RE: Windows 2000 and Cisco router interoperability
Shekhar,
>I can understand the waste of bandwidth by L2TP.
>But, can you please elaborate more on how L2TP interferes
>with the access controls?
IPsec includes access controls analogous to those of a stateless,
packet filtering firewall. The receiver knows the SA to which each
packet is cryptographically bound, thus it can match the packet
headers (selectors) against those that were negotiated for the SA in
question. If a packet arrives over a tunnel mode SA, the receiving
IPsec implementation checks the inner IP (and transport layer)
header, while in transport mode, the outer IP header (and the inner
transport header). When L2TP is used with IPsec, the L2TP spec calls
for transport mode SAs, which means that only the outer IP header is
checked. Thus the tunneled IP packet is not checked for access
control purposes by IPsec.
Once a packet leaves the IPsec environment, this binding to an SA is
lost (unless some non-standard mechanisms are employed to maintain
the binding). So the best that a separate firewall can do is to match
the packet against its filter list to see if it matches ANY filter
rule. This is much less secure.
Steve
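The selector check Steve describes, as an added example in Python (written for this note, not code from the post or from any real IPsec implementation). It models RFC 2401-style inbound checking: a tunnel-mode SA compares its negotiated selectors against the inner IP and transport headers, a transport-mode SA against the outer IP header plus the transport header it carries. With L2TP over a transport-mode SA the SA's selectors only describe the UDP/1701 L2TP flow between the two endpoints, so the IP packet carried inside the L2TP/PPP payload is never matched against policy. The addresses, networks and rules are constructed for the example; `firewall_any_rule` stands in for the separate stateless firewall that has lost the SA binding and therefore accepts a packet if it matches any rule at all.

```python
"""Model of IPsec inbound selector checking to show why L2TP over a
transport-mode SA bypasses IPsec access control for the tunneled packet.
Illustrative example only; not a real IPsec stack."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

L2TP_PORT = 1701  # L2TP is carried over UDP port 1701


@dataclass(frozen=True)
class IPHdr:
    src: str
    dst: str
    proto: str            # "udp", "tcp", "esp", ... or the inner payload protocol


@dataclass(frozen=True)
class L4Hdr:
    sport: int
    dport: int


@dataclass(frozen=True)
class Packet:
    """Packet as seen after ESP decryption. For tunnel mode, or for an
    L2TP-carried IP packet, inner_* hold the encapsulated packet's headers."""
    outer_ip: IPHdr
    outer_l4: Optional[L4Hdr] = None
    inner_ip: Optional[IPHdr] = None
    inner_l4: Optional[L4Hdr] = None


@dataclass(frozen=True)
class SA:
    """Selectors negotiated for an SA (also reused as a plain firewall rule)."""
    mode: str             # "tunnel", "transport" (or "rule" for firewall entries)
    src_range: str        # CIDR
    dst_range: str        # CIDR
    proto: str            # protocol name or "any"
    dport: Optional[int] = None   # None means any destination port


def selectors_match(sa: SA, ip: Optional[IPHdr], l4: Optional[L4Hdr]) -> bool:
    """Stateless match of one header pair against one set of selectors."""
    if ip is None:
        return False
    if ip_address(ip.src) not in ip_network(sa.src_range):
        return False
    if ip_address(ip.dst) not in ip_network(sa.dst_range):
        return False
    if sa.proto != "any" and ip.proto != sa.proto:
        return False
    if sa.dport is not None and (l4 is None or l4.dport != sa.dport):
        return False
    return True


def ipsec_inbound_check(sa: SA, pkt: Packet) -> bool:
    """Tunnel mode: the SA selectors describe the inner headers.
    Transport mode: they describe the outer IP header and its transport header."""
    if sa.mode == "tunnel":
        return selectors_match(sa, pkt.inner_ip, pkt.inner_l4)
    return selectors_match(sa, pkt.outer_ip, pkt.outer_l4)


def firewall_any_rule(rules: List[SA], ip: Optional[IPHdr], l4: Optional[L4Hdr]) -> bool:
    """Separate firewall after IPsec: the SA binding is gone, so the best it can
    do is accept a packet that matches ANY rule in its list."""
    return any(selectors_match(r, ip, l4) for r in rules)


# --- constructed scenario ---------------------------------------------------
# Remote peer 203.0.113.5 reaches gateway 198.51.100.1. Policy intent: that
# peer may only reach 10.0.1.0/24; a second peer 203.0.113.9 may reach 10.0.2.0/24.
L2TP_SA = SA("transport", "203.0.113.5/32", "198.51.100.1/32", "udp", L2TP_PORT)
TUNNEL_SA = SA("tunnel", "203.0.113.5/32", "10.0.1.0/24", "any")
FW_RULES = [
    SA("rule", "203.0.113.5/32", "10.0.1.0/24", "any"),
    SA("rule", "203.0.113.9/32", "10.0.2.0/24", "any"),
]


def l2tp_packet(inner_dst: str) -> Packet:
    """L2TP/IPsec: outer UDP/1701 flow; the real IP packet rides inside PPP."""
    return Packet(
        outer_ip=IPHdr("203.0.113.5", "198.51.100.1", "udp"),
        outer_l4=L4Hdr(1701, L2TP_PORT),
        inner_ip=IPHdr("203.0.113.5", inner_dst, "tcp"),
        inner_l4=L4Hdr(40000, 80),
    )


def tunnel_packet(inner_src: str, inner_dst: str) -> Packet:
    """Plain IPsec tunnel mode: the inner packet is what the SA selectors cover."""
    return Packet(
        outer_ip=IPHdr("203.0.113.5", "198.51.100.1", "esp"),
        inner_ip=IPHdr(inner_src, inner_dst, "tcp"),
        inner_l4=L4Hdr(40000, 80),
    )


def compare(sa: SA, pkt: Packet) -> Tuple[bool, bool]:
    """(IPsec verdict bound to the SA, firewall verdict without that binding)."""
    return ipsec_inbound_check(sa, pkt), firewall_any_rule(FW_RULES, pkt.inner_ip, pkt.inner_l4)


if __name__ == "__main__":
    print("L2TP, inner dst in allowed net :", ipsec_inbound_check(L2TP_SA, l2tp_packet("10.0.1.7")))
    print("L2TP, inner dst in other net   :", ipsec_inbound_check(L2TP_SA, l2tp_packet("10.0.2.7")))
    print("tunnel, inner dst in other net :", ipsec_inbound_check(TUNNEL_SA, tunnel_packet("203.0.113.5", "10.0.2.7")))
    print("tunnel vs firewall, wrong src  :", compare(TUNNEL_SA, tunnel_packet("203.0.113.9", "10.0.2.7")))
```

The run shows the two failure modes from the post: over the transport-mode L2TP SA, a carried packet destined for 10.0.2.7 passes IPsec because only the outer UDP/1701 headers are compared, whereas the tunnel-mode SA rejects it. In the last case the inner source address belongs to the other peer; the tunnel-mode SA rejects it because the packet is cryptographically bound to an SA whose selectors name a different source, while the standalone firewall accepts it because some rule in the list matches.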