
RE: comments on VPN framework document




> >'IPSEC-tunnel' is that it is not a 
> >tunnel at all, really - just a
> >security encapsulation scheme. 
> 
> By my definition, a tunnel exists whenever you
> encapsulate one packet within another packet.
> By that scheme an IPSEC/IP tunnel is as much a
> tunnel as an IPSEC/L2TP tunnel. 
> 

I was comparing the IPSEC-tunnel (as defined in the IPSEC architecture) with
other IP tunneling recommendations - all of which have much more to them than
just encapsulating the original packet with an IP header.


> >If you encrypt the original IP header, 
> >what alternative have you got but to 
> >add another one.
> 
> The same comment could be made about an
> L2TP packet, which is encrypted when contained
> in IPSEC/L2TP. 

Again - I was making the point that adding an IP header is ALL the
IPSEC tunnel is, nothing more.

> 
> >With IPSEC, there is no mechanism to define 
> >an 'Virtual IP interface' that can be managed 
> >as any other IP interface - routing/cost/filtering/.... 
> >
> This is indeed a feature of your implementation.
> There is no intrinsic reason why an IPSEC/IP
> tunnel cannot be treated as a virtual interface.
> IP-IP tunnels (for DVMRP, for example) have
> commonly been treated as virtual interfaces.
> 
There may be no reason why IPSEC/IP can't be treated as a virtual interface,
but that is not the model defined in the IPSEC architecture, where everything
is driven from security policy databases that are applied to data ON an
interface, and a policy within a given SPD calling for tunnel-mode protection
does not constitute an interface or anything that is manageable as such.

> 
> >In the meantime, I'm thinking that 
> >L2TP+Transport-mode-IPSEC is as close as
> >we can get today.
> >
> 
> It is true that implementations of 
> IPSEC/L2TP are often more 
> advanced than IPSEC/IP 
> implementations.
> 
> However, let's not confuse details
> of implementations with discussions
> of the protocol differences. 
> If we are attempting to discuss 
> differences, we should focus
> on the ways in which IPSEC/IP and
> IPSEC/L2TP are different, namely
> the differences between IP and 
> L2TP. There are no substantive
> security differences between 
> IPSEC/IP and IPSEC/L2TP since
> both use IPSEC for security.
> 

Let's hope so.  
Steve.
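The two encapsulations argued over above, built on the wire so the difference is visible. This is an added example, not code from either correspondent: it constructs an inner IPv4 datagram, wraps it once as "IPSEC/IP" (tunnel-mode ESP with a new outer IP header and Next Header = 4) and once as "IPSEC/L2TP" (PPP inside an L2TP data message inside UDP/1701, protected by transport-mode ESP with Next Header = 17), then walks the layers back. The addresses, SPI, L2TP tunnel/session IDs and the HMAC-SHA1-96 key are all constructed for the example. No confidentiality transform is applied, so the layering stays readable; a real ESP implementation encrypts payload and trailer before computing the ICV.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPV4 = 4        # ESP Next Header for tunnel mode: an IP datagram follows
IPPROTO_TCP = 6
IPPROTO_UDP = 17        # ESP Next Header for transport mode carrying L2TP/UDP
IPPROTO_ESP = 50
L2TP_PORT = 1701
PPP_PROTO_IPV4 = 0x0021

# Constructed integrity key for HMAC-SHA1-96 (assumption: not from the thread).
ICV_KEY = b"\x11" * 20


def ipv4_checksum(hdr: bytes) -> int:
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP framing: SPI | Seq | Payload | Padding | PadLen | NextHdr | ICV.
    Padding aligns PadLen/NextHdr to a 4-byte boundary; ICV covers SPI..NextHdr."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))            # self-describing default padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(ICV_KEY, body, hashlib.sha1).digest()[:12]
    return body + icv


def esp_decapsulate(esp: bytes):
    """Verify the ICV and strip the framing; returns (next_header, payload)."""
    body, icv = esp[:-12], esp[-12:]
    expected = hmac.new(ICV_KEY, body, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:-(2 + pad_len)]


def ipsec_tunnel_mode(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """'IPSEC/IP': the whole inner datagram is the ESP payload; one outer IP header is added."""
    esp = esp_encapsulate(spi, seq, inner, IPPROTO_IPV4)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, esp) + esp


def l2tp_over_transport_ipsec(inner: bytes, src: str, dst: str, spi: int, seq: int,
                              tunnel_id: int, session_id: int) -> bytes:
    """'IPSEC/L2TP': inner datagram -> PPP -> L2TP data message -> UDP/1701 ->
    transport-mode ESP.  The IP header on the outside is the endpoint's own."""
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + inner
    l2tp = struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp   # T=0,L=0,S=0,O=0, ver=2
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp  # csum 0 = none
    esp = esp_encapsulate(spi, seq, udp, IPPROTO_UDP)
    return ipv4_header(src, dst, IPPROTO_ESP, esp) + esp


def layers(packet: bytes) -> list:
    """Walk the encapsulation, verifying ESP on the way, and name each layer."""
    proto = packet[9]
    names = ["IPv4(proto=%d)" % proto]
    if proto != IPPROTO_ESP:
        return names
    nh, payload = esp_decapsulate(packet[20:])
    names.append("ESP(next=%d)" % nh)
    if nh == IPPROTO_IPV4:
        names.append("IPv4(proto=%d)" % payload[9])
    elif nh == IPPROTO_UDP:
        names.append("UDP(dport=%d)" % struct.unpack("!H", payload[2:4])[0])
        l2tp = payload[8:]
        tid, sid = struct.unpack("!HH", l2tp[2:6])
        names.append("L2TP(v%d tunnel=%d session=%d)" % (l2tp[1] & 0x0F, tid, sid))
        names.append("PPP(proto=0x%04x)" % struct.unpack("!H", l2tp[6:8])[0])
        names.append("IPv4(proto=%d)" % l2tp[8:][9])
    return names


def tamper_rejected(packet: bytes) -> bool:
    """Flip one bit of the protected payload; the ESP ICV check must fail for both schemes."""
    bad = bytearray(packet)
    bad[40] ^= 0x01
    try:
        layers(bytes(bad))
        return False
    except ValueError:
        return True


# Constructed inner datagram: a TCP segment from one private net to another.
APP = b"GET / HTTP/1.0\r\n\r\n"
INNER = ipv4_header("10.1.1.5", "10.2.2.7", IPPROTO_TCP, APP) + APP
TUNNEL = ipsec_tunnel_mode(INNER, "192.0.2.1", "198.51.100.1", 0x1000, 1)
L2TP = l2tp_over_transport_ipsec(INNER, "192.0.2.1", "198.51.100.1", 0x2000, 1, 7, 3)

if __name__ == "__main__":
    for name, pkt in (("IPSEC/IP", TUNNEL), ("IPSEC/L2TP", L2TP)):
        print(name, len(pkt) - len(INNER), "bytes overhead:", " > ".join(layers(pkt)))
```

Run stand-alone it prints the layer walk for each scheme; the only bytes tunnel mode adds beyond ESP itself are the outer IP header, while the L2TP form carries UDP, L2TP and PPP headers as well. Both are protected by the same ESP framing and the same ICV check, which is the sense in which the security of the two does not differ.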



