Re: IPSec Complexity

[Frederic Detienne <fd@cisco.com>]

Skip Booth wrote:
> 
> On Fri, 18 Feb 2000, Frederic Detienne wrote:
> 
> > >
> > > I agree.  One very nice thing about L2TP+IPSEC is that it looks like a network
> > > interface with security features versus a IPSEC in tunnel mode which is a layer
> > > 3 security transport. Since there is a PPP interface on top of L2TP, all the of
> > > the interface specific stuff runs transparent to IPSEC. There are no Routing
> > > protocol issues and standardized, well deployed MIBs are available for the
> > > interface.  PPP and L2TP also give you built-in keepalives for interface
> > > maintenance.
> >
> 
> > I think the presence of an IPSec tunnel interface is a matter of
> > implementation. Nothing prevents you a priori from having such an interface
> > and you could very well have the traffic run independent of the IPSec thing.
> 
> I agree to some degree.  You certainly can implement a IPSEC tunnel interface.
> Not sure how many SA's you have to set up though. Would you negotiate a new SA
> for every new route you learned?.  This would be very cumbersome for mesh
> connectivity as it would lead to a huge set of SA's. On the other hand I guess
> you could set your filters to encompass all traffic.

There is a potential catch 22 here: do you have routing protocols over IPSec or next to it ?

You can have both (in some cases, you _need_ both). The routing protocols out of IPSec helps establishing the tunnel, the routes you pass through the tunnel helps you not establishing new SA's. Especially in a dynamic environment like TED.

Even with IPSec and no interface, you have that problem. This is more a design issue.

> You also cannot assume at this point that your peer also implements a IPSEC
> Tunnel interface design.  There certainly is nothing in the current set of
> standards which addresses this issue.  With L2TP + IPSEC you know that both
> peers have a PPP interface which is standardized so there are no
> interoperability issues here.

It does not matter. The implementation and/or interface (the set of commands) you offer has little to see with the bits on the wire. The implemenation/interface can prevent users from exploiting the full power of a protocol or conversely allows incorrect things to be defined.

In no way can this affect interoperability (besides the expressivity power). There are examples of interface-enabled IPSec implementations working together with non intercace-enabled implementations.

Notice that you could also run routing protocols over an IPSec tunnel even without having a dedicated interface. This is, again, a matter of overall design and not a problem in IPSec itself.

> >
> > But I agree L2TP has some advantages; it would help in not re-inventing the
> > wheel with IPSec (thinking here of mode config). L2TP however does not have
> > an inherent "configuration" advantage over an IPSec tunnel.
> 
> Not sure what you mean here.  PPP supports a very robust negotiation protocol
> for it's link layer characteristics (LCP), and it's network protocols (NCPs).
> IPCP is the control protocol which PPP uses to set up IP.  IPCP already supports
> address, DNS, WINS, and Gateway assignment.

I was agreeing with you about the advantage of l2tp (parameter negociation). I just wanted to say that beyond the negociation, a tunnel is a tunnel and what you can transport with l2tp, you can do with IPSec.

	fred


-- 
------------------------- * oOo * -------------------------
                        CiscoSystems

                   Frederic Detienne, CDE
                 Security & Network Services

                     Tel 32 2 704 55 55

---

References:

• Re: IPSec Complexity
• From: Skip Booth <ebooth@cisco.com>

---

• Prev by Date: Re: IPSec Complexity
• Next by Date: RE: Bruce Schneier on IPsec
• Prev by thread: Re: IPSec Complexity
• Next by thread: Re: IPSec Complexity
• Index(es):
  • Main
  • Thread