PPP over IPSec (Re: Windows 2000 and Cisco router interoperability)
"W. Mark Townsley" wrote:
>
> Let's talk facts again. On a highly scaled, high bandwidth system,
> header size becomes increasingly less important. Over slow dialup lines,
> of course, it is worthwhile to try and get the header as small as
> possible. Negotiate PPP ACFC and PFC, and you get 1 byte of PPP header.
> L2TP's typical header for a voluntary tunnel would be either 6 bytes, or
> perhaps even 1 byte if you perform l2tphc.
>
> 2 bytes (or even 7 bytes w/o l2tphc) of overhead for l2tp and ppp is
> small potatoes compared to ESP tunnel mode on each packet.
>
> Also, you get all sorts of nifty things that PPP is working on to reduce
> overhead. For instance, draft-ietf-pppext-pppmux-00.txt allows you to
> frame small packets into a single PPP frame. Given IPsec's large header,
> multiplexing small packets into a single frame before encrypting and
> tunneling could result in a *significant* header overhead reduction.
> Care to add that to IPsec's repertoire of features too?
>
I agree fully that having PPP for remote access provides
tangible benefits. Something like IPX transport would even be useful
in a gateway to gateway case. It would be very inefficient for IETF
to respecify everything for IPSec without PPP. (This is not to say
that some non-PPP, non-L2TP remote access solution should not be created.)

What I disagree with is putting L2TP between PPP and IPSec. So far
the only reason I've been offered for doing so is that PPP breaks if
the packets are re-ordered during transit. L2TP has a lot of functionality,
but it's all irrelevant if you just want to have a link where the IPSec
and PPP endpoints coincide. (Anyone wanting to do compulsory tunneling
would of course be free to use PPP/L2TP/IPSec.)

I would be very happy to see a standards track RFC that describes
a lightweight method for running PPP over IPSec, usable in a voluntary
tunneling case. The PPP over IPSec combination should be negotiable
through IKE, and IKE access controls should apply to whatever traffic comes
out of / goes into PPP, i.e. actual customer traffic.
--
Ari Huttunen phone: +358 9 859 900
Senior Software Engineer fax : +358 9 8599 0452
F-Secure Corporation http://www.F-Secure.com
F-Secure products: Integrated Solutions for Enterprise Security
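The header figures traded above (1-byte PPP header with ACFC/PFC, 6-byte L2TP header or 1 byte with l2tphc, ESP tunnel mode "on each packet", PPP multiplexing of small packets) can be put side by side for a concrete burst of packets. The following Python model is an added example and is not code from either poster, from F-Secure, or from any of the drafts mentioned. Its assumptions: IPv4 outer header without options; ESP with an 8-byte IV, 8-byte cipher block (3DES-CBC) and 12-byte ICV (HMAC-SHA1-96 / HMAC-MD5-96); the PPP and L2TP header sizes quoted in the thread; a PPP-mux sub-frame header as in RFC 3153 (the eventual form of draft-ietf-pppext-pppmux, so an assumption for the -00 draft): a 1-byte length field for sub-frames under 64 bytes, 2 bytes otherwise, plus a 1-byte protocol field. The UDP header L2TP normally rides on is not counted, to match the thread's numbers. All function names and the sample burst are constructed for this example.

```python
"""Per-packet overhead of PPP / L2TP / ESP tunnel-mode stacks.

Added example, not from the thread.  Constructed figures: IPv4 header without
options, ESP with 8-byte IV and 8-byte cipher block (3DES-CBC) and a 96-bit ICV.
PPP and L2TP header sizes default to the values quoted in the thread.  The
PPP-mux sub-frame header follows RFC 3153 (assumption for draft -00).  The UDP
header under L2TP is deliberately not counted, as in the thread's figures.
"""

IPV4_HDR = 20      # outer IPv4 header added by ESP tunnel mode, no options
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_96 = 12        # truncated 96-bit integrity check value

PPP_ACFC_PFC = 1   # PPP header with address/control and protocol field compressed
L2TP_HDR = 6       # minimal L2TP data header: flags/version, tunnel id, session id
L2TP_HC = 1        # L2TP header compression (l2tphc), as quoted in the thread


def esp_padding(plaintext_len: int, block: int = 8) -> int:
    """Padding ESP inserts so payload + padding + trailer is a multiple of the cipher block."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def esp_tunnel_size(inner_len: int, block: int = 8, iv: int = 8, icv: int = ICV_96) -> int:
    """Bytes on the wire for one ESP tunnel-mode datagram carrying inner_len bytes."""
    return (IPV4_HDR + ESP_SPI_SEQ + iv + inner_len
            + esp_padding(inner_len, block) + ESP_TRAILER + icv)


def mux_subframe_hdr(payload_len: int, pid_len: int = 1) -> int:
    """PPP-mux sub-frame header: 6-bit length (14-bit via LXT when needed) plus protocol field.

    Assumption: RFC 3153 layout, protocol field compressed to one byte (PFC).
    """
    length_field = 1 if payload_len + pid_len < 64 else 2
    return length_field + pid_len


def wire_bytes(packet_sizes, ppp_hdr=PPP_ACFC_PFC, l2tp_hdr=0, mux=False, **esp):
    """Total bytes on the wire for a burst of inner IP packets sent through one stack.

    ppp_hdr=0 and l2tp_hdr=0 model plain ESP tunnel mode.  mux=True bundles the
    whole burst into a single PPP-mux frame: one PPP header, one ESP encapsulation.
    """
    if mux:
        frame = ppp_hdr + sum(mux_subframe_hdr(p) + p for p in packet_sizes)
        return esp_tunnel_size(l2tp_hdr + frame, **esp)
    return sum(esp_tunnel_size(l2tp_hdr + ppp_hdr + p, **esp) for p in packet_sizes)


def overhead_report(packet_sizes):
    """Bytes on the wire per stack; 'payload' is the inner IP total for reference."""
    return {
        "payload": sum(packet_sizes),
        "esp_tunnel": wire_bytes(packet_sizes, ppp_hdr=0),
        "ppp_over_esp": wire_bytes(packet_sizes),
        "ppp_l2tp_esp": wire_bytes(packet_sizes, l2tp_hdr=L2TP_HDR),
        "ppp_l2tphc_esp": wire_bytes(packet_sizes, l2tp_hdr=L2TP_HC),
        "pppmux_over_esp": wire_bytes(packet_sizes, mux=True),
    }


if __name__ == "__main__":
    acks = [40] * 10   # constructed burst: ten 40-byte TCP ACKs (IPv4, no options)
    for stack, size in overhead_report(acks).items():
        print(f"{stack:16s} {size:5d} bytes")
```

Two things fall out of running it on the ten-ACK burst. First, ESP's padding granularity masks small header differences: with an 8-byte block, adding a 1-byte PPP header or a 1-byte l2tphc header to a 40-byte packet changes nothing on the wire (96 bytes either way), while the uncompressed 6-byte L2TP header pushes each packet into the next block (104 bytes). Second, the fixed ESP cost of roughly 50 bytes per datagram is what dominates, so bundling the burst into one PPP-mux frame before ESP roughly halves the total (472 bytes versus 960), which is the reduction the quoted message is pointing at. Change `block` and `iv` to 16 to see the AES-CBC case.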