In L2TP it is perfectly possible to applyExcuse me? I'm not an expert on L2TP, but I believe that's not
filters to achieve the same level of security. In fact, if
anything the argument went the other way -- because L2TP
does user authentication, when run over IPSEC its security
is stronger than that of IPSEC tunnel mode implementations
that only do machine authentication and therefore have no
idea who the user is.
9.1 Tunnel Endpoint SecurityI believe L2TP only authenticates the machines, while it's PPP that authenticates
The tunnel endpoints may optionally perform an authentication
procedure of one another during tunnel establishment. This
authentication has the same security attributes as CHAP, and has
reasonable protection against replay and snooping during the tunnel
establishment process. This mechanism is not designed to provide any
authentication beyond tunnel establishment; it is fairly simple for a
malicious user who can snoop the tunnel stream to inject packets once
an authenticated tunnel establishment has been completed
For authentication to occur, the LAC and LNS MUST share a single
secret. Each side uses this same secret when acting as authenticatee
as well as authenticator. Since a single secret is used, the tunnel
authentication AVPs include differentiating values in the CHAP ID
fields for each message digest calculation to guard against replay
There was also some talk about filtering of packets. As you see below,
wishes to put the filtering above its layer, to the PPP layer. Achieving this
should be easier in practice if you have less protocol layers between IPSec and PPP.
9.4 L2TP and IPsec ...snip... IPsec also defines access control features that are required of a compliant IPsec implementation. These features allow filtering of packets based upon network and transport layer characteristics such as IP address, ports, etc. In the L2TP tunneling model, analogous filtering is logically performed at the PPP layer or network layer above L2TP. These network layer access control features may be handled at the LNS via vendor-specific authorization features based upon the authenticated PPP user, or at the network layer itself by using IPsec transport mode end-to-end between the communicating hosts. The requirements for access control mechanisms are not a part of the L2TP specification and as such are outside the scope of this document.
As to the re-ordering of packets by IPSec.. IPSec already does sequence numbers. It shouldn't
be too difficult to define a new IPSec SA attribute negotiable by IKE that says "sequenced
delivery of packets required". The recieving IPSec implementation would perhaps try to re-order
packets during a few milliseconds or whatever, and drop packets that come after that.
Ari Huttunen phone: +358 9 859 900
Senior Software Engineer fax : +358 9 8599 0452
Data Fellows Corporation http://www.DataFellows.com
F-Secure products: Integrated Solutions for Enterprise Security