
IPSEC in non-IP networks?



I'd like to know if anyone on this list (I know there are at least some)
has considered using IPSEC as a security method for non-IP networks?

The reason I ask is because draft-ietf-l2tp-security-00.txt specifies a
method for using IPSEC to secure L2TP traffic on non-IP networks in a
way which I believe is non-extensible.  I believe this non-extensibility
is an issue which would be of concern in the IPSEC area.

The proposal is to use UDP (ISAKMP) and ESP encapsulated directly over a
non-IP medium.  This would probably work fine, except the draft proposes
using 0 (zero) in the next-protocol field of the ESP header to indicate
L2TP next (since L2TP does not yet have a protocol number).  Even though
the ESP header will not be preceded by an IP header, this should not
change the rules for the values and their meanings of what can be found
in the next-proto field of the ESP header.

I received no response on this point on the L2TP list (including when I
re-sent the inquiry), and I have no indication that this was just put in
the draft as a placeholder until L2TP receives a protocol number.  I
hope to resolve the issue without cross-pollinating the L2TP and IPSEC
lists.

I believe that if IPSEC should be used to secure L2TP payload on non-IP
networks, then it should follow an extensible specification that the
IPSEC crowd agrees with -- whether it is similar to the approach of
draft-ietf-l2tp-security-00.txt or not.

Comments please.

The best way to do this conversation may be to keep it on this list, and
I will summarize the conversation to the L2TP list when it converges.

I will send a copy of this email to the L2TP list as well, so people
there are aware of the conversation over here, and can follow it on
their own as they wish.

Richard Shea
Senior Software Engineer
New Oak Communications
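To illustrate the point about the ESP next-header field, here is an added example (not part of the original message or of any draft it cites). It builds and parses the plaintext ESP layout (SPI, sequence number, payload, padding, pad length, next header; a null cipher with no IV or ICV is assumed to keep the trailer visible), then looks the next-header value up against a small table of IANA protocol numbers that I know to be assigned. The L2TP entry (115) was assigned after this discussion and is included as a known fact; the SPI, sequence number and payload are constructed sample values.

```python
import struct

# Subset of the IANA "Assigned Internet Protocol Numbers" registry (known values).
# ESP's Next Header field uses this registry regardless of what carries the ESP packet,
# so value 0 already means "IPv6 Hop-by-Hop Option", not "L2TP".
IANA_PROTOCOL_NUMBERS = {
    0: "HOPOPT (IPv6 Hop-by-Hop Option)",
    4: "IPv4 (IP-in-IP)",
    6: "TCP",
    17: "UDP",
    41: "IPv6",
    50: "ESP",
    51: "AH",
    59: "IPv6-NoNxt",
    115: "L2TP",  # assigned by IANA after the thread above was written
}


def lookup_next_header(value):
    """Return the registered protocol name for a Next Header value, or None if unassigned."""
    return IANA_PROTOCOL_NUMBERS.get(value)


def build_esp_packet(spi, seq, payload, next_header, block_size=4):
    """Build an ESP packet with a null cipher: header, payload, padding, pad length, next header.

    Padding makes (payload + pad length + next header) a multiple of block_size,
    using the default monotonic padding bytes 1, 2, 3, ... (RFC 2406 style).
    """
    if not 0 <= next_header <= 255:
        raise ValueError("next header must fit in one octet")
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))
    header = struct.pack("!II", spi, seq)          # SPI and sequence number
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    return header + payload + trailer


def parse_esp_packet(pkt):
    """Parse a null-cipher ESP packet back into its fields, validating the trailer."""
    if len(pkt) < 10:
        raise ValueError("packet too short for ESP header and trailer")
    spi, seq = struct.unpack("!II", pkt[:8])
    pad_len, next_header = struct.unpack("!BB", pkt[-2:])
    body = pkt[8:-2]
    if pad_len > len(body):
        raise ValueError("pad length exceeds available payload")
    payload = body[:len(body) - pad_len]
    padding = body[len(body) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the default pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


def describe_dispatch(pkt):
    """Say where a receiver that follows the registry would hand the inner payload."""
    fields = parse_esp_packet(pkt)
    name = lookup_next_header(fields["next_header"])
    if name is None:
        return f"next header {fields['next_header']} is unassigned"
    return f"next header {fields['next_header']} dispatches to {name}"


if __name__ == "__main__":
    # Constructed sample: an L2TP payload tagged with next header 0, as the draft proposed.
    sample = build_esp_packet(spi=0x1000, seq=1, payload=b"L2TP", next_header=0)
    print(describe_dispatch(sample))
    # Same payload tagged with the value IANA later assigned to L2TP.
    print(describe_dispatch(build_esp_packet(0x1000, 2, b"L2TP", 115)))
```

Running the block shows that a receiver applying the registry hands a next-header-0 payload to its IPv6 Hop-by-Hop handler rather than to L2TP, which is exactly the ambiguity the message is raising.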