Re: Windows 2000 and Cicsco router interoperability

["CHINNA N.R. PELLACURU" <pcn@cisco.com>]

And one more benefit of using L2TP/IPSec is, it can support securing IP
multicast traffic, atleast over the vpn link. But if you are using native
IPSec with Mode-config/Xauth, you can't secure multicast traffic, and you
will need to have atleast GRE to do this.

I wonder how much benefit we can get out of "L2TP Header Compression".

Regarding access control, some customers raised concerns that, if a client
has a VPN link connected to the corporate intranet, and is also directly
connected to the Internet, then they can't enforce the corporate firewall
policy on that client, like they can if the client was actually in the
intranet. There were also concerns raised that if the client is
directly connected to the Internet, it could be hacked, and won't be able
to have the same protection that the corporate firewall provides.

There are atleast two ways of dealing with this:

1. put an equalent of the corporate firewall on the client so that it can
defend itself, and also enforce the corporate firewall policy.

2. have a very simple policy on the client that says all traffic will go
via the VPN link to the corporate network, and the client will accept/send
nothing else. This would be the true emulation of the Dial-in remote
access, and this can be acheived naturally using L2TP.

    chinna


On Thu, 11 May 2000, Stephen Kent wrote:

> At 2:54 PM -0700 5/10/00, CHINNA N.R. PELLACURU wrote:
> >I can't speak for the whole of Cisco, but the way I look at it is:
> >
> >Modeconfig/Xauth are being supported as quick hack to get something to
> >work, and get something to customers, until there is a client that can do
> >IPSec and L2TP.
> >
> >I beleive that it is not our long term vision, to ship Modeconfig/Xauth. I
> >beleive that Cisco's long term goal is to follow whatever is standardized
> >in the IPSRA WG, because that's what IPSRA WG is chartered to solve.
> >
> 
> That's one view.
> 
> Another perspective is that L2TP over IPsec represents an effort by 
> Microsoft & Cisco to preserve a joint development investment in L2TP, 
> irrespective of its technical merit in this context :-). If I am 
> sending non-IP packets, L2TP is appropriate, but if I am sending IP, 
> then the extra headers introduced by L2TP are not only wasteful of 
> bandwidth on a continuing basis, but they also interfere with the 
> access controls that are an essential part of IPsec. One needs some 
> means of dealing with bind time connection parameters, but use of 
> L2TP on a continuing basis is an expensive means of achieving this 
> goal.
> 
> Steve
> 
> 

chinna narasimha reddy pellacuru
s/w engineer

---

Follow-Ups:

• Re: Windows 2000 and Cicsco router interoperability
• From: Will Price <wprice@cyphers.net>
• Re: Windows 2000 and Cicsco router interoperability
• From: "CHINNA N.R. PELLACURU" <pcn@cisco.com>

References:

• Re: Windows 2000 and Cicsco router interoperability
• From: Stephen Kent <kent@bbn.com>

---

• Prev by Date: RE: about compliance
• Next by Date: RE: Windows 2000 and Cicsco router interoperability
• Prev by thread: Re: Windows 2000 and Cicsco router interoperability
• Next by thread: Re: Windows 2000 and Cicsco router interoperability
• Index(es):
  • Main
  • Thread