
Re[2]: PPP over IPSec (without L2TP)?



Jim,

IPsec operates at layer 3, not 4, although we do cheat a bit.

When one runs L2TP over IPsec, one loses the ability to perform
fine-grained access control as part of IPsec, which is an important aspect
of the security provided by IPsec.  This problem arises because an IPsec
receiver examines the "appropriate" IP header to make the access control
decision. However, when there is an intervening protocol layer, e.g., L2TP
(or PPP), this check cannot be performed.  Note that once the packet exits
the IPsec processing, one cannot tie it to the SA via which it was
received, and thus any later access control checks are not nearly as
effective as what can be done within IPsec per se.

This has been a bone of contention between some of us in the IPsec WG and
the folks who produced the L2TP spec, calling for the use of IPsec with
L2TP.  I fought over the wording of the text re the security benefits that
accrue when the two protocols are used together, but achieved only a
partial victory, i.e., I prevented the RFC from making grossly misleading
claims about security under these circumstances.

The bottom line is that L2TP imposes no requirements on implementations to
offer the same sort of fine-grained access control that IPsec mandates.
Moreover, once the binding of a packet to an SA is lost, it is impossible
to provide the same level of security features and assurance for access
control.

I agree that more work needs to be done to provide all of the necessary
routing and configuration facilities for some classes of VPN users with
IPsec. However, it is not accurate to suggest that using L2TP over IPsec
provides as good a level of security as will be achieved through
appropriate use (perhaps with added options) of IPsec in a native mode.

Steve


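The point Steve makes about losing the packet-to-SA binding can be modelled in a few lines. The following is an added, constructed example (not code from this message, from the IPsec WG, or from any real IPsec implementation): a toy inbound IPsec check compares the decapsulated packet's IP header against the SA's traffic selectors, and a toy L2TP termination step hands the inner IP packet up the stack with no reference to the SA it arrived on. All class and function names (`IPPacket`, `Selector`, `SA`, `deliver`, the sample addresses) are hypothetical and chosen only for illustration.

```python
"""Toy model of IPsec inbound access control vs. L2TP-over-IPsec.

Constructed illustration, not a real IPsec or L2TP implementation.
The SA carries traffic selectors; the receiver checks the recovered packet's
IP header against them. With L2TP in between, the only header IPsec can check
is the UDP/1701 tunnel header, and the user's IP packet emerges after L2TP/PPP
termination with its SA binding gone.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp" in this toy model
    dport: Optional[int] = None
    payload: Optional["IPPacket"] = None   # inner IP packet for tunnel encapsulations


@dataclass(frozen=True)
class Selector:
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int] = None

    def matches(self, pkt: IPPacket) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))


@dataclass(frozen=True)
class SA:
    spi: int
    selectors: Tuple[Selector, ...]


def ipsec_inbound_check(sa: SA, decapsulated: IPPacket) -> bool:
    """The fine-grained check: a packet recovered from an SA must match one of
    that SA's selectors or it is discarded before it reaches the stack."""
    return any(s.matches(decapsulated) for s in sa.selectors)


def l2tp_decapsulate(pkt: IPPacket) -> Optional[IPPacket]:
    """Simulated L2TP/PPP termination. The inner IP packet is returned with no
    attribute linking it to the SA it was received on."""
    if pkt.proto == "udp" and pkt.dport == 1701 and pkt.payload is not None:
        return pkt.payload
    return None


def deliver(sa: SA, wire_pkt: IPPacket) -> Tuple[bool, Optional[IPPacket], bool]:
    """Return (permitted_by_ipsec, packet handed up the stack, still bound to SA)."""
    if not ipsec_inbound_check(sa, wire_pkt):
        return (False, None, False)
    inner = l2tp_decapsulate(wire_pkt)
    if inner is None:
        # Native mode: the header IPsec checked is the packet being delivered.
        return (True, wire_pkt, True)
    # L2TP mode: the delivered packet was never compared to the SA selectors,
    # and the SA identity is not available to any later check.
    return (True, inner, False)


# Constructed sample SAs and packets (documentation/private address ranges).
NATIVE_SA = SA(spi=0x1001, selectors=(
    Selector("10.1.0.0/16", "192.168.5.0/24", "tcp", 443),))
L2TP_SA = SA(spi=0x1002, selectors=(
    Selector("203.0.113.0/24", "198.51.100.1/32", "udp", 1701),))

WEB = IPPacket("10.1.2.3", "192.168.5.10", "tcp", 443)
SSH = IPPacket("10.1.2.3", "192.168.5.10", "tcp", 22)
TUNNELED_SSH = IPPacket("203.0.113.7", "198.51.100.1", "udp", 1701, payload=SSH)


if __name__ == "__main__":
    print("native, web :", deliver(NATIVE_SA, WEB))          # permitted, bound to SA
    print("native, ssh :", deliver(NATIVE_SA, SSH))          # discarded by IPsec
    print("l2tp,   ssh :", deliver(L2TP_SA, TUNNELED_SSH))   # permitted, binding lost
```

In native mode the SA's selector discards the port-22 flow inside IPsec; in the L2TP case the same flow passes, because the only header IPsec can evaluate is the tunnel's UDP/1701 header, and whatever policy is applied afterwards has to work without knowing which SA carried the packet.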