Re: PPP over IPSec (without L2TP)?

Ari Huttunen <Ari.Huttunen@datafellows.com> Mon, 18 October 1999 20:10 UTC

Message-ID: <380B44C1.F46C702F@DataFellows.com>
Date: Mon, 18 Oct 1999 19:03:13 +0300
From: Ari Huttunen <Ari.Huttunen@datafellows.com>
Organization: Data Fellows Oyj
To: Paul Koning <pkoning@xedia.com>
CC: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Subject: Re: PPP over IPSec (without L2TP)?
References: <00fe01bf16a0$f4ff1740$478939cc@internaut.com> <38070829.4F7AC3CA@DataFellows.com> <199910181522.LAA08630@tonga.xedia.com>


Paul Koning wrote:

> >>>>> "Ari" == Ari Huttunen <Ari.Huttunen@datafellows.com> writes:
>
>  Ari> ...
>  Ari> As to the re-ordering of packets by IPSec.. IPSec already does
>  Ari> sequence numbers. It shouldn't be too difficult to define a new
>  Ari> IPSec SA attribute negotiable by IKE that says "sequenced
>  Ari> delivery of packets required". The receiving IPSec
>  Ari> implementation would perhaps try to re-order packets during a
>  Ari> few milliseconds or whatever, and drop packets that come after
>  Ari> that.
>
> Yuck.
>
> Sure, it would be easy enough to add such an attribute, but adding the
> actual mechanism is quite another matter.
>
> Sequence protection doesn't belong in IP.  It hasn't been there for 30
> years, and it doesn't make sense to add it now.  I very much doubt
> that you could get agreement to add such a thing as a mandatory
> capability (certainly I'd object loudly) or even as a recommended
> capability.

Where's the beef? Using the same argumentation we'd never have,
for example, speech on top of IP, since "for more than 30 years
we've had speech on a telephone line.. etc."

Besides, IP is connectionless while IPSec in all its forms is
connection-oriented. (Not counting HIP.)

--
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

Data Fellows Corporation       http://www.DataFellows.com

F-Secure products: Integrated Solutions for Enterprise Security
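
The receiver-side behaviour proposed in the quoted text (hold out-of-order packets for a few milliseconds, deliver them in sequence, drop anything that arrives after that), as an added example that is not part of the original message or of any IPsec implementation. The "sequenced delivery" attribute is only a proposal in this thread; the class name, the 5 ms hold time and the sample arrivals are assumptions, packets are assumed to be already authenticated, and sequence-number wraparound is not handled.

```python
class Resequencer:
    """Hypothetical receiver for an SA negotiated with 'sequenced delivery required'."""

    def __init__(self, hold_ms=5):
        self.hold_ms = hold_ms   # assumed hold time ("a few milliseconds")
        self.next_seq = 1        # ESP/AH sequence numbers start at 1
        self.pending = {}        # seq -> (arrival_ms, payload)
        self.dropped = 0         # packets that arrived too late, or duplicates

    def poll(self, now_ms):
        """Release every packet that is in order or has been held long enough."""
        out = []
        while self.pending:
            lowest = min(self.pending)
            arrival_ms, payload = self.pending[lowest]
            if lowest != self.next_seq and now_ms - arrival_ms < self.hold_ms:
                break            # gap ahead of it, and the hold time is not up yet
            del self.pending[lowest]
            out.append(payload)
            self.next_seq = lowest + 1   # gives up on any gap that was skipped
        return out

    def receive(self, seq, payload, now_ms):
        """Accept one authenticated packet; return payloads now deliverable in order."""
        out = self.poll(now_ms)          # expire holds before judging this packet
        if seq < self.next_seq or seq in self.pending:
            self.dropped += 1            # came after its slot was given up, or duplicate
            return out
        self.pending[seq] = (now_ms, payload)
        return out + self.poll(now_ms)


def demo():
    # Constructed arrivals: (sequence number, payload, arrival time in ms).
    # Packet 3 overtakes packet 2; packet 4 arrives 7 ms after packet 5.
    arrivals = [(1, "a", 0), (3, "c", 1), (2, "b", 2), (5, "e", 3), (4, "d", 10)]
    r = Resequencer(hold_ms=5)
    delivered = []
    for seq, payload, t in arrivals:
        delivered += r.receive(seq, payload, t)
    return delivered, r.dropped


if __name__ == "__main__":
    print(demo())
```

In a real receiver poll() would also be driven by a timer, so a held packet is released when its hold time ends rather than when the next packet arrives.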