
Re: IPSec Complexity

Stephen Kent wrote:
> 
> mark,
> 
> The description you provide for filtering seems plausible, but is not
> in any standard. It implies a linkage between PPP, L2TP, and IPsec

The linkage between IPsec and L2TP is a standards track document
(draft-ietf-pppext-l2tp-security-05.txt).

The linkage between L2TP and PPP is a standards track RFC (RFC 2661).

The only missing element is a requirement for filters at the virtual
PPP interface actually defined in an RFC. Filtering traffic on an
interface or based on a PPP user is something that PPP Remote Access
vendors have done for years. Since there are no bits on the wire
required of these features, I suspect that the WG did not see fit to
write up an RFC. However, if we really, really, really, need an RFC for
it to be real, that could certainly be accomplished if we found the
people with the time to write it up and charter under which to publish
it. However, the more important thing to me and my customers is that the
given functionality exists and is available from multiple vendors. That
is certainly the case throughout the industry now. The fact that it is
not in an RFC is purely academic (again, which is not to say that it is
not worthwhile to document).


> that is not defined in any of those standards.  Also, in other than
> the dialup user case, e.g., in extranets and intranets based on
> IPsec, it is not clear that the same linkages will occur.
> 
> So, I guess I'm willing to believe that a vendor could create an
> implementation that maintained the SA linkages you describe, but it

In fact, by linking L2TP and IPsec, you get the filter linkages
described for free.

We have been doing remote access for years via leased lines and dialup
connections. We have filtering techniques galore for these at either end
of the connection. When you add IPsec for a VPN, in a sense you are
simply replacing the leased line with a tunneled connection over the
Internet. Securing that connection is necessary given that the internet
is a shared public medium, but I do not see why the filter techniques
defined in an IPsec RFC are any more real than those we have already
been using for years. In fact, I think it makes the transition much
easier for customers to NOT define a whole new protocol, but rather to
use what they are already familiar with.

> would appear that such linkages would be outside the scope of all the
> relevant standards.  Not being a fan of relying on vendor-specific
> implementation conventions to achieve security, I can't be too
> enthusiastic about this approach.
> 
> Steve

