RE: Windows 2000 and Cisco router interoperability
On Fri, 12 May 2000, Stephen Kent wrote:
> Shekhar,
>
> >I can understand the waste of bandwidth by L2TP.
> >But, can you please elaborate more on how does L2TP interfere
> >with the access controls?
>
> IPsec includes access controls analogous to those of a stateless,
> packet filtering firewall. The receiver knows the SA to which each
> packet is cryptographically bound, thus it can match the packet
> headers (selectors) against those that were negotiated for the SA in
> question. If a packet arrives over a tunnel mode SA, the receiving
> IPsec implementation checks the inner IP (and transport layer)
> header, while in transport mode, the outer IP header (and the inner
> transport header). When L2TP is used with IPsec, the L2TP spec calls
> for transport mode SAs, which means that only the outer IP header is
> checked. Thus the tunneled IP packet is not checked for access
> control purposes by IPsec.
>
> Once a packet leaves the IPsec environment, this binding to an SA is
> lost (unless some non-standard mechanisms are employed to maintain
> the binding). So the best that a separate firewall can do is to match
> the packet against its filter list to see if it matches ANY filter
> rule. This is much less secure.
>
But no less useful.
jan
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
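The selector check Stephen Kent describes above, modelled as an added example (this is illustrative code written for this page, not part of the thread and not any real IPsec implementation; all SPIs, addresses and selectors are constructed). It shows the three cases from his message: a tunnel-mode SA checks the decapsulated inner header against the negotiated selectors, a transport-mode SA carrying L2TP checks only the outer IP header plus the UDP/1701 transport header, and a separate firewall that has lost the SA binding can only ask whether the inner packet matches ANY rule.

```python
"""Model of the inbound IPsec selector check (RFC 2401 style), added as an
illustration of the thread above.  Constructed sample data throughout."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Selector:
    """Traffic selectors negotiated for an SA (or a firewall rule)."""
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: Optional[int] = None  # IP protocol, None = any
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, pkt: "Packet") -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass(frozen=True)
class Packet:
    """IP header as seen after IPsec processing.  For a tunnel-mode SA
    `inner` is the decapsulated IP packet; for transport-mode L2TP it is
    the IP packet carried inside the L2TP/PPP payload."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inner: Optional["Packet"] = None


@dataclass(frozen=True)
class SA:
    spi: int
    mode: str          # "tunnel" or "transport"
    selector: Selector


def ipsec_inbound_check(sa: SA, pkt: Packet) -> bool:
    """The receiver already knows which SA the packet is bound to (by SPI);
    this is the access-control step: compare the headers that the SA mode
    covers against the selectors negotiated for that SA."""
    if sa.mode == "tunnel":
        # Tunnel mode: the inner IP (and transport) header is checked.
        return pkt.inner is not None and sa.selector.matches(pkt.inner)
    # Transport mode: only the outer IP header plus the transport header.
    # Whatever an L2TP payload carries (pkt.inner) is never looked at.
    return sa.selector.matches(pkt)


def firewall_check(rules: List[Selector], pkt: Packet) -> bool:
    """A separate packet filter after IPsec: the SA binding is gone, so the
    best it can do is accept the packet if it matches ANY rule."""
    return any(rule.matches(pkt) for rule in rules)


# Constructed sample policy: two peers, each allowed only its own prefix.
SITE_A = Selector("10.1.1.0/24", "10.2.0.0/16")      # negotiated on peer A's SA
SITE_B = Selector("192.168.99.0/24", "10.2.0.0/16")  # negotiated on peer B's SA
sa_tunnel_a = SA(0x1001, "tunnel", SITE_A)
# Peer A's L2TP setup: transport-mode SA whose selectors are just the
# gateway addresses and UDP/1701 (hypothetical addresses).
sa_l2tp_a = SA(0x2001, "transport",
               Selector("203.0.113.5/32", "198.51.100.1/32", proto=17, dport=1701))


def tunnel_mode_demo():
    """Returns (legit accepted, packet spoofing peer B's address accepted)."""
    legit = Packet("203.0.113.5", "198.51.100.1", proto=50,
                   inner=Packet("10.1.1.7", "10.2.3.4", proto=6, dport=22))
    spoof = Packet("203.0.113.5", "198.51.100.1", proto=50,
                   inner=Packet("192.168.99.9", "10.2.3.4", proto=6, dport=22))
    return (ipsec_inbound_check(sa_tunnel_a, legit),
            ipsec_inbound_check(sa_tunnel_a, spoof))


def l2tp_transport_demo():
    """Same spoofed inner packet, but arriving inside L2TP over peer A's
    transport-mode SA.  Returns (IPsec accepted, separate firewall accepted)."""
    spoof = Packet("203.0.113.5", "198.51.100.1", proto=17, dport=1701,
                   inner=Packet("192.168.99.9", "10.2.3.4", proto=6, dport=22))
    ipsec_ok = ipsec_inbound_check(sa_l2tp_a, spoof)          # outer header matches
    fw_ok = firewall_check([SITE_A, SITE_B], spoof.inner)     # matches peer B's rule
    return ipsec_ok, fw_ok


if __name__ == "__main__":
    print("tunnel mode (legit, spoof):", tunnel_mode_demo())
    print("L2TP/transport (ipsec, firewall):", l2tp_transport_demo())
```

In the tunnel-mode case the packet carrying peer B's source address over peer A's SA is rejected by the SA selector check. In the L2TP case the same inner packet passes IPsec, because only the outer header and UDP/1701 were negotiated for the SA, and it also passes the downstream firewall, because that firewall no longer knows which SA the packet came from and 192.168.99.0/24 is legitimately allowed for some other peer.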