Re: PPP over IPSec (without L2TP)?
Pyda Srisuresh <srisuresh@yahoo.com> Fri, 15 October 1999 00:57 UTC
Message-ID: <19991014234002.14486.rocketmail@web1401.mail.yahoo.com>
Date: Thu, 14 Oct 1999 16:40:02 -0700
From: Pyda Srisuresh <srisuresh@yahoo.com>
Subject: Re: PPP over IPSec (without L2TP)?
To: Ari Huttunen <Ari.Huttunen@datafellows.com>, ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com

Ari,

You might want to take a look at <draft-ietf-pppext-secure-ra-00.txt>, titled "Secure Remote Access with L2TP". This takes a different tack from using IPsec to protect L2TP traffic between a LAC and an LNS. The draft essentially recommends using PPP over IPsec, while using L2TP to tunnel PPP packets over the internet. Such a scheme, I believe, is a beneficiary of the advantages of both L2TP and IPsec, while also providing end-to-end security using existing standards.

regards,
suresh

--- Ari Huttunen <Ari.Huttunen@datafellows.com> wrote:
> Microsoft's position regarding L2TP is according to
> http://www.microsoft.com/windows/server/Technical/networking/NWPriv.asp
> (partly) the following:
>
> L2TP is a well-defined, interoperable protocol that addresses the current
> shortcomings of IPSec-only client-to-gateway and gateway-to-gateway scenarios
> (user authentication, tunnel IP address assignment, and multiprotocol
> support). L2TP has broad vendor support, particularly among the largest
> network access equipment providers, and has verified interoperability. By
> placing L2TP as payload within an IPSec packet, communications benefit from
> the standards-based encryption and authenticity of IPSec, while also
> receiving a highly interoperable way to accomplish user authentication,
> tunnel address assignment, multiprotocol support, and multicast support
> using PPP. This combination is commonly referred to as L2TP/IPSec. Lacking
> a better pure IPSec standards solution, Microsoft believes that L2TP/IPSec
> provides the best standards based solution for multi-vendor, interoperable
> client-to-gateway VPN scenarios. Microsoft is working closely with key
> networking vendors including Cisco, 3Com, Lucent and IBM, to support this
> important combination.
>
> I agree that having PPP gives us the stated benefits (and more?). However, I
> fail to see why there is a need to have an L2TP (and UDP) layer(s) between
> PPP and IPSec. As I understand L2TP, it would give us two benefits
> a) being able to tunnel PPP over several links, which IPSec already gives
> us, and b) being able to specify telephone world things like calling /
> called numbers and call failures due to a busy tone, which in a general IP
> world are non-relevant.
>
> I agree that a lot of Internet connectivity is through a telephone network,
> but the calling numbers should not be relied on for any sort of
> identification, despite what the telephone world people would like to
> convince people to believe. The only valid usage for telephone numbers that
> I see is call charging, but the ISPs are free to use L2TP for that purpose
> without there being any need for IPSec security gateways or IPSec hosts
> knowing or even caring about it.
>
> So, please show me what benefits PPP over L2TP over IPSec provides when
> compared to just running PPP over IPSec? If there are some, which is
> possible, wouldn't it be better to enhance IPSec protocol(s) to enable the
> same, instead of having L2TP?
>
> --
> Ari Huttunen                   phone: +358 9 859 900
> Senior Software Engineer       fax  : +358 9 8599 0452
>
> Data Fellows Corporation       http://www.DataFellows.com
>
> F-Secure products: Integrated Solutions for Enterprise Security