
Re: PPP over IPSec (Re: Windows 2000 and Cisco router interoperability)



On Wed, 17 May 2000, Scott G. Kelly wrote:
> > L2tp gives you all those for free via PPP. I see no reason to reinvent them
> > in IKE/IPSEC and clutter the rfc's and the already complex code.
> 
> Free? It seems like implementing ppp and l2tp, and then encapsulating
> transit traffic in this, and then encapsulating all that in udp prior to
> encapsulating *that* in ipsec is far from free.
> 
I suppose. I'm looking at it from the perspective of one who simply leverages
what the l2tp and PPP groups have written. Hooking it in is mostly free for
me (guilty as charged ;). As I mentioned in private email, I'm sure there are
implementations for l2tp and PPP out there, either freeware or something you
can buy from some company and integrate into your code. I doubt you'd write
it from scratch.  Hooking the two together isn't hard, although some of the
'l2tp needs to know about the SA' issues need to be addressed, which are part
of the 'glue' to put the two together (and part of the l2tp security draft
which Mark mentioned).

I'm also looking at it from the point of view of someone who used to work in
the AAA group, so I have a fair amount of experience trying to fit the AAA
framework into yet another application (not painless at all, and I don't
think it's because of our implementation; it's mostly to do with semantics of
the radius attributes). I also wrote our xauth implementation, which was a
hairy experience, and I know PPP somewhat (not too well, though). So much for
my resume ;)

Based on all that, I hate xauth, and I like PPP for this stuff. I'm sorry I
can't make a better argument than that. I guess some of it is gut-feel.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847