchen@indusriver.com>
Subject: Re: PPP over IPSec (without L2TP)?
Cc: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
In-Reply-To: <380C973C.FD1B3036@DataFellows.com>
References: <4.2.0.58.19991019095359.00a905c0@pop3.indusriver.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=====================_431373011==_.ALT"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

At 07:07 PM 10/19/99 +0300, you wrote:

>David Chen wrote:
>
> > At 12:02 PM 10/14/99 +0300, you wrote:
> > >Microsoft's position regarding L2TP is according to
> > >http://www.microsoft.com/windows/server/Technical/networking/NWPriv.asp
> > >(partly) the following:
> > >
> > >L2TP is a well-defined, interoperable protocol that addresses the current
> > >shortcomings of IPSec-only client-to-gateway and gateway-to-gateway
> > >scenarios (user authentication, tunnel IP address assignment, and
> > >multiprotocol support). L2TP has broad vendor support, particularly among
> > >the largest network access equipment providers, and has verified
> > >interoperability. By placing L2TP as payload within an IPSec packet,
> > >communications benefit from the standards-based encryption and authenticity of
> > >IPSec, while also receiving a highly interoperable way to accomplish user
> > >authentication, tunnel address assignment, multiprotocol support, and
> > >multicast support using PPP. This combination is commonly referred to as
> > >L2TP/IPSec. Lacking a better pure IPSec standards solution, Microsoft
> > >believes that L2TP/IPSec provides the best standards based solution for
> > >multi-vendor, interoperable client-to-gateway VPN scenarios. Microsoft is
> > >working closely with key networking vendors including Cisco, 3Com,
> > >Lucent and IBM, to support this important combination.
> > >
> > >I agree that having PPP gives us the stated benefits (and more?). However,
> > >I fail to see why there is a need to have an L2TP (and UDP) layer(s) between
> > >PPP and IPSec. As I understand L2TP, it would give us two benefits a) being
> > >able to tunnel PPP over several links, which IPSec already gives us, and
> > >b) being able to specify telephone world things like calling / called
> > >numbers and call failures due to a busy tone, which in a general IP world
> > >are non-relevant.
> > >
> > >I agree that a lot of Internet connectivity is through a telephone network,
> > >but the calling numbers should not be relied on for any sort of
> > >identification, despite what the telephone world people would like to
> > >convince people to believe. The only valid usage for telephone numbers that
> > >I see is call charging, but the ISPs are free to use L2TP for that purpose
> > >without there being any need for IPSec security gateways or IPSec hosts
> > >knowing or even caring about it.
> > >
> > >So, please show me what benefits PPP over L2TP over IPSec provides when
> > >compared to just running PPP over IPSec? If there are some, which is
> > >possible, wouldn't it be better to enhance IPSec protocol(s) to enable the
> > >same, instead of having L2TP?

It is better if IPSec has all PPP features.
If you would like to "enhance IPSec protocol(s)", why bother with L2TP?
--- David


> > The last sentence is ????
> > If you would like to improve IPSec, why bother with L2TP?
> > Just put all PPP features into IPSec.  :-)
> > This is not good logic.
> > --- David
>
>Pardon? I fail to parse that. What do you mean?
>
>Ari
>
>--
>Ari Huttunen                   phone: +358 9 859 900
>Senior Software Engineer       fax  : +358 9 8599 0452
>
>Data Fellows Corporation       http://www.DataFellows.com
>
>F-Secure products: Integrated Solutions for Enterprise Security