[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Benefits of l2tp with ipsec?

Marcus Leech wrote:
> Maybe I'm just being naieve about how this would in fact be packed together,
>   but it seems to me that if you do an L2TP-based implementation you have
>   something like this:
>    IP over PPP over L2TP over IPSEC over IP
>    [Plus the IP over PPP that you have with your local ISP].

On a first read, it seemed like you are showing _three_ IP headers in each
L2TP/IPSEC packet. There are only two because L2TP is carried in transport


where [ULP] is some upper layer protocol such as TCP. A corresponding
IPSEC tunnel mode frame is:


> Purely from an efficiency in layering point of view, and a bits-consumed
>   point of view, this seems bad.

I agree, but there was discussion on the ipsec mailing list about L2TP
header compression. L2TPHC removes the UDP header and reduces the L2TP
header from about 8 bytes to 2 bytes. This makes an L2TP packet only
3 bytes longer than normal IPSEC tunnel mode packets:


Question (for L2TP folk): L2TPHC negotiates a IP protocol number
to indicate compressed L2TPHC payloads because there is _no_
UDP header. How does this protocol number interact with the IPSEC
SPD? Does each peer modify its SPD based on the negotiated protocol
number? The L2TP over IPSEC draft doesn't discuss L2TPHC and the
L2TPHC draft doesn't discuss IPSEC.

Finally, is it legal to define an IPSEC SPD descriptor that matches
a dynamically negotiated IP protocol number? It was my understanding
(from Steve Kent) that the _only_ legal protocol selections for a SPD
rule were TCP, UDP, and ICMP.

-Ben McCann

Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@xxxxxxxxxxxxxx           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111