
Re: IPSec Complexity



  Remember the title of this thread is "IPSec Complexity". It started
out as a way to get rid of a mode while maintaining the functionality of 
tunneling. There are security issues with that. So now we have come full
circle when the solution to address the security problems (and still
have tunneling and still get rid of one mode) is more complex than the 
original tunneling design.

  Dan.

On Fri, 18 Feb 2000 13:46:24 EST you wrote
> 
> I assume you are talking about the traffic within the L2TP+IPSEC tunnel.  You
> are right that without additional filters on the PPP interfaces associated with
> the secure tunnel, all traffic is permitted as long as it arrived on the SA
> bundle protecting L2TP.  On the other hand, if only FTP and Telnet traffic is
> permitted to servers X, Y, and Z, these filters could be defined on the PPP
> interface.  This configuration moves very transparently in this case, since in
> many cases you are essentially replacing a leased/dialup line running PPP with a
> virtual PPP interface running on top of secure IP.

