
Re: PPP over IPSec (Re: Windows 2000 and Cicsco router interoperability)



I've been asking this question elsewhere, but all the action seems to be
here. That being the case, I'll jump threads. I'm trying to objectively
determine the benefits (and drawbacks) of accepting l2tp/ipsec as a
remote access solution. I'm also interested in whether there are any
other non-rmt-access benefits.

Clearly, folks who have been working on l2tp (and ppp) for years feel
quite strongly about this, but strongly-held views are only helpful here
when backed up with objective reasoning. That's what I'm after.

The point has been made that some sort of aaa infrastructure has been
deployed for dial-up users, and that customers should not be asked to
discard this. Please clarify what components would be discarded if we do
not use l2tp. For example, I know of several ipsec vendors who implement
some sort of radius interaction without using either ppp or l2tp, so it
seems that radius investments are not necessarily in jeopardy here.
Please address this.

Secondly, in response to overhead concerns, the point has been made that
there are various header compression schemes available in ppp/l2tp which
mitigate this. While this response addresses the on-the-wire overhead to
some extent, it ignores the additional packet processing overhead and
complexity that wrapping the packets in 2 more protocols (all the while
doing header compression) entails. Please address this.

Finally, in response to the security issues raised by obscuring the
transit selectors from the ipsec machinery, the argument has been made
that ppp provides all the necessary protections. However, this is not
all that reassuring, and conjures up images of the left hand not knowing
what the right hand is doing. Please elaborate a bit on how this
mechanism provides comparable assurance to one where ipsec is employed
alone.

Scott

