RE: l2tp as ipsra solution
Moshe Litvin [mailto://moshe@xxxxxxxxxxxxxx] writes:
> > L2TP people essentially say - PPP delivers good remote access (and has
> > been doing this for years), while IPsec delivers good security - let's
> > combine both protocols to provide secure remote access.
>
> We should be more specific about what PPP delivers:
Good idea.
>
> 1. Tunneling
No. PPP does not provide tunneling. If you're going to be specific, please
try to be accurate as well.
> 2. End point configuration (giving IP for the endpoint, etc.)
> 3. Legacy authentication.
And PK (with EAP).
> 4. Other - I am not a PPP expert so I can't really say what all the
> services are that PPP can offer. I am sure that others could contribute.
>
> As for tunneling, IPsec tunnel mode is more efficient than L2TP+IPsec
> transport mode. I don't think that tunneling non-IP protocols is in the
> scope of this working group, so the ability of L2TP to tunnel non-IP
> protocol is irrelevant.
So "remote access" is defined narrowly as "remote access to IP-based
networks"?
>
> As for legacy authentication, it was already noted that authenticated IPsec
> keys must exist before the PPP authentication. Some have suggested the idea
> of machine keys used to authenticate IKE exchanges, and then a separate step
> of authenticating the user. The main benefit of this separation is that we
> can easily solve this problem. But in the general case there is no separation
> between machine and human credentials.
So "remote access to IP-based networks" does not include e.g. a dial on
demand connection from a router on a home office network to a central office
network?
>
> A different solution to this problem is to use the hybrid mode to create
> one-way authentication to the IPsec keys, and then use PPP authentication.
> This solution is forbidden according to the charter, but if we don't want to
> use it (or something similar) the PPP authentication abilities are useless.
I see. So "User authentication" is useless? Why are we talking, then?
>
> So when I look at the list (which is not complete), I see that the only
> service we need from PPP is the configuration. If (and only if) the
> workgroup decides to adopt something similar to hybrid, we can also use the
> legacy authentication of PPP. On the other hand, the tunneling property of
> PPP is only an obstacle. If this is so, then we can use PPP only for the
> things that we need it for, that is:
>
> 1. Negotiate IPsec keys
> 2. Open a PPP connection over IP, protected by IPsec to get the
> configuration information (and perhaps to complete the authentication)
> 3. Close the PPP connection
> 4. Continue using tunnel mode IPsec.
>
> Moshe
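The claim quoted above that IPsec tunnel mode is more efficient than L2TP over IPsec transport mode can be put in numbers. The following is an added example, not code from either poster or from the ipsra working group: it computes the on-wire size of an inner IP packet under both encapsulations from the header sizes in RFC 2406 (ESP), RFC 2661 (L2TPv2 data header) and RFC 1661/1662 (PPP address/control and protocol fields). The cipher and MAC parameters are assumptions, defaulting to 3DES-CBC with HMAC-SHA1-96, and the example also covers cases the thread does not spell out: AES-CBC block padding, PPP header compression, and the largest inner packet that fits a 1500-byte MTU without fragmentation.

```python
# Added example (not from the original thread): per-packet overhead of
# ESP tunnel mode versus PPP-in-L2TP-in-UDP protected by ESP transport mode.
# Header sizes: RFC 2406 (ESP), RFC 2661 (L2TPv2), RFC 1661/1662 (PPP).
# Cipher/MAC sizes are assumptions passed as parameters.

OUTER_IPV4 = 20          # IPv4 header without options
UDP_HDR = 8
L2TP_DATA_MIN = 6        # flags/version, tunnel ID, session ID (L, S, O bits clear)
L2TP_SEQ = 4             # Ns/Nr fields, present only when the S bit is set
PPP_HDR_FULL = 4         # 0xFF 0x03 address/control + 2-byte protocol field
PPP_HDR_COMPRESSED = 1   # ACFC and PFC negotiated: single-byte protocol 0x21
ESP_HDR = 8              # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header


def esp_overhead(plain_len, iv_len=8, block=8, icv_len=12):
    """Bytes ESP adds around plain_len bytes of data.

    Defaults assume 3DES-CBC (8-byte IV and block) with HMAC-SHA1-96
    (12-byte ICV). Padding brings data + trailer to a multiple of the cipher
    block size; RFC 2406 also requires the trailer to end on a 4-byte
    boundary, which is what governs padding for a NULL cipher (block=1).
    """
    align = block if block % 4 == 0 else 4
    pad = (-(plain_len + ESP_TRAILER)) % align
    return ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def tunnel_mode_size(inner_len, iv_len=8, block=8, icv_len=12):
    """On-wire size of an inner IP packet of inner_len bytes in ESP tunnel mode."""
    return OUTER_IPV4 + inner_len + esp_overhead(inner_len, iv_len, block, icv_len)


def l2tp_transport_size(inner_len, ppp_hdr=PPP_HDR_FULL, l2tp_seq=False,
                        iv_len=8, block=8, icv_len=12):
    """On-wire size of the same packet carried as a PPP frame inside an
    L2TP/UDP datagram, with ESP transport mode protecting the UDP payload.
    Only the UDP header and everything after it is inside the ESP payload;
    the outer IPv4 header is the original header of the L2TP datagram."""
    l2tp_hdr = L2TP_DATA_MIN + (L2TP_SEQ if l2tp_seq else 0)
    plain = UDP_HDR + l2tp_hdr + ppp_hdr + inner_len
    return OUTER_IPV4 + plain + esp_overhead(plain, iv_len, block, icv_len)


def compare(inner_len, ppp_hdr=PPP_HDR_FULL, l2tp_seq=False,
            iv_len=8, block=8, icv_len=12):
    """Return (tunnel_mode_bytes, l2tp_bytes, extra_bytes_paid_by_l2tp)."""
    t = tunnel_mode_size(inner_len, iv_len, block, icv_len)
    l = l2tp_transport_size(inner_len, ppp_hdr, l2tp_seq, iv_len, block, icv_len)
    return t, l, l - t


def max_inner(mtu, size_fn):
    """Largest inner packet whose encapsulation (per size_fn) fits in mtu bytes
    without fragmentation. size_fn is monotone, so a downward scan suffices."""
    n = mtu
    while n > 0 and size_fn(n) > mtu:
        n -= 1
    return n


if __name__ == "__main__":
    # Constructed sample sizes: a 40-byte TCP ACK and a 1400-byte data packet.
    for inner in (40, 1400):
        t, l, d = compare(inner)
        print(f"inner={inner:5d}  tunnel={t:5d}  l2tp/ipsec={l:5d}  extra={d}")
    print("AES-CBC, 40-byte packet:", compare(40, iv_len=16, block=16))
    print("max inner for MTU 1500: tunnel", max_inner(1500, tunnel_mode_size),
          "l2tp/ipsec", max_inner(1500, l2tp_transport_size))
```

With the 3DES defaults the L2TP/IPsec path costs 16 extra bytes per packet regardless of packet size, and the largest inner packet that avoids fragmentation on a 1500-byte link drops from 1446 to 1428 bytes. PPP header compression and L2TP sequencing are absorbed by ESP block padding in these cases, which is why they do not change the totals.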