
RE: Re[2]: PPP over IPSec (without L2TP)?



Bernard,

>We went through this issue in the L2TP draft and your proposed
>wording was rejected. No "misleading claims" were
>included in the original draft, and in fact it was your proposed
>wording that was rejected as misleading. Let's not go
>rewriting history.

The technical term here is bullshit.  The wording in the RFC is
substantively different from that which was in the document when it was
submitted for IESG approval.  If anyone questions this claim, contact Tom
Narten (the cognizant area director), who mediated the protracted
discussion. While I did not succeed in getting the wording I would have
preferred, and which would more accurately characterize the limitations of
an L2TP + IPsec implementation vs. a native IPsec implementation, the
wording did remove some of the technically misleading claims that the RFC
authors had originally made.

>In L2TP it is perfectly possible to apply
>filters to achieve the same level of security. In fact, if
>anything the argument went the other way -- because L2TP
>does user authentication, when run over IPSEC its security
>is stronger than that of IPSEC tunnel mode implementations
>that only do machine authentication and therefore have no
>idea who the user is.

While it MAY be possible to apply filters in L2TP, the standard did not
require it, and there was no standard for such filters at the time this
debate took place.  Moreover, in a modular implementation of L2TP plus
IPsec, the information about the SA with which a packet is associated will
be lost by the time the L2TP filters are applied.  Thus, the filters
cannot, in principle, determine if the traffic is consistent with
parameters for the SA in question. It would seem that, at best, the L2TP
filters can determine if the traffic is consistent with ANY currently
active connection, and at worst they might determine if the traffic is
consistent with ANY connection that might be permitted.

The statement about user vs. machine authentication is incorrect, and
consistent with the misunderstanding of IPsec expressed by some of the L2TP
partisans.  If you read RFC 2401 carefully you will note that IPsec
supports individual user authentication, in both modes.

Steve
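As an added illustration of the filter argument in the message above (constructed example code, not from the thread, RFC 2401 or any L2TP implementation; the SAs, addresses and ports are made up): a native IPsec inbound check compares the packet against the selectors of the SA it actually arrived on, whereas a filter applied after L2TP decapsulation no longer knows the SPI and can at best ask whether any active SA would permit the packet.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Inner IP packet as seen after decapsulation."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class SA:
    """Security association with the selectors it is permitted to carry."""
    spi: int
    src: str
    dst: str
    dport: int

    def permits(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.dst, pkt.dport) == (self.src, self.dst, self.dport)


# Constructed SA database: one tunnel per remote user (hypothetical values).
SAS = {
    0x1001: SA(0x1001, "10.0.0.1", "192.0.2.10", 22),
    0x1002: SA(0x1002, "10.0.0.2", "192.0.2.20", 80),
}


def native_ipsec_filter(spi: int, pkt: Packet) -> bool:
    """Native IPsec: check the packet against the selectors of the SA it
    arrived on, so traffic on user 1's SA cannot claim user 2's identity."""
    sa = SAS.get(spi)
    return sa is not None and sa.permits(pkt)


def l2tp_post_decap_filter(pkt: Packet) -> bool:
    """Modular L2TP over IPsec: by the time the L2TP/PPP layer filters, the
    SPI is gone, so the best available test is 'does ANY active SA permit
    this packet', which is the weaker check the message describes."""
    return any(sa.permits(pkt) for sa in SAS.values())


# Constructed case: a packet arrives on user 1's SA but carries user 2's
# selectors. The per-SA check rejects it; the SA-blind check accepts it.
CROSSED = Packet("10.0.0.2", "192.0.2.20", 80)
```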
