Re: PPP over IPSec (without L2TP)?
"Scott G. Kelly" <skelly@redcreek.com> Thu, 14 October 1999 17:52 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id KAA24418; Thu, 14 Oct 1999 10:52:13 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA29495 Thu, 14 Oct 1999 12:08:26 -0400 (EDT)
Message-ID: <38060149.F2DCC128@redcreek.com>
Date: Thu, 14 Oct 1999 09:14:01 -0700
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Ari Huttunen <Ari.Huttunen@datafellows.com>
CC: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Subject: Re: PPP over IPSec (without L2TP)?
References: <38059C2D.F56BA62A@DataFellows.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Ari Huttunen wrote:

<substantially trimmed...>

> I agree that having PPP gives us the stated benefits (and more?). However, I fail to see why there
> is a need to have an L2TP (and UDP) layer(s) between PPP and IPSec.

<more trimmed...>

> So, please show me what benefits PPP over L2TP over IPSec provides when compared
> to just running PPP over IPSec? If there are some, which is possible, wouldn't it be
> better to enhance IPSec protocol(s) to enable the same, instead of having L2TP?

I think that one strong argument for not running ppp directly over ipsec is that ppp is a layer 2 construct, and ipsec is designed to secure traffic at layer 3. Aside from the architectural repugnance, there are significant difficulties presented by encapsulation of PPP (and L2TP, for that matter) in IPsec. Many of these arise due to the fact that in order to apply policy to these packets, you must first understand what is in them, and all the security implications of the various content possibilities. Once you thoroughly understand the PPP (or L2TP) protocol in this light, then you can begin to design a security protocol which secures them. I think the bottom line is that that protocol would *not* be ipsec - it would be something else.

This dances around a bigger problem which keeps recurring in different guises on this list: vpn and ipsec are not synonymous. I think that running L2TP over ipsec is essentially a hack which leverages ipsec for a vpn scenario. However, ipsec was not designed to provide security for the L2TP payload, so that if there is not an L2TP security subsystem which controls the encapsulation, then the payload is not truly secured - it is simply being tunneled, albeit reliably.

Scott
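The point Scott makes about policy, that IPsec selectors operate on the IP/transport headers it can see and so cannot apply policy to what PPP carries until someone parses the L2TP and PPP encapsulation, can be shown concretely. The following is an added example, not code from the original post or from any IETF specification: it builds a constructed IPv4/UDP/L2TP/PPP packet around an inner IPv4/TCP datagram, runs a toy selector-based SPD over the outer headers, then strips the L2TP and PPP headers (RFC 2661 data-message header layout, PPP address/control and protocol field) to recover the inner datagram and run the same SPD over it. Addresses, ports, tunnel/session IDs and the SPD rules are all assumptions made for illustration.

```python
"""
Added example (not from the original mailing-list post): a constructed
L2TP/PPP-in-UDP packet and a minimal IPsec-style selector matcher, showing that
an SPD keyed on the outer IP/UDP headers cannot see the inner PPP payload
unless the L2TP and PPP headers are parsed first.  All addresses, ports,
tunnel/session IDs and policy rules are assumptions made for illustration.
"""
import struct
import ipaddress

L2TP_T = 0x8000          # control-message bit (no PPP payload)
L2TP_L = 0x4000          # Length field present
L2TP_S = 0x0800          # Ns/Nr fields present
L2TP_O = 0x0200          # Offset Size field present
L2TP_VER_MASK = 0x000F
PPP_PROTO_IPV4 = 0x0021


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header: no options, checksum left zero (illustrative only)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def tcp_header(sport, dport):
    """Minimal TCP SYN header: data offset 5, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def l2tp_data_header(tunnel_id, session_id, ns, nr, payload_len):
    """RFC 2661 data-message header with Length and Ns/Nr present, version 2."""
    flags = L2TP_L | L2TP_S | 2
    return struct.pack("!HHHHHH", flags, 12 + payload_len, tunnel_id, session_id, ns, nr)


def build_inner():
    # Constructed inner datagram: a telnet SYN between two private hosts.
    tcp = tcp_header(40000, 23)
    return ipv4_header("10.0.0.5", "10.0.0.9", 6, len(tcp)) + tcp


def build_outer(inner):
    # PPP frame: address/control 0xFF 0x03, protocol 0x0021 (IPv4), then the datagram.
    ppp = b"\xff\x03" + struct.pack("!H", PPP_PROTO_IPV4) + inner
    l2tp = l2tp_data_header(7, 42, 1, 0, len(ppp)) + ppp
    udp = udp_header(1701, 1701, len(l2tp)) + l2tp
    return ipv4_header("192.0.2.10", "198.51.100.1", 17, len(udp)) + udp


def five_tuple(pkt):
    """(src, dst, proto, sport, dport) as an IPsec selector lookup would see it."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport = dport = None
    if proto in (6, 17):
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return (src, dst, proto, sport, dport)


def unwrap_l2tp_ppp(pkt):
    """Strip IPv4/UDP/L2TP/PPP and return the inner IPv4 datagram, or None if this
    is not an L2TP data message carrying IPv4 over PPP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or struct.unpack_from("!H", pkt, ihl + 2)[0] != 1701:
        return None
    off = ihl + 8
    flags = struct.unpack_from("!H", pkt, off)[0]
    if flags & L2TP_VER_MASK != 2 or flags & L2TP_T:
        return None
    off += 2
    if flags & L2TP_L:
        off += 2                      # Length
    off += 4                          # Tunnel ID, Session ID
    if flags & L2TP_S:
        off += 4                      # Ns, Nr
    if flags & L2TP_O:
        off += 2 + struct.unpack_from("!H", pkt, off)[0]   # Offset Size + pad
    if pkt[off:off + 2] == b"\xff\x03":                     # ACFC may omit these
        off += 2
    if pkt[off] & 0x01:                                     # PFC: one-byte protocol
        proto, off = pkt[off], off + 1
    else:
        proto, off = struct.unpack_from("!H", pkt, off)[0], off + 2
    return pkt[off:] if proto == PPP_PROTO_IPV4 else None


# Constructed SPD: (dst_port, proto, action); first match wins, default discard.
SPD = [
    (23, 6, "discard"),     # telnet must never cross this gateway
    (1701, 17, "protect"),  # L2TP over UDP goes into the ESP tunnel
]


def spd_lookup(sel):
    _, _, proto, _, dport = sel
    for rule_port, rule_proto, action in SPD:
        if proto == rule_proto and dport == rule_port:
            return action
    return "discard"


def demo():
    inner = build_inner()
    outer = build_outer(inner)
    recovered = unwrap_l2tp_ppp(outer)
    return {
        "outer": five_tuple(outer),
        "outer_action": spd_lookup(five_tuple(outer)),
        "inner": five_tuple(recovered),
        "inner_action": spd_lookup(five_tuple(recovered)),
        "recovered_equals_inner": recovered == inner,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The SPD sees only UDP/1701 and says "protect", so the telnet SYN rides through the tunnel even though the same SPD would discard it if presented with the inner datagram; the discard rule only fires after the L2TP and PPP headers are parsed, which is the layer-2-aware processing Scott argues is not IPsec's job.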
- PPP over IPSec (without L2TP)? Ari Huttunen
- RE: PPP over IPSec (without L2TP)? Shriver, John
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? Scott G. Kelly
- Re[2]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Shriver, John
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- Re[2]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[6]: PPP over IPSec (without L2TP)? Jim Tiller
- Re[4]: PPP over IPSec (without L2TP)? Jim Tiller
- RE: Re[4]: PPP over IPSec (without L2TP)? Shriver, John
- Re: PPP over IPSec (without L2TP)? Scott G. Kelly
- Re: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Bernard Aboba
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- RE: Re[2]: PPP over IPSec (without L2TP)? Pyda Srisuresh
- RE: Re[2]: PPP over IPSec (without L2TP)? Stephen Kent
- Re: PPP over IPSec (without L2TP)? Paul Koning
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? David Chen
- Re: PPP over IPSec (without L2TP)? Ari Huttunen
- Re: PPP over IPSec (without L2TP)? David Chen