
Re: IPSec Complexity




On Fri, 18 Feb 2000, Dan Harkins wrote:

>   Remember the title of this thread is "IPSec Complexity". It started
> out as a way to get rid of a mode while maintaining the functionality of 
> tunneling. There are security issues with that. So now we have come full
> circle when the solution to address the security problems (and still
> have tunneling and still get rid of one mode) is more complex than the 
> original tunneling design.

I don't think it is any more complex.  It does remove one mode from IPSEC and
it builds upon infrastructures which already exist.  L2TP and PPP are very
mature protocols at this point, and the concept of filtering on an interface
like PPP is a very well understood concept (especially by our customers). Anyway
I will reiterate that I think removing either mode from IPSEC is a moot point
since I wonder how seriously any of us think this could happen.

-Skip

> 
>   Dan.
> 
> On Fri, 18 Feb 2000 13:46:24 EST you wrote
> > 
> > I assume you are talking about the traffic within the L2TP+IPSEC tunnel.  You
> > are right that without additional filters on the PPP interfaces associated with
> > the secure tunnel, all traffic is permitted as long as it arrived on the SA
> > bundle protecting L2TP.  On the other hand, if only FTP and Telnet traffic is
> > permitted to servers X, Y, and Z, these filters could be defined on the PPP
> > interface.  This configuration moves very transparently in this case, since in
> > many cases you are essentially replacing a leased/dialup line running PPP with a
> > virtual PPP interface running on top of secure IP.
> 
> 
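The two policies contrasted in the quoted message (no filters on the virtual PPP interface versus FTP/Telnet only to servers X, Y and Z) are modelled below as an added illustration; this is not code from the original thread or from any L2TP/IPsec implementation. It assumes packets have already passed the IPsec SA bundle, been decapsulated from L2TP, and are now arriving on a virtual interface named ppp0; the server addresses are constructed placeholders.

```python
"""Model of interface filtering on a PPP-over-L2TP-over-IPsec tunnel.

Assumption (constructed for this example): the packets below have already
been authenticated by the IPsec SA bundle and stripped of L2TP, and are
being evaluated as they enter the virtual PPP interface "ppp0".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str            # "tcp", "udp", "icmp"
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str            # "tcp", "udp", "icmp" or "any"
    dst_net: str          # CIDR, e.g. "192.0.2.10/32"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.in_iface == self.iface
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Policy 1: no filters on the PPP interface. Everything that arrived on the
# SA bundle protecting L2TP is permitted, which is the concern raised above.
OPEN_POLICY: List[Rule] = []

# Policy 2: only FTP (21) and Telnet (23) to servers X, Y, Z, expressed as
# interface filters on ppp0 rather than as IPsec selectors. Placeholder IPs.
SERVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
RESTRICTED_POLICY: List[Rule] = [
    Rule("ppp0", "tcp", f"{srv}/32", port, "permit")
    for srv in SERVERS for port in (21, 23)
]
```

With OPEN_POLICY the interface has to be evaluated with `default="permit"` to reproduce the all-traffic-allowed behaviour; with RESTRICTED_POLICY the deny default does the work and anything outside the FTP/Telnet-to-X/Y/Z set is dropped.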
