
Re: Bridging non-IP traffic over IPSec



John Shriver wrote:
> 
> Let's not be distracted bashing the "security" problems of PPTP.  Yes,
> without IPSec, it's a joke security wise.  But nobody is even going to
> know if it even _IS_ PPTP if it's inside ESP.
> 
> This discussion is about how to tunnel non-IP traffic over IPSec (see
> the subject), not bashing Microsoft.

I don't think anyone meant to get off on a m$-bashing track. The
original comment I made was meant to counter the notion that pptp would
be the de facto standard. The fact that it is not a standard (and not on
any sort of standard track) should be enough to persuade one that it is
not bound for de-facto-standard-hood.

> While PPTP is not a well-loved protocol for many reasons, for the
> purposes of this discussion it's semantically (if not
> standards-track-ly) equivalent to L2TP.

While you could probably conjure up an argument regarding functional
equivalence, pptp is *not* equivalent to l2tp in terms of standards.
L2TP is on the standards track, and is far superior to pptp.

The real question, the one we're actually concerned with here, is this:
We have a need to tunnel non-IP traffic between private networks using
the public internet; should we use pptp, l2tp, gre, or some other
mechanism to accomplish this? I submit that pptp is not really an
alternative, given the reasons above. I suggested earlier that l2tp
might be overkill for this application, given all the overhead that goes
with it, and wondered if we shouldn't be reviving GRE for this
application. There are probably good arguments for both points of view
(l2tp vs gre), and there may even be a third or fourth alternative which
makes more sense. This should be the thrust of our discussion.
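To put numbers on the overhead argument raised in the message above, here is an added example (written for this page, not taken from the thread or from any PPTP, L2TP or GRE implementation). It builds the two candidate encapsulations, GRE (RFC 2784, with the optional Key of RFC 2890) and L2TP over UDP (RFC 2661) carrying PPP (RFC 1661, IPX over PPP per RFC 1552), around the same non-IP packet and reports how many bytes each adds before ESP and the outer IP header, which are identical for both options. The IPX packet is constructed filler, the L2TP header is the minimal data-message form, and the PPP frame assumes address/control field compression; all three are assumptions for the example. The classifier at the end uses the GRE version field to tell plain GRE from the version-1 GRE that PPTP uses, which is only visible once ESP has been removed.

```python
"""
Added example: encapsulation overhead for GRE vs. L2TP/PPP around a non-IP
packet, and a small GRE parser.  Not code from the thread or any product.
"""
import struct
from typing import Optional, Tuple, Dict

# Constructed inner traffic: a 30-byte IPX header (real IPX starts with a
# 0xFFFF checksum field) plus filler.  Only its length matters here.
IPX_PACKET = b"\xff\xff" + b"\x00" * 28 + b"payload"

ETHERTYPE_IPX = 0x8137   # GRE Protocol Type uses EtherType values
ETHERTYPE_TEB = 0x6558   # Transparent Ethernet Bridging: whole L2 frames
PPP_PROTO_IPX = 0x002B   # RFC 1552
PPP_PROTO_PPTP = 0x880B  # Protocol Type PPTP puts in its GRE header (RFC 2637)
L2TP_UDP_PORT = 1701

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # RFC 2784/2890 flag bits
GRE_VER_MASK = 0x0007


def gre_encap(payload: bytes, proto: int, key: Optional[int] = None) -> bytes:
    """RFC 2784 GRE: 4-byte base header, plus a 4-byte Key when requested."""
    flags = GRE_K if key is not None else 0
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def gre_decap(pkt: bytes) -> Tuple[int, bytes]:
    """Parse version-0 GRE and return (protocol type, inner payload).
    Options this example does not implement (Checksum, Sequence) are
    rejected rather than silently mis-parsed."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VER_MASK:
        raise ValueError("not version-0 GRE (PPTP uses version 1)")
    if flags & (GRE_C | GRE_S):
        raise ValueError("unsupported GRE option bits")
    off = 4 + (4 if flags & GRE_K else 0)
    if len(pkt) < off:
        raise ValueError("truncated GRE Key field")
    return proto, pkt[off:]


def ppp_frame(payload: bytes, proto: int) -> bytes:
    """PPP with address/control compressed away (assumption): protocol field only."""
    return struct.pack("!H", proto) + payload


def l2tp_encap(ppp: bytes, tunnel_id: int, session_id: int) -> bytes:
    """RFC 2661 data message in its minimal form (T=0, no L/S/O bits, Ver=2)
    inside a UDP header; UDP checksum 0 means 'absent' for IPv4."""
    l2tp_hdr = struct.pack("!HHH", 0x0002, tunnel_id, session_id)
    udp_len = 8 + len(l2tp_hdr) + len(ppp)
    udp_hdr = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, udp_len, 0)
    return udp_hdr + l2tp_hdr + ppp


def overhead(inner: bytes, outer: bytes) -> int:
    return len(outer) - len(inner)


def compare(payload: bytes = IPX_PACKET) -> Dict[str, int]:
    """Bytes each option adds on top of the non-IP packet.  The outer IP
    header and ESP are the same for every option, so they are left out."""
    return {
        "gre": overhead(payload, gre_encap(payload, ETHERTYPE_IPX)),
        "gre+key": overhead(payload, gre_encap(payload, ETHERTYPE_IPX, key=42)),
        "l2tp": overhead(payload, l2tp_encap(ppp_frame(payload, PPP_PROTO_IPX), 1, 1)),
    }


def classify_gre(pkt: bytes) -> str:
    """Distinguish plain GRE from the version-1 GRE that PPTP uses (RFC 2637:
    Ver=1, K set, Protocol Type 0x880B).  Only possible after ESP decryption."""
    if len(pkt) < 4:
        return "unknown"
    flags, proto = struct.unpack("!HH", pkt[:4])
    ver = flags & GRE_VER_MASK
    if ver == 1 and (flags & GRE_K) and proto == PPP_PROTO_PPTP:
        return "pptp-gre"
    if ver == 0:
        return "gre"
    return "unknown"


if __name__ == "__main__":
    for name, extra in compare().items():
        print(f"{name:8s} adds {extra:2d} bytes per packet")
```

Bridging a whole Ethernet frame instead of routing the IPX packet costs a further 14 bytes of frame header plus the 0x6558 Protocol Type, whichever tunnel carries it; the comparison function can be called with such a frame as its payload to see that.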

