
RE: Windows 2000 and Cisco router interoperability



> From: W. Mark Townsley [mailto:townsley@cisco.com]
>
> Chris Trobridge wrote:
> >
> > The point is that with an IPSEC SA traffic is only allowed that matches the
> > selector for that SA.  In the access control case this means you can enforce
> > that anyone who connects via an IPSEC tunnel can only send or receive
> > datagrams associated with his client address.  This prevents him from
> > spoofing other clients or hosts and from receiving traffic not addressed to
> > him.
> >
> > The moment you tunnel L2TP through an SA IPSEC loses its ability to perform
> > this filtering.  Depending on whether 'extra' work has been done, once
> > IPSEC processing has been completed the L2TP layer will not know via which
> > SA a datagram was received, allowing a client to spoof other addresses.
>
> Why not?
>
> An SA protects an l2tp tunnel, which carries a PPP session, which
> performed user authentication and authorization. Such authorization is
> the basis for access control lists that can do a number of L3 checks on
> the traffic which PPP framed. Here, a direct correlation between a given
> SA, the authenticated user, and finally her authorization for the
> network.

I suppose this all hangs on the binding between the SA, L2TP tunnel and the
PPP session.  I can't claim to be particularly familiar with L2TP, but
comments made much earlier on the list suggested that L2TP tunnels aren't
tightly bound to IPSEC SAs.  At the time no one countered this view.  This
was seen to be a weakness that might allow datagrams from one SA to be
delivered to an L2TP tunnel end point associated with a different SA.

> ISPs and enterprises have been doing filter checks on incoming PPP
> encapsulated data for years. The requirements for such have evolved
> considerably over this time. I doubt that they want to toss this
> functionality out the door and I cannot blame them.

Given that PPP wasn't required or even present in the first place, I can't
see how you can make comments about throwing functionality out of the door!
The basis this list has been working on is that IP datagrams are tunnelled
from the client to the private network using tunnelling IPSEC-ESP.

Chris
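The selector argument in this exchange, as an added model that is not part of the original message: a tunnel-mode ESP SA whose selector is the client address rejects a spoofed inner source at the IPsec inbound check, whereas an SA protecting L2TP only matches the outer L2TP/UDP flow, so the IP source inside the PPP frame is only caught if the L2TP/PPP layer is told which SA delivered the datagram (the 'extra work' above). Addresses, SPIs and the packet layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SA:
    spi: int
    mode: str                # "tunnel" (ESP carrying IP) or "transport" (ESP protecting L2TP)
    client: str              # the single client address this SA's selector admits (constructed)

@dataclass(frozen=True)
class Datagram:
    src: str                 # IP source visible to IPsec after ESP processing
    proto: str               # "ip" or "l2tp" (UDP/1701 carrying a PPP-framed IP packet)
    inner_src: Optional[str] = None   # IP source inside the PPP frame (l2tp only)

def ipsec_inbound_check(sa: SA, dg: Datagram) -> bool:
    """Inbound selector check: the decapsulated packet must match the SA selector.
    Tunnel mode: the selector is the client address, so a spoofed source fails here.
    Transport mode protecting L2TP: the selector covers only the L2TP/UDP flow; the
    IP header inside the PPP frame is never seen by IPsec."""
    if sa.mode == "tunnel":
        return dg.proto == "ip" and dg.src == sa.client
    return dg.proto == "l2tp" and dg.src == sa.client

def deliver(sa: SA, dg: Datagram, bind_sa_to_session: bool) -> str:
    """L2TP/PPP layer. Without the extra binding the PPP-framed source is forwarded
    as-is; with it, the inner source is compared against the SA's client address."""
    if not ipsec_inbound_check(sa, dg):
        return "dropped by IPsec selector"
    if dg.proto == "l2tp" and bind_sa_to_session and dg.inner_src != sa.client:
        return "dropped by PPP access filter"
    return "forwarded"

# Constructed sample: the client holding 10.0.0.5 tries to send as 10.0.0.9.
TUNNEL_SA = SA(spi=0x1001, mode="tunnel", client="10.0.0.5")
L2TP_SA = SA(spi=0x1002, mode="transport", client="10.0.0.5")

def scenarios() -> dict:
    spoof_ip = Datagram(src="10.0.0.9", proto="ip")
    spoof_l2tp = Datagram(src="10.0.0.5", proto="l2tp", inner_src="10.0.0.9")
    honest_l2tp = Datagram(src="10.0.0.5", proto="l2tp", inner_src="10.0.0.5")
    return {
        "tunnel_mode_spoof": deliver(TUNNEL_SA, spoof_ip, False),
        "l2tp_spoof_unbound": deliver(L2TP_SA, spoof_l2tp, False),
        "l2tp_spoof_bound": deliver(L2TP_SA, spoof_l2tp, True),
        "l2tp_honest_bound": deliver(L2TP_SA, honest_l2tp, True),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```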