Re: [v6tc] Let the market decide or not: L2TP and/or TSP

Francis Dupont <Francis.Dupont@enst-bretagne.fr> Sat, 09 April 2005 09:31 UTC

Message-Id: <200504090929.j399TT8h017348@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Alain Durand <alain@tycool.net>
Subject: Re: [v6tc] Let the market decide or not: L2TP and/or TSP
In-reply-to: Your message of Fri, 08 Apr 2005 11:49:23 PDT. <2ebbfb91d40e6f9790ef7c1db0abc78e@tycool.net>
Date: Sat, 09 Apr 2005 11:29:29 +0200
Cc: v6tc@ietf.org

 In your previous mail you wrote:

   L2TP:
	- Lack of a complete non authenticated mode.

=> this is not true, but L2TP security is a bit complex. I'll try
to summarize it here for L2TP v2 over an IPv4 network:
 * the basic way to use L2TP is over UDP, i.e., with
   IPv4 - UDP - L2TP - PPP - IPv6 - etc
 * the highest security is provided by IPsec ESP in transport mode:
   IPv4 - ESP - UDP - L2TP - PPP - IPv6 - etc
 * as the previous solution kills NAT traversal, it is possible to
   use IPsec with NAT traversal and L2TP directly over IP:
   IPv4 - UDP - ESP - L2TP - PPP - IPv6 - etc
 * without IPsec, which can be too hard to use (no anonymous tunnel with it),
   L2TP can be protected using a shared secret (shared between the server
   and its clients) and a CHAP-like mechanism. The idea is to protect
   the L2TP control against unauthenticated access.
 * PPP itself can (should!) be protected using PAP, CHAP, ..., and
   things like MPPE. Perhaps not very good from the security point of
   view but easy to use and often already deployed.
 * last point: most L2TP servers can be configured according to the
   client addresses, so it is possible to use a fully unauthenticated
   L2TP in a closed (by any means) network. BTW the IPsec solutions are
   a special case of this.

Regards

Francis.Dupont@enst-bretagne.fr

PS: in conclusion there is a complete non authenticated mode in L2TP
but as one should expect it must not be used in an open network...

_______________________________________________
v6tc mailing list
v6tc@ietf.org
https://www1.ietf.org/mailman/listinfo/v6tc