
L2TP + IPSEC question
Sorry if this subject has already been done-to-death:

I've just been reading the draft on using IPSEC to defend L2TP.

Of the two models proposed (compulsory and voluntary), the
'voluntary' option feels safer to me (from a security management
point of view).

So, if my clients are IP-only, why do I need IPSEC AND L2TP? Why not
just an IPSEC tunnel?

Here are a few cases:


1) PPP on client, L2TP LAC at ISP POP:- Unprotected L2TP exchange
not secure, hence the draft.
2) PPP on client, L2TP LAC at ISP POP + IPSEC encapsulation:- L2TP
secure, but means sharing security information
3) L2TP on client:- as for 1), and the tunnel server address has to be
known by the client, no longer available from the ISP
4) L2TP on client + IPSEC:- secure, but why use L2TP when PPP in IPSEC
would do, and for IP-only, not even PPP.
5) IPSEC on client:- secure, but how can the tunnel server address be
discovered?


Option 5) seems to be the best answer for IP-only, and there seems to be
a PPP-in-IPSEC option for other requirements.
If there is a requirement for the tunnel server address to be
discovered by the client, not pre-configured, then the ISPs could
provide a PPP-based tunnel server address via PPP_IPCP. The IPSEC code
could then use DHCP to acquire the Intranet address if not static.

If there are any comments on this, can someone copy me directly - I've just
joined the distribution lists.

Thanks, Steve.