
RE: Windows 2000 and Cisco router interoperability



  Shekhar,

>I can understand the waste of bandwidth by L2TP.
>But, can you please elaborate more on how does L2TP interfere
>with the access controls?

IPsec includes access controls analogous to those of a stateless, 
packet filtering firewall.  The receiver knows the SA to which each 
packet is cryptographically bound, thus it can match the packet 
headers (selectors) against those that were negotiated for the SA in 
question. If a packet arrives over a tunnel mode SA, the receiving 
IPsec implementation checks the inner IP (and transport layer) 
header, while in transport mode, the outer IP header (and the inner 
transport header).  When L2TP is used with IPsec, the L2TP spec calls 
for transport mode SAs, which means that only the outer IP header is 
checked.  Thus the tunneled IP packet is not checked for access 
control purposes by IPsec.

Once a packet leaves the IPsec environment, this binding to an SA is 
lost (unless some non-standard mechanisms are employed to maintain 
the binding). So the best that a separate firewall can do is to match 
the packet against its filter list to see if it matches ANY filter 
rule.  This is much less secure.

Steve
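The two points in the reply above (transport-mode SAs only check the outer header, so an L2TP payload escapes the selector check; and a firewall that has lost the packet-to-SA binding can only ask whether any rule matches) can be shown with a small model of IPsec inbound selector checking. This is an added illustration, not code from the thread or from any IPsec implementation; the addresses, ports, SPIs and selectors are constructed examples.

```python
"""Toy model of IPsec inbound selector (access-control) checking.

Added illustration of the reply above: the SA modes, selectors, addresses,
ports and SPIs here are constructed examples, not values from the thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional
from ipaddress import ip_address, ip_network

TCP, UDP, ESP = 6, 17, 50
L2TP_PORT = 1701


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inner: Optional[Packet] = None   # encapsulated IP packet (tunnel-mode or L2TP payload)


@dataclass(frozen=True)
class Selector:
    """Traffic selector negotiated for an SA: src/dst prefix, protocol, dest port."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class SA:
    spi: int
    mode: str            # "tunnel" or "transport"
    selector: Selector


def ipsec_inbound_check(sa: SA, pkt: Packet) -> bool:
    """Accept only if the headers IPsec actually sees match the SA's selector.

    Tunnel mode: the inner IP/transport header is checked.
    Transport mode: the outer IP header plus its transport header is checked;
    whatever is carried inside that payload (e.g. an L2TP frame) is opaque.
    """
    if sa.mode == "tunnel":
        return pkt.inner is not None and sa.selector.matches(pkt.inner)
    return sa.selector.matches(pkt)


def firewall_any_rule(rules: list[Selector], pkt: Packet) -> bool:
    """A separate stateless firewall that no longer knows which SA delivered
    the packet: the best it can do is ask whether ANY rule matches."""
    return any(r.matches(pkt) for r in rules)


def l2tp_transport_mode_scenario() -> tuple[bool, bool]:
    """L2TP over a transport-mode SA vs. the same inner traffic on a tunnel-mode SA."""
    # Constructed: remote client -> VPN gateway, L2TP carried in UDP/1701.
    sa_transport = SA(0x1001, "transport",
                      Selector("203.0.113.5/32", "198.51.100.1/32", UDP, L2TP_PORT))
    inner = Packet("10.0.0.5", "10.0.0.99", TCP, 23)           # tunneled telnet session
    l2tp_pkt = Packet("203.0.113.5", "198.51.100.1", UDP, L2TP_PORT, inner=inner)
    # Only the outer UDP/1701 header is matched; the inner telnet packet is never seen.
    accepted_by_transport_sa = ipsec_inbound_check(sa_transport, l2tp_pkt)

    # Tunnel-mode SA whose negotiated selector permits only HTTPS to the server.
    sa_tunnel = SA(0x1002, "tunnel", Selector("10.0.0.0/24", "10.0.0.99/32", TCP, 443))
    accepted_by_tunnel_sa = ipsec_inbound_check(sa_tunnel, l2tp_pkt)
    return accepted_by_transport_sa, accepted_by_tunnel_sa      # (True, False)


def lost_binding_scenario() -> tuple[bool, bool]:
    """Two tunnel-mode SAs with different peers. A packet arriving over SA B
    carries inner headers that only SA A's selector permits: the per-SA check
    rejects it, a flat rule list that lost the SA binding accepts it."""
    sel_a = Selector("10.1.0.0/24", "10.0.0.99/32", TCP, 22)    # peer A: SSH only
    sel_b = Selector("10.2.0.0/24", "10.0.0.99/32", TCP, 443)   # peer B: HTTPS only
    sa_b = SA(0x2002, "tunnel", sel_b)
    inner = Packet("10.1.0.7", "10.0.0.99", TCP, 22)
    pkt_on_b = Packet("198.51.100.2", "198.51.100.1", ESP, inner=inner)
    per_sa = ipsec_inbound_check(sa_b, pkt_on_b)                # False: wrong SA for this traffic
    flat = firewall_any_rule([sel_a, sel_b], inner)             # True: sel_a matches
    return per_sa, flat


if __name__ == "__main__":
    print("L2TP/transport vs tunnel:", l2tp_transport_mode_scenario())
    print("per-SA check vs any-rule firewall:", lost_binding_scenario())
```

The first scenario is the L2TP case from the reply: the transport-mode check passes on the outer UDP/1701 header alone, while a tunnel-mode SA with a narrow selector would reject the same inner packet. The second scenario shows why a downstream firewall is weaker once the SA binding is gone: the inner packet matches some rule, just not the rule negotiated for the SA it actually arrived on.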


