[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PPP over IPSec (without L2TP)?
You might want to take a look at <draft-ietf-pppext-secure-ra-00.txt>,
titled "Secure Remote Access with L2TP". This takes a different tack from
using IPsec to protect L2TP traffic between a LAC and an LNS.
The draft essentially recommends using PPP over IPsec, while using L2TP to
tunnel PPP packets over the internet. Such a scheme, I believe, is a
beneficiary of the advantages of both L2TP and IPsec, while also providing
end-to-end security using existing standards.
--- Ari Huttunen <Ari.Huttunen@datafellows.com> wrote:
> Microsoft's position regarding L2TP is according to
> (partly) the following:
> L2TP is a well-defined, interoperable protocol that addresses the current
> shortcomings of IPSec-only client-to-gateway and gateway-to-gateway scenarios
> (user authentication, tunnel IP address assignment, and multiprotocol
> support). L2TP has broad vendor support, particularly among the largest
> network access equipment providers, and has verified interoperability. By
> placing L2TP as payload within an IPSec packet, communications benefit from
> the standards-based encryption and authenticity of
> IPSec, while also receiving a highly interoperable way to accomplish user
> authentication, tunnel address assignment, multiprotocol support, and
> multicast support using PPP. This combination is commonly referred to as
> L2TP/IPSec. Lacking a better pure IPSec standards solution, Microsoft
> believes that L2TP/IPSec provides the best standards based solution for
> multi-vendor, interoperable client-to-gateway VPN scenarios. Microsoft is
> working closely with key networking vendors including Cisco, 3Com,
> Lucent and IBM, to support this important combination.
> I agree that having PPP gives us the stated benefits (and more?). However, I
> fail to see why there
> is a need to have an L2TP (and UDP) layer(s) between PPP and IPSec. As I
> L2TP, it would give us two benefits a) being able to tunnel PPP over several
> links, which
> IPSec already gives us, and b) being able to specify telephone world things
> like calling /
> called numbers and call failures due to a busy tone, which in a general IP
> world are non-relevant.
> I agree that a lot of Internet connectivity is through a telephone network,
> but the calling numbers
> should not be relied on for any sort of identification, despite what the
> telephone world people
> would like to convince people to believe. The only valid usage for telephone
> numbers that
> I see is call charging, but the ISPs are free to use L2TP for that purpose
> without there being
> any need for IPSec security gateways or IPSec hosts knowing or even caring
> about it.
> So, please show me what benefits PPP over L2TP over IPSec provides when
> to just running PPP over IPSec? If there are some, which is possible,
> wouldn't it be
> better to enhance IPSec protocol(s) to enable the same, instead of having
> Ari Huttunen phone: +358 9 859 900
> Senior Software Engineer fax : +358 9 8599 0452
> Data Fellows Corporation http://www.DataFellows.com
> F-Secure products: Integrated Solutions for Enterprise Security
Do You Yahoo!?
Bid and sell for free at http://auctions.yahoo.com