Re: Windows 2000 and Cisco router interoperability

Stephen Kent wrote:
> 
> At 11:41 AM -0700 5/14/00, Jan Vilhuber wrote:
> >In some people's minds, it's an acceptable trade-off, and others will think
> >differently.
> >
> >Personally, I don't see much difference with doing a check after decryption
> >and decapsulation, than doing it before. Yes, you may lose some context, but
> >so what.
> >
> >You can either burden IKE and IPSEC with a whole bunch more mechanisms for
> >user-authentication, authorization, and accounting, thus making the protocols
> >even MORE complex (and thus less likely to be completely understood and
> >analyzed for weaknesses), OR you can combine two simple (relatively)
> >mechanisms, and combine them. In fact, it is precisely because I DON'T want to
> >revisit these protocols, that I'm advocating l2tp+ipsec.
> >
> >The loss of security you claim exists there, I don't see.
> >
> >jan
> 
> As I noted, if one has lost the binding between a packet and the SA
> via which it arrived, because the access control decision is being

Ah, but the binding is not lost. As I have said to you and on this list
before, there is a 1:1 correlation between the SA, the l2tp session, the
"user-authorized" PPP session, and thus the access control and policy
for that user. This is key to the way l2tp+ipsec is intended to operate.
If you wish, we could even include a section in the l2tp-security draft
that spells this out in a more direct manner. The omission of this
specific text is only due to the fact that it is so plainly obvious to
those who have lived and worked in the traditional dialup space for
years. Perhaps it is this kind of input we need, however, to ensure that
we cover all points of reference. 

> made outside the IPsec module, then this decision is being made based
> on unauthenticated inputs, which is no better than what one gets from
> a typical firewall w/o IPsec.  I'd say this is a significant
> degradation of the security potential offered by IPsec.
> 
> Steve
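The disagreement above is about whether the access-control decision still knows which SA a packet arrived on. The following is an added illustrative model written for this page, not code from the thread, from Windows 2000, or from any Cisco or IETF implementation. It encodes the 1:1 chain the reply asserts (IPsec SA, L2TP session, PPP-authenticated user, per-user policy) as constructed lookup tables (`SA_TO_L2TP`, `L2TP_TO_USER`, `USER_ALLOWED_SRC`, all assumed) and contrasts a decision that checks every link of that chain against one made outside the IPsec module from the decapsulated header alone, which is the "unauthenticated inputs" case Steve describes.

```python
# Illustrative model, written for this page, of the 1:1 chain
# IPsec SA -> L2TP session -> authenticated PPP user -> per-user policy,
# and of what changes when the access-control decision is made from the
# decapsulated packet alone.  Nothing here is real IPsec/L2TP code; the
# binding tables and addresses are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class DecapsulatedPacket:
    sa_id: Optional[str]   # IPsec SA the packet was received on; None = arrived in cleartext
    l2tp_session: int      # session id read from the (now decrypted) L2TP header
    inner_src: str         # source address of the IP packet carried inside PPP


# Constructed binding state (assumed for the model): one SA per L2TP session,
# one L2TP session per PPP-authenticated user, one policy per user.
SA_TO_L2TP: Dict[str, int] = {"sa-1": 101, "sa-2": 102}
L2TP_TO_USER: Dict[int, str] = {101: "alice", 102: "bob"}
USER_ALLOWED_SRC: Dict[str, set] = {"alice": {"10.0.1.5"}, "bob": {"10.0.2.7"}}


def decide_with_binding(pkt: DecapsulatedPacket) -> Tuple[bool, str]:
    """Decision that keeps the packet tied to the SA it was authenticated on.
    Each link of the chain is checked against the previous one, so the inner
    header is trusted only in the context of the SA that delivered it."""
    if pkt.sa_id is None:
        return False, "cleartext packet: no SA, so no authenticated user"
    session = SA_TO_L2TP.get(pkt.sa_id)
    if session is None:
        return False, f"unknown SA {pkt.sa_id}"
    if session != pkt.l2tp_session:
        return False, f"SA {pkt.sa_id} is bound to session {session}, not {pkt.l2tp_session}"
    user = L2TP_TO_USER[session]
    if pkt.inner_src not in USER_ALLOWED_SRC[user]:
        return False, f"{user} is not permitted to source {pkt.inner_src}"
    return True, f"{user} via {pkt.sa_id}/session {session}"


def decide_without_binding(pkt: DecapsulatedPacket) -> Tuple[bool, str]:
    """Decision made outside the IPsec module, from the inner header alone.
    The SA is no longer available, so the user is inferred from a field the
    sender chose; this is the 'unauthenticated inputs' case in the thread."""
    for user, sources in USER_ALLOWED_SRC.items():
        if pkt.inner_src in sources:
            return True, f"{user} (inferred from inner source address only)"
    return False, "no user owns this source address"


def run_cases() -> Dict[str, Tuple[bool, bool]]:
    """Return (bound decision, unbound decision) for a few constructed packets."""
    cases = {
        "alice on her own SA": DecapsulatedPacket("sa-1", 101, "10.0.1.5"),
        "alice's address on bob's SA": DecapsulatedPacket("sa-2", 102, "10.0.1.5"),
        "bob's SA, alice's session id": DecapsulatedPacket("sa-2", 101, "10.0.2.7"),
        "cleartext with alice's address": DecapsulatedPacket(None, 101, "10.0.1.5"),
    }
    return {name: (decide_with_binding(p)[0], decide_without_binding(p)[0])
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (bound, unbound) in run_cases().items():
        print(f"{name:32} bound={bound!s:5} unbound={unbound}")
```

Only the first case is accepted by both decision points. The other three are accepted when the decision is made from the inner header alone and rejected when the SA is still in hand, which is the whole of the point being argued: the binding has to survive until the moment the policy is applied, whether that moment is inside the IPsec module or in the L2TP/PPP layer that the 1:1 correlation hands it to.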