Re: IPSec Complexity



>In terms of pure access control, the filters can be applied to the PPP interface
>and achieve the same result as if they were applied to the IPSEC tunnel. Again
>the only loss is that the PPP interface can not tell which SA the packet arrived
>on, but it does know that the packet was at least secured with the appropriate
>L2TP security policy.

Steve Kent already pointed out that filters can't ensure that
packets actually came from their intended source, while IPsec
security policy can.  One other drawback with filters: you have
no idea what sort of filters your peer might have, since filters
aren't negotiated.  It could very well be that you've set up an
L2TP-in-IPsec connection, but the other side has its filters set
such that it's dropping every packet you send, so all the work
you put into encapsulation/encryption/authentication is going to
waste.  With IPsec tunnel mode, both sides have to agree on what
the security policy for the tunnel is going to be at Quick Mode
negotiation time; otherwise, the tunnel mode SAs aren't going to
get established in the first place.

That being said, L2TP-in-IPsec is quite useful when you want to
tunnel non-IP traffic (believe it or not, some people do still
use protocols other than IP...), and for many other applications.
Very rarely is there ever one perfect protocol to solve all the
world's problems, and truth be told, that applies to the question
of tunnel vs. transport mode in IPsec as well.  The difference
between the two requires far less code than, say, that which is
necessary to authenticate a digital signature with certificates,
regardless of what security protocol one uses...

-Shawn Mamros
E-mail to: smamros@nortelnetworks.com
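A toy model of the two points argued above, added here as an illustration and not part of the thread or of any IPsec implementation: (1) Quick Mode installs tunnel-mode SAs only when both peers' traffic selectors agree, whereas a filter is never negotiated and a mismatch only shows up as the peer silently discarding traffic; (2) IPsec inbound processing checks the decapsulated packet against the selectors of the SA it arrived on, while a filter on the PPP interface cannot tell which SA delivered the packet. The addresses, SPIs, selector sets and the exact-match negotiation rule are all constructed assumptions for the demo.

```python
"""Added example (not from the mailing-list thread): unilateral interface
filters versus negotiated IPsec tunnel-mode policy, as a small simulation.
All addresses, SPIs and selector sets are constructed for the demo; the
Quick Mode "mirror image" rule is a simplification of real proxy-ID matching.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Selector:
    """Traffic selector: inner src/dst prefixes plus protocol ("any" = wildcard)."""
    src: str
    dst: str
    proto: str = "any"

    def covers(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto))

    def mirrored(self) -> "Selector":
        """The same policy as seen from the other end of the tunnel."""
        return Selector(self.dst, self.src, self.proto)


def quick_mode_agree(initiator_proposal: Selector, responder_policy: Selector) -> bool:
    """Phase 2 (simplified): the responder installs SAs only if the proposed
    proxy IDs are the mirror image of its own policy entry."""
    return initiator_proposal == responder_policy.mirrored()


@dataclass(frozen=True)
class InboundSA:
    spi: int
    selector: Selector  # what this SA may carry, from the receiver's point of view


def ipsec_inbound(sa: InboundSA, inner_src: str, inner_dst: str, proto: str) -> str:
    """After decapsulation the inner packet must lie within the selectors of the
    SA it arrived on; otherwise it is dropped (RFC 2401-style inbound check)."""
    if sa.selector.covers(inner_src, inner_dst, proto):
        return "accept"
    return "drop: inner packet outside SA %#x selectors" % sa.spi


def ppp_filter(allowed: list, inner_src: str, inner_dst: str, proto: str) -> str:
    """Filter on the PPP interface: it knows the packet came through *some* SA
    but not which one, so it can only match on the inner addresses."""
    ok = any(s.covers(inner_src, inner_dst, proto) for s in allowed)
    return "accept" if ok else "drop"


def demo_source_binding() -> dict:
    """A packet claiming inner source 10.1.5.5 (branch A) arrives on branch B's SA.
    IPsec policy rejects it; the PPP filter cannot see the SA and lets it through."""
    sa_branch_a = InboundSA(0x1001, Selector("10.1.0.0/16", "192.168.0.0/24"))
    sa_branch_b = InboundSA(0x1002, Selector("10.2.0.0/16", "192.168.0.0/24"))
    ppp_allow = [sa_branch_a.selector, sa_branch_b.selector]
    pkt = ("10.1.5.5", "192.168.0.10", "tcp")  # constructed inner packet
    return {
        "ipsec_on_sa_a": ipsec_inbound(sa_branch_a, *pkt),
        "ipsec_on_sa_b": ipsec_inbound(sa_branch_b, *pkt),
        "ppp_filter": ppp_filter(ppp_allow, *pkt),
    }


def demo_negotiation() -> tuple:
    """Initiator wants 10.1.0.0/16 <-> 192.168.0.0/24; the responder's policy only
    covers 192.168.0.0/25. Tunnel mode fails at Quick Mode, before any traffic;
    with L2TP-in-IPsec plus filters the crypto work is done and the peer drops."""
    proposal = Selector("10.1.0.0/16", "192.168.0.0/24")
    responder_policy = Selector("192.168.0.0/25", "10.1.0.0/16")
    tunnel_established = quick_mode_agree(proposal, responder_policy)
    # The peer's un-negotiated filter, written from the peer's own perspective.
    peer_filter = [Selector("10.1.0.0/16", "192.168.0.0/25")]
    verdict = ppp_filter(peer_filter, "10.1.5.5", "192.168.0.200", "tcp")
    return tunnel_established, verdict


if __name__ == "__main__":
    print(demo_source_binding())
    print(demo_negotiation())
```

In `demo_source_binding` the SA-bound check is the only one that notices the packet arrived on the wrong SA; the interface filter accepts it because both prefixes are legitimate somewhere. In `demo_negotiation` the tunnel-mode path reports the policy mismatch as a failed negotiation, while the filter path returns a plain "drop" after encapsulation and encryption would already have been spent.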