Re: PPP over IPSec (without L2TP)?
Ari Huttunen <Ari.Huttunen@datafellows.com> Fri, 15 October 1999 12:46 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id FAA26999; Fri, 15 Oct 1999 05:46:27 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id GAA03426 Fri, 15 Oct 1999 06:52:16 -0400 (EDT)
Message-ID: <38070829.4F7AC3CA@DataFellows.com>
Date: Fri, 15 Oct 1999 13:55:37 +0300
From: Ari Huttunen <Ari.Huttunen@datafellows.com>
Organization: Data Fellows Oyj
X-Mailer: Mozilla 4.51 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: aboba@internaut.com
CC: 'Stephen Kent' <kent@bbn.com>, 'Jim Tiller' <tiller_j@ins.com>, ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Subject: Re: PPP over IPSec (without L2TP)?
References: <00fe01bf16a0$f4ff1740$478939cc@internaut.com>
Content-Type: multipart/alternative; boundary="------------ABACCCAA473B289361B1F6DC"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Bernard Aboba wrote: > In L2TP it is perfectly possible to apply > filters to achieve the same level of security. In fact, if > anything the argument went the other way -- because L2TP > does user authentication, when run over IPSEC its security > is stronger than that of IPSEC tunnel mode implementations > that only do machine authentication and therefore have no > idea who the user is. Excuse me? I'm not an expert on L2TP, but I believe that's not entirely correct. Let me quote RFC-2661. > 9.1 Tunnel Endpoint Security > > The tunnel endpoints may optionally perform an authentication > procedure of one another during tunnel establishment. This > authentication has the same security attributes as CHAP, and has > reasonable protection against replay and snooping during the tunnel > establishment process. This mechanism is not designed to provide any > authentication beyond tunnel establishment; it is fairly simple for a > malicious user who can snoop the tunnel stream to inject packets once > an authenticated tunnel establishment has been completed > successfully. > > For authentication to occur, the LAC and LNS MUST share a single > secret. Each side uses this same secret when acting as authenticatee > as well as authenticator. Since a single secret is used, the tunnel > authentication AVPs include differentiating values in the CHAP ID > fields for each message digest calculation to guard against replay > attacks. > I believe L2TP only authenticates the machines, while it's PPP that authenticates the users. There was also some talk about filtering of packets. As you see below, RFC-2661 wishes to put the filtering above its layer, to the PPP layer. Achieving this should be easier in practice if you have less protocol layers between IPSec and PPP. > 9.4 L2TP and IPsec > > ...snip... > > IPsec also defines access control features that are required of a > compliant IPsec implementation. These features allow filtering of > packets based upon network and transport layer characteristics such > as IP address, ports, etc. In the L2TP tunneling model, analogous > filtering is logically performed at the PPP layer or network layer > above L2TP. These network layer access control features may be > handled at the LNS via vendor-specific authorization features based > upon the authenticated PPP user, or at the network layer itself by > using IPsec transport mode end-to-end between the communicating > hosts. The requirements for access control mechanisms are not a part > of the L2TP specification and as such are outside the scope of this > document. > As to the re-ordering of packets by IPSec.. IPSec already does sequence numbers. It shouldn't be too difficult to define a new IPSec SA attribute negotiable by IKE that says "sequenced delivery of packets required". The recieving IPSec implementation would perhaps try to re-order packets during a few milliseconds or whatever, and drop packets that come after that. -- Ari Huttunen phone: +358 9 859 900 Senior Software Engineer fax : +358 9 8599 0452 Data Fellows Corporation http://www.DataFellows.com F-Secure products: Integrated Solutions for Enterprise Security
- PPP over IPSec (without L2TP)? Ari Huttunen
- RE: PPP over IPSec (without L2TP)? Shriver, John
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? Scott G. Kelly
- Re[2]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Shriver, John
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- Re[2]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[6]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[4]: PPP over IPSec (without L2TP)? Jim Tiller
- RE: Re[4]: PPP over IPSec (without L2TP)? Shriver, John
- Re: PPP over IPSec (without L2TP)? Scott G. Kelly
- Re: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Bernard Aboba
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- Re: PPP over IPSec (without L2TP)? Paul Koning
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? David Chen
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? David Chen