
Re: IPSec Complexity



Stephen Kent wrote:
> 
> mark,
> 
> The description you provide for filtering seems plausible, but is not
> in any standard. It implies a linkage between PPP, L2TP, and IPsec
> that is not defined in any of those standards.  Also, in other than
> the dialup user case, e.g., in extranets and intranets based on
> IPsec, it is not clear that the same linkages will occur.
> 
> So, I guess I'm willing to believe that a vendor could create an
> implementation that maintained the SA linkages you describe, but it
> would appear that such linkages would be outside the scope of all the
> relevant standards.  Not being a fan of relying on vendor-specific
> implementation conventions to achieve security, I can't be too
> enthusiastic about this approach.
> 
> Steve


Howdy,

	I'm not sure yet where I come down on this debate. But I would like to
toss out some thoughts.

	Filtering linkages between PPP, L2TP, and IPsec are not standardized.
Mechanisms for treating an IPsec tunnel as an IGP friendly interface are
not standardized. Either of these would satisfy the majority of threat
models which the business market currently wishes to face. Perhaps other
solutions exist like modifying routing protocols to be IPsec tunnel
friendly instead of modifying IPsec to be IGP friendly. Or again, it has
been suggested on this list before that we could use iBGP and not sweat
making IGPs run. Doing a standardized interface mechanism in IPsec
conquers more threat models than does chaining together differing
filtering mechanisms on differing partial protocols. The PPP - L2TP -
IPsec(transport) model would be quickest to code/implement/bakeoff if we
have the will to go that direction. The world I think a lot of us would
like to see in the future is IPsec and PKIs happily collaborating to
solve the world's problems. And just on an emotional level, I recoil at
the legion of headers required to do the PPP/L2TP thing.

	Once upon a time, I proposed standardizing an IGP friendly IPsec
interface (using IPsec tunnels). For any who are interested see Subject=
"Re: IPSEC tunnels for LAN-to-LAN interop issue" from 2 Sep 99,
messageID=  <37CEAEAF.7E865D31@redcreek.com>. It's a pretty odd idea and
I've not even been able to convince myself to get fully behind it.
Perhaps with some help to clean up the stupid parts...  :-0



-- 
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903

