Re: PPP over IPSec (without L2TP)?

David Chen <dchen@indusriver.com> Wed, 20 October 1999 18:58 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id LAA16126; Wed, 20 Oct 1999 11:58:31 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id NAA28413 Wed, 20 Oct 1999 13:06:21 -0400 (EDT)
Message-Id: <4.2.0.58.19991020130425.00a8d290@pop3.indusriver.com>
X-Sender: dchen@pop3.indusriver.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 20 Oct 1999 13:12:33 -0400
To: Ari Huttunen <Ari.Huttunen@datafellows.com>
From: David Chen <dchen@indusriver.com>
Subject: Re: PPP over IPSec (without L2TP)?
Cc: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
In-Reply-To: <38059C2D.F56BA62A@DataFellows.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=====================_71818850==_.ALT"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Mr. Huttunen,
You wrote with the following header and content (after the "===" mark):

The question I have is in your last sentence.
" If there are some, which is possible, wouldn't it be
better to enhance IPSec protocol(s) to enable the same, instead of having 
L2TP?"

Does it sound like you want to "enhance IPSec protocol"?

Regards,

--- David

BTW.  I cc to the same cc you did.

===========================================================

Date: Thu, 14 Oct 1999 12:02:37 +0300
From: Ari Huttunen <Ari.Huttunen@DataFellows.com>
Organization: Data Fellows Oyj
X-Mailer: Mozilla 4.51 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Subject: PPP over IPSec (without L2TP)?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 12:02 PM 10/14/99 +0300, you wrote:
>Microsoft's position regarding L2TP is according to 
>http://www.microsoft.com/windows/server/Technical/networking/NWPriv.asp
>(partly) the following:
>
>L2TP is a well-defined, interoperable protocol that addresses the current 
>shortcomings of IPSec-only client-to-gateway and gateway-to-gateway 
>scenarios (user authentication, tunnel IP address assignment, and 
>multiprotocol support). L2TP has broad vendor support, particularly among 
>the largest network access equipment providers, and has verified 
>interoperability. By placing L2TP as payload within an IPSec packet, 
>communications benefit from the standards-based encryption and authenticity of
>IPSec, while also receiving a highly interoperable way to accomplish user 
>authentication, tunnel address assignment, multiprotocol support, and 
>multicast support using PPP. This combination is commonly referred to as 
>L2TP/IPSec. Lacking a better pure IPSec standards solution, Microsoft 
>believes that L2TP/IPSec provides the best standards based solution for 
>multi-vendor, interoperable client-to-gateway VPN scenarios. Microsoft is 
>working closely with key networking vendors including Cisco, 3Com,
>Lucent and IBM, to support this important combination.
>
>I agree that having PPP gives us the stated benefits (and more?). However,
>I fail to see why there is a need to have an L2TP (and UDP) layer(s) between
>PPP and IPSec. As I understand L2TP, it would give us two benefits a) being
>able to tunnel PPP over several links, which IPSec already gives us, and
>b) being able to specify telephone world things like calling / called
>numbers and call failures due to a busy tone, which in a general IP world
>are non-relevant.
>
>I agree that a lot of Internet connectivity is through a telephone network,
>but the calling numbers should not be relied on for any sort of
>identification, despite what the telephone world people would like to
>convince people to believe. The only valid usage for telephone numbers that
>I see is call charging, but the ISPs are free to use L2TP for that purpose
>without there being any need for IPSec security gateways or IPSec hosts
>knowing or even caring about it.
>
>So, please show me what benefits PPP over L2TP over IPSec provides when
>compared to just running PPP over IPSec? If there are some, which is
>possible, wouldn't it be better to enhance IPSec protocol(s) to enable the
>same, instead of having L2TP?
>
>--
>Ari Huttunen                   phone: +358 9 859 900
>Senior Software Engineer       fax  : +358 9 8599 0452
>
>Data Fellows Corporation       http://www.DataFellows.com
>
>F-Secure products: Integrated Solutions for Enterprise Security