RE: Windows 2000 and Cisco router interoperability
At 11:58 PM -0700 5/12/00, Jan Vilhuber wrote:
>On Fri, 12 May 2000, Stephen Kent wrote:
> > Shekhar,
> >
> > >I can understand the waste of bandwidth by L2TP.
> > >But, can you please elaborate more on how does L2TP interfere
> > >with the access controls?
> >
> > IPsec includes access controls analogous to those of a stateless,
> > packet filtering firewall. The receiver knows the SA to which each
> > packet is cryptographically bound, thus it can match the packet
> > headers (selectors) against those that were negotiated for the SA in
> > question. If a packet arrives over a tunnel mode SA, the receiving
> > IPsec implementation checks the inner IP (and transport layer)
> > header, while in transport mode, the outer IP header (and the inner
> > transport header). When L2TP is used with IPsec, the L2TP spec calls
> > for transport mode SAs, which means that only the outer IP header is
> > checked. Thus the tunneled IP packet is not checked for access
> > control purposes by IPsec.
> >
> > Once a packet leaves the IPsec environment, this binding to an SA is
> > lost (unless some non-standard mechanisms are employed to maintain
> > the binding). So the best that a separate firewall can do is to match
> > the packet against its filter list to see if it matches ANY filter
> > rule. This is much less secure.
> >
>But no less useful.
>
>jan
> --
>Jan Vilhuber vilhuber@cisco.com
>Cisco Systems, San Jose (408) 527-0847
If reduced security in a context that focuses on security (else why
use IPsec at all?) is considered equivalent, then maybe we all need
to revisit the goals of these protocols.
Steve
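The distinction Steve draws above (per-SA selector checking in tunnel mode versus a separate stateless filter that has lost the SA binding after L2TP over transport mode), as an added illustration that is not part of the thread. It is a small Python model; the sites, addresses, rules and the L2TP/transport selector are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Header:  # IP addresses plus the transport header that follows them
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Selector:  # negotiated SA selector, or one firewall rule
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int] = None  # None = any port
    def matches(self, h: Header) -> bool:
        return (ip_address(h.src) in ip_network(self.src_net)
                and ip_address(h.dst) in ip_network(self.dst_net)
                and self.proto == h.proto
                and (self.dport is None or self.dport == h.dport))

def ipsec_check(mode, selector, outer, inner):
    """Tunnel mode matches the inner header, transport mode only the outer one."""
    hdr = inner if mode == "tunnel" else outer
    return hdr is not None and selector.matches(hdr)

def deliver(mode, selector, outer, inner, rules):
    """Inbound decision. After L2TP over transport mode the inner packet has lost
    its SA binding, so a separate firewall can only ask: does ANY rule match?"""
    if not ipsec_check(mode, selector, outer, inner):
        return False
    if mode == "transport" and inner is not None:
        return any(r.matches(inner) for r in rules)
    return True

# Constructed scenario: site A (10.1.0.0/16) -> web server, site B (10.3.0.0/16) -> SSH host.
RULES = [Selector("10.1.0.0/16", "10.2.0.5", "tcp", 443),
         Selector("10.3.0.0/16", "10.2.0.9", "tcp", 22)]
SA_A_TUNNEL = RULES[0]                                       # site A, tunnel mode
SA_A_L2TP = Selector("192.0.2.1", "192.0.2.2", "udp", 1701)  # site A, L2TP/transport
OUTER_A = Header("192.0.2.1", "192.0.2.2", "udp", 1701)      # outer header from site A
# Inner packet arriving over site A's SA but carrying a site-B source address.
MISBOUND = Header("10.3.0.7", "10.2.0.9", "tcp", 22)

def tunnel_decision():  # inner header fails site A's selector -> False
    return deliver("tunnel", SA_A_TUNNEL, OUTER_A, MISBOUND, RULES)
def l2tp_decision():    # only outer UDP/1701 is checked; firewall hits rule B -> True
    return deliver("transport", SA_A_L2TP, OUTER_A, MISBOUND, RULES)
```

Run both decisions side by side: the same inner packet is dropped by the tunnel-mode selector check but accepted in the L2TP case because the firewall matches it against any rule, which is exactly the weakening described above.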