[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PPP over IPSec (without L2TP)?



Mr. Huttunen,
Your wrote with following header and content (after the "===" mark):

The question I have is in your last sentence.
" If there are some, which is possible, wouldn't it be
better to enhance IPSec protocol(s) to enable the same, instead of having L2TP?"

Does it sound like you want to "enhance IPSec protocol"?

Regards,

--- David

BTW.  I cc to the same cc you did.

===========================================================

Date: Thu, 14 Oct 1999 12:02:37 +0300
From: Ari Huttunen <Ari.Huttunen@DataFellows.com>
Organization: Data Fellows Oyj
X-Mailer: Mozilla 4.51 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: ietf-ipsra@vpnc.org, ipsec@lists.tislabs.com
Subject: PPP over IPSec (without L2TP)?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-ipsra@mail.vpnc.org
Precedence: bulk
List-Archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-Unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>

At 12:02 PM 10/14/99 +0300, you wrote:
Microsoft's position regarding L2TP is according to http://www.microsoft.com/windows/server/Technical/networking/NWPriv.asp
(partly) the following:

L2TP is a well-defined, interoperable protocol that addresses the current shortcomings of IPSec-only client-to-gateway and gateway-to-gateway scenarios (user authentication, tunnel IP address assignment, and multiprotocol support). L2TP has broad vendor support, particularly among the largest network access equipment providers, and has verified interoperability. By placing L2TP as payload within an IPSec packet, communications benefit from the standards-based encryption and authenticity of
IPSec, while also receiving a highly interoperable way to accomplish user authentication, tunnel address assignment, multiprotocol support, and multicast support using PPP. This combination is commonly referred to as L2TP/IPSec. Lacking a better pure IPSec standards solution, Microsoft believes that L2TP/IPSec provides the best standards based solution for multi-vendor, interoperable client-to-gateway VPN scenarios. Microsoft is working closely with key networking vendors including Cisco, 3Com,
Lucent and IBM, to support this important combination.

I agree that having PPP gives us the stated benefits (and more?). However, I fail to see why there
is a need to have an L2TP (and UDP) layer(s) between PPP and IPSec. As I understand
L2TP, it would give us two benefits a) being able to tunnel PPP over several links, which
IPSec already gives us, and b) being able to specify telephone world things like calling /
called numbers and call failures due to a busy tone, which in a general IP world are non-relevant.

I agree that a lot of Internet connectivity is through a telephone network, but the calling numbers
should not be relied on for any sort of identification, despite what the telephone world people
would like to convince people to believe. The only valid usage for telephone numbers that
I see is call charging, but the ISPs are free to use L2TP for that purpose without there being
any need for IPSec security gateways or IPSec hosts knowing or even caring about it.

So, please show me what benefits PPP over L2TP over IPSec provides when compared
to just running PPP over IPSec? If there are some, which is possible, wouldn't it be
better to enhance IPSec protocol(s) to enable the same, instead of having L2TP?

--
Ari Huttunen                   phone: +358 9 859 900
Senior Software Engineer       fax  : +358 9 8599 0452

Data Fellows Corporation       http://www.DataFellows.com

F-Secure products: Integrated Solutions for Enterprise Security


References: