
Re: ISAKMP performance



> 
> It's not clear what doing a secure tunnel from the NAS to the firewall
> buys me as an end user, as I can't trust the phone network to be
> secure.

IPsec + IP Mobility only works for IP.  The Internet doesn't carry WFW, or
IPX, or AppleTalk on the backbone. To get around this, people are trying to
create PPP connections directly from a client machine to a "home server",
using PPTP, or L2F, or L2TP (all various forms of "get the PPP frames across
the Internet" protocols, the third of which is an IETF WG). Note that the
mandate is to do this *without* requiring changes on the client; i.e. it
speaks 'standard' PPP with the NAS, and everything else is "magic".

In order to gain approximately the same level of security one has in a
direct connect with a tunnel over the Internet, one needs strong security
between the NAS and the "home server".  The L2TP group wants to mandate
IPSEC for this purpose. Hence the ISAKMP performance discussion.

Note that L2TP is not just a PPP over the Internet technology; it's designed
to run over other "network" media, like Frame and ATM. IPsec is only being
considered for L2TP over IP at this time.

I am neither for nor against this technology. I recognize that it is an
expedient solution to the problem of roaming users, VPNs, and non-IP
protocols, but I'm not convinced that it is either the only or the best
solution. Heck, with the proliferation of "Internet on the desktop" it may
become entirely moot in a couple of years...

-- 
Harald Koch <chk@utcc.utoronto.ca>
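Added example, not from the mail or from any of the L2TP drafts: a parser for the L2TPv2 header (field layout as in RFC 2661) and the PPP frame a data message carries, run over a constructed packet. It illustrates the point above: between the NAS and the "home server" the PPP protocol field and payload (IPX in this sample) travel in the clear unless IPsec protects that leg. The sample bytes and the dictionary keys are assumptions of this example.

```python
import struct

# PPP protocol numbers for the payloads the mail mentions (IP, IPX, AppleTalk) plus LCP/IPCP.
PPP_PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk", 0xC021: "LCP", 0x8021: "IPCP"}

def parse_l2tp(pkt: bytes) -> dict:
    """Parse one L2TPv2 packet; for data messages also decode the encapsulated PPP frame."""
    if len(pkt) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", pkt[:2])[0]
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 packet")
    info = {"control": bool(flags & 0x8000)}   # T bit: control vs. data message
    pos, end = 2, len(pkt)
    if flags & 0x4000:                         # L bit: explicit length field present
        end = struct.unpack("!H", pkt[pos:pos + 2])[0]
        pos += 2
        if end > len(pkt) or end < pos:
            raise ValueError("bad L2TP length field")
    info["tunnel_id"], info["session_id"] = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    if flags & 0x0800:                         # S bit: Ns/Nr sequence numbers present
        info["ns"], info["nr"] = struct.unpack("!HH", pkt[pos:pos + 4])
        pos += 4
    if flags & 0x0200:                         # O bit: offset size, then that many pad bytes
        pos += 2 + struct.unpack("!H", pkt[pos:pos + 2])[0]
    payload = pkt[pos:end]
    if info["control"]:
        info["avps"] = payload                 # control messages carry AVPs, not PPP
        return info
    # Data message: a PPP frame, optionally prefixed with HDLC address/control 0xff 0x03.
    if payload[:2] == b"\xff\x03":
        payload = payload[2:]
    if not payload:
        raise ValueError("empty PPP frame")
    if payload[0] & 1:                         # odd first byte: compressed one-byte protocol field
        proto, payload = payload[0], payload[1:]
    elif len(payload) >= 2:
        proto, payload = struct.unpack("!H", payload[:2])[0], payload[2:]
    else:
        raise ValueError("truncated PPP protocol field")
    info["ppp_protocol"] = proto
    info["ppp_protocol_name"] = PPP_PROTOCOLS.get(proto, "unknown")
    info["ppp_payload"] = payload              # visible on the NAS-to-home-server leg without IPsec
    return info

# Constructed sample: L bit set, tunnel 1, session 2, PPP frame carrying the start of an IPX packet.
SAMPLE = bytes.fromhex("4002 0010 0001 0002 ff03 002b ffff 001e")

if __name__ == "__main__":
    r = parse_l2tp(SAMPLE)
    print(f"tunnel {r['tunnel_id']} session {r['session_id']} carries "
          f"{r['ppp_protocol_name']} (0x{r['ppp_protocol']:04x}): {r['ppp_payload'].hex()}")
```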

