
RE: L2TP + IPSEC question



That's a good point.  We looked at this dilemma a while back and went
with only IPSec tunneling.  L2TP is good when you have protocols other
than IP, but that doesn't happen too often anymore.

With IPSec tunnelling you can accomplish almost everything that the
layer 2 (L2F, PPTP, L2TP) protocols can and you have real security.


>-----Original Message-----
>From:	Stephen Waters [SMTP:Stephen.Waters@digital.com]
>Sent:	Tuesday, February 10, 1998 9:00 AM
>To:	l2tp@zendo.com; ipsec@tis.com
>Cc:	Stephen Waters
>Subject:	L2TP + IPSEC question
>
>
>Sorry if this subject has already been done-to-death:
>
>I've just been reading the draft on using IPSEC to defend L2TP.
>
>Of the two models proposed (compulsory and voluntary), the
>'voluntary' option feels safer to me (from a security management
>point of view).
>
>So,  if my clients are IP-only,  why do I need IPSEC AND L2TP?  Why not
>just IPSEC tunnel?  
>
>Here are a few cases :
>
>
>1) PPP on client, L2TP LAC at ISP POP:- Unprotected L2TP exchange,
>not secure, hence the draft.
>2) PPP on client, L2TP LAC at ISP POP + IPSEC encapsulation:- L2TP
>secure, but means sharing security information.
>3) L2TP on client:- as for 1), and the tunnel server address has to be
>known by the client, no longer available from the ISP.
>4) L2TP on client + IPSEC:- secure, but why use L2TP when PPP in IPSEC
>would do, and for IP-only, not even PPP.
>5) IPSEC on client:- secure, but how can the tunnel server address be
>discovered?
>
>
>Option 5) seems to be the best answer for IP-Only and there seems to be
>a PPP in IPSEC option for other requirements.
>If there is a requirement for the tunnel server address to be
>discovered by the client, not pre-configured, then the ISPs could
>provide a PPP-based tunnel server address via PPP_IPCP.  The IPSEC code
>could then use DHCP to acquire the Intranet address if not static.
>
>If there are any comments on this, can someone copy me directly - I just
>joined the distribution lists.
>
>Thanks, Steve.
>
>
>
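The two designs weighed in this thread, IP carried directly in an IPsec ESP tunnel (Steve's option 5) versus PPP inside L2TP inside UDP protected by ESP (option 4, the layering later standardized in RFC 3193 as L2TP/IPsec), differ on the wire only by the extra PPP, L2TP and UDP headers. The script below is an added example written for this page, not code from either poster or from any IETF draft. It builds both encapsulations byte for byte so the per-packet overhead, the usable MTU and what an on-path observer can see are concrete. It is a structural model: the ESP payload is left unencrypted and the IV and ICV are placeholder zero bytes. The SA parameters (AES-CBC IV, HMAC-SHA1-96 ICV, 16-byte padding block), ESP transport mode under L2TP, an omitted PPP address/control field, the 6-byte minimum L2TPv2 data header and the sample addresses are all assumptions.

```python
#!/usr/bin/env python3
"""Wire-format model of the two VPN designs compared in the thread:
 (a) inner IP packet directly in ESP tunnel mode (option 5), and
 (b) IP -> PPP -> L2TPv2 -> UDP/1701 -> ESP transport mode (option 4).
Structural model only: no real encryption or integrity check is computed."""
import struct

# Assumed ESP SA parameters (typical AES-CBC + HMAC-SHA1-96 SA).
IP_HDR = 20        # IPv4 header without options
UDP_HDR = 8
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_LEN = 16        # AES-CBC IV
ICV_LEN = 12       # HMAC-SHA1-96, truncated
BLOCK = 16         # cipher block size that drives ESP padding
PROTO_IPIP, PROTO_UDP, PROTO_ESP = 4, 17, 50
L2TP_PORT = 1701
PPP_PROTO_IPV4 = 0x0021

# Constructed sample addresses from documentation ranges, not real hosts.
CLIENT = bytes([192, 0, 2, 10])
GATEWAY = bytes([198, 51, 100, 1])
INTRANET = bytes([10, 0, 0, 5])


def ipv4_header(proto, src, dst, total_len):
    """Minimal IPv4 header; checksum left zero since nothing here is sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                       proto, 0, src, dst)


def esp_encapsulate(payload, next_header, spi=0x10000001, seq=1):
    """ESP packet in RFC 4303 layout: SPI, seq, IV, payload, padding,
    pad length, next header, ICV.  Padding aligns payload + 2 bytes to BLOCK."""
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pad bytes
    trailer = padding + bytes([pad_len, next_header])
    iv = bytes(IV_LEN)                           # placeholder, not random
    icv = bytes(ICV_LEN)                         # placeholder, not computed
    return struct.pack("!II", spi, seq) + iv + payload + trailer + icv


def ipsec_tunnel(inner_ip):
    """Option 5: inner IP packet rides directly in ESP tunnel mode."""
    esp = esp_encapsulate(inner_ip, PROTO_IPIP)
    return ipv4_header(PROTO_ESP, CLIENT, GATEWAY, IP_HDR + len(esp)) + esp


def l2tp_over_ipsec(inner_ip, tunnel_id=7, session_id=3):
    """Option 4: IP -> PPP -> L2TPv2 data message -> UDP/1701 -> ESP transport.
    Assumes PPP address/control fields omitted (ACFC), uncompressed protocol
    field, and the 6-byte L2TP data header (T=0, Ver=2, no L/S/O bits)."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + inner_ip
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, UDP_HDR + len(l2tp), 0) + l2tp
    esp = esp_encapsulate(udp, PROTO_UDP)
    return ipv4_header(PROTO_ESP, CLIENT, GATEWAY, IP_HDR + len(esp)) + esp


def inner_ip_packet(payload_len):
    """Constructed inner IPv4/UDP packet from the client to an intranet host."""
    return ipv4_header(PROTO_UDP, CLIENT, INTRANET, IP_HDR + payload_len) + bytes(payload_len)


def overhead(wrap, inner_len=100):
    """Bytes added on the wire by one encapsulation for a given inner size."""
    return len(wrap(bytes(inner_len))) - inner_len


def effective_mtu(wrap, link_mtu=1500):
    """Largest inner IP packet that still fits the link after encapsulation."""
    for n in range(link_mtu, 0, -1):
        if len(wrap(bytes(n))) <= link_mtu:
            return n
    return 0


def outer_view(pkt):
    """Fields an on-path observer sees in the clear: outer IP proto, SPI, seq."""
    proto = pkt[9]
    spi, seq = struct.unpack("!II", pkt[IP_HDR:IP_HDR + ESP_HDR])
    return {"proto": proto, "spi": spi, "seq": seq}


def inner_next_header(pkt):
    """ESP trailer next-header byte (encrypted on a real SA; plain here)."""
    return pkt[-ICV_LEN - 1]


if __name__ == "__main__":
    inner = inner_ip_packet(80)  # 100-byte inner packet
    for name, wrap in (("IPsec tunnel mode", ipsec_tunnel),
                       ("L2TP over IPsec", l2tp_over_ipsec)):
        pkt = wrap(inner)
        print(f"{name:18} total={len(pkt)} overhead={overhead(wrap)} "
              f"mtu={effective_mtu(wrap)} next_header={inner_next_header(pkt)} "
              f"observer={outer_view(pkt)}")
```

Running it shows the point both posters make in different words: for an IP-only client the L2TP layer costs a fixed 16 bytes per packet (2 PPP + 6 L2TP + 8 UDP) and 16 bytes of usable MTU, while the observer's view (outer IP header plus SPI and sequence number) is identical in both designs. What L2TP adds is non-IP protocol support and the ability to place the LAC at the ISP, not any additional protection.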