[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSec Complexity

To: Skip Booth <ebooth@cisco.com>
Subject: Re: IPSec Complexity
From: Stephen Kent <kent@bbn.com>
Date: Fri, 18 Feb 2000 10:10:08 -0500
Cc: ipsec@lists.tislabs.com
In-Reply-To: <Pine.GSO.4.10.10002172300220.27939-100000@uzura.cisco.com>
References: <Pine.GSO.4.10.10002172300220.27939-100000@uzura.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

Skip,

Unfortunately, IPsec over L2TP looses many of the access control 
features of IPsec, because the receiver no longer examines the inner 
IP header to see if it matches the selectors for the SA via which the 
packet arrived.  Since the SA binding is lost as soon as the packet 
leaves the IPsec processing, no later filtering can provide the same 
sort of checks.

Steve

Follow-Ups:

Re: IPSec Complexity

From: Skip Booth <ebooth@cisco.com>

References:

Re: IPSec Complexity

From: Skip Booth <ebooth@cisco.com>

Prev by Date: Re: IPSec Complexity
Next by Date: Re: IPSec Complexity
Prev by thread: Re: IPSec Complexity
Next by thread: Re: IPSec Complexity
Index(es):
- Main
- Thread