
Re: IPSec Complexity
On Fri, 18 Feb 2000, Stephen Kent wrote:

> Skip,
> 
> Unfortunately, IPsec over L2TP loses many of the access control 
> features of IPsec, because the receiver no longer examines the inner 
> IP header to see if it matches the selectors for the SA via which the 
> packet arrived.  Since the SA binding is lost as soon as the packet 
> leaves the IPsec processing, no later filtering can provide the same 
> sort of checks.

This argument has been made many a time, so I doubt I am going to shed very much
new light on it.  However, my perception is that the only loss incurred is
the ability to provide different levels of security for different traffic
between two peers.  For instance, the ability to say FTP traffic gets 3DES and
SHA with lifetimes of 10 min and Telnet gets DES and MD5 with a lifetime of 15
minutes.  Since the traffic is hidden underneath the PPP header for L2TP, you
lose this ability.

In terms of pure access control, the filters can be applied to the PPP interface
and achieve the same result as if they were applied to the IPSEC tunnel.  Again,
the only loss is that the PPP interface cannot tell which SA the packet arrived
on, but it does know that the packet was at least secured with the appropriate
L2TP security policy.

I am not sure how many customers are really going to worry whether their FTP
traffic has different security parameters than their Telnet traffic.  I think
for the most part they will have one security policy for their VPN, and in this
case L2TP should do just fine.  The simplicity argument will most likely
prevail in this case.

-Skip

> 
> Steve
> 
> 

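The two receive-side checks argued about in this thread, as an added toy model that is not code from either poster: the native IPsec receiver compares the decapsulated inner IP header against the selectors of the SA the packet arrived on, while in the L2TP-over-IPsec case the user packet is hidden inside PPP, so the only place left to filter is the PPP interface, which knows the packet came through the tunnel's IPsec policy but not which SA carried it. The SA names, address ranges, per-class SAs for FTP and Telnet, and the sample packets are all constructed for illustration.

```python
# Added example: a toy model of the two receive-side checks discussed in
# this thread.  It is not code from the thread's authors; the addresses,
# SA names and filter rules are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address ranges plus optional protocol/port."""
    src_net: str
    dst_net: str
    proto: Optional[str] = None   # None means any protocol
    dport: Optional[int] = None   # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# --- Native IPsec: one SA per traffic class, each with its own selectors.
# (Constructed: two SAs between the same pair of gateways, one negotiated
# for FTP control traffic and one for Telnet, mirroring the post above.)
IPSEC_SAS = {
    "sa_ftp":    Selector("10.1.0.0/16", "10.0.0.0/16", "tcp", 21),
    "sa_telnet": Selector("10.1.0.0/16", "10.0.0.0/16", "tcp", 23),
}


def ipsec_receive(sa_id: str, inner: Packet) -> bool:
    """Receiver-side check: after decapsulation, the inner IP header must
    match the selectors of the SA the packet arrived on, else it is dropped."""
    sel = IPSEC_SAS.get(sa_id)
    return sel is not None and sel.matches(inner)


# --- L2TP over IPsec: the single IPsec SA protects the L2TP/UDP flow between
# the gateways; the user's IP packet is hidden inside PPP, so the SA
# selectors cannot name it.  Access control moves to a filter on the PPP
# interface (constructed rule set for the hypothetical interface ppp0).
PPP_FILTERS = {
    "ppp0": [Selector("10.1.0.0/16", "10.0.0.0/16", "tcp", 21),
             Selector("10.1.0.0/16", "10.0.0.0/16", "tcp", 23)],
}


def l2tp_receive(ifname: str, inner: Packet) -> bool:
    """Filter on the PPP interface: it knows the packet arrived secured under
    the tunnel's IPsec policy, but not which SA (if several) carried it."""
    return any(rule.matches(inner) for rule in PPP_FILTERS.get(ifname, []))


def compare(sa_id: str, ifname: str, inner: Packet) -> Tuple[bool, bool]:
    """(accepted by native IPsec SA check, accepted by PPP interface filter)."""
    return ipsec_receive(sa_id, inner), l2tp_receive(ifname, inner)


if __name__ == "__main__":
    telnet = Packet("10.1.5.5", "10.0.1.1", "tcp", 23)
    outsider = Packet("192.168.7.7", "10.0.1.1", "tcp", 23)
    # Telnet on the Telnet SA: both models accept.
    print(compare("sa_telnet", "ppp0", telnet))
    # Telnet arriving on the FTP SA: the SA-bound check rejects it, the
    # PPP-interface filter cannot see the mismatch and accepts it.
    print(compare("sa_ftp", "ppp0", telnet))
    # Source outside the negotiated range: both reject.
    print(compare("sa_telnet", "ppp0", outsider))
```

The third case is the address-level access control both posters agree survives the move to a PPP-interface filter; the second case is the per-SA binding that only the native IPsec check can enforce, which is of interest only when different traffic classes between the same two peers are given different SAs.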