Re: PPP over IPSec (without L2TP)?

Paul Koning <pkoning@xedia.com> Mon, 18 October 1999 19:41 UTC

Date: Mon, 18 Oct 1999 11:22:59 -0400
Message-Id: <199910181522.LAA08630@tonga.xedia.com>
From: Paul Koning <pkoning@xedia.com>
To: Ari.Huttunen@datafellows.com
Cc: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Subject: Re: PPP over IPSec (without L2TP)?
References: <00fe01bf16a0$f4ff1740$478939cc@internaut.com> <38070829.4F7AC3CA@DataFellows.com>

>>>>> "Ari" == Ari Huttunen <Ari.Huttunen@datafellows.com> writes:

 Ari> ...
 Ari> As to the re-ordering of packets by IPSec.. IPSec already does
 Ari> sequence numbers. It shouldn't be too difficult to define a new
 Ari> IPSec SA attribute negotiable by IKE that says "sequenced
 Ari> delivery of packets required". The receiving IPSec
 Ari> implementation would perhaps try to re-order packets during a
 Ari> few milliseconds or whatever, and drop packets that come after
 Ari> that.

Yuck.

Sure, it would be easy enough to add such an attribute, but adding the 
actual mechanism is quite another matter.

Sequence protection doesn't belong in IP.  It hasn't been there for 30 
years, and it doesn't make sense to add it now.  I very much doubt
that you could get agreement to add such a thing as a mandatory
capability (certainly I'd object loudly) or even as a recommended
capability. 

	paul
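
The receive-side mechanism that the quoted proposal would require, as an added illustration that is not part of the original message or of any IPsec specification: a reorder buffer that holds out-of-order packets for a short time and drops packets arriving after their gap has been abandoned. The class, function and parameter names (`Resequencer`, `run`, `hold_ms`) and the arrival trace are assumptions constructed for this example.

```python
class Resequencer:
    """Receive-side reorder buffer keyed on a per-SA sequence number (hypothetical)."""

    def __init__(self, hold_ms, first_seq=1):
        self.hold_ms = hold_ms
        self.next_seq = first_seq   # next sequence number owed to the upper layer
        self.pending = {}           # seq -> arrival time (ms) of packets held back
        self.dropped = []           # packets discarded: too late, or duplicates

    def tick(self, now_ms):
        """Release everything deliverable at now_ms, in sequence order."""
        out = []
        while self.pending:
            seq = min(self.pending)
            waited = now_ms - min(self.pending.values())
            if seq != self.next_seq and waited < self.hold_ms:
                break               # gap still open and hold timer not expired
            del self.pending[seq]   # in order, or the gap is abandoned
            out.append(seq)
            self.next_seq = seq + 1
        return out

    def receive(self, now_ms, seq):
        if seq < self.next_seq or seq in self.pending:
            self.dropped.append(seq)
        else:
            self.pending[seq] = now_ms
        return self.tick(now_ms)


def run(events, hold_ms):
    """events: constructed (time_ms, seq) pairs; seq None is a timer tick."""
    r, delivered = Resequencer(hold_ms), []
    for now_ms, seq in events:
        delivered += r.tick(now_ms) if seq is None else r.receive(now_ms, seq)
    return delivered, r.dropped


# Constructed arrival trace: 3 overtakes 2, 4 is delayed past the hold time.
SAMPLE = [(0, 1), (1, 3), (2, 2), (3, 6), (4, 5), (8, None), (9, 4)]

if __name__ == "__main__":
    print(run(SAMPLE, hold_ms=5))
```

The per-SA state, the timer and the added delivery latency visible here are what the receiver takes on beyond negotiating the attribute itself.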