
Re: PPP over IPSec (Re: Windows 2000 and Cisco router interoperability)



Skip,

>  > Finally, in response to the security issues raised by obscuring the
>  > transit selectors from the ipsec machinery, the argument has been made
>  > that ppp provides all the necessary protections. However, this is not
>  > all that reassuring, and conjures up images of the left hand not knowing
>  > what the right hand is doing. Please elaborate a bit on how this
>  > mechanism provides comparable assurance to one where ipsec is employed
>  > alone.
>
>There are certainly two camps here and it almost becomes a religious
>discussion.
>My argument has always been that protecting L2TP with IPsec provides the same
>level of security which our customers have today with their traditional
>networks. If I have an IPsec SA set up between two peers (A and B), and the
>traffic which is protected between us is A <-> B, UDP, port 1701, 1701 then the
>only traffic which L2TP should *ever* see is traffic which arrived from that SA.
>Otherwise it should have been dropped when performing the inbound filtering
>checks by IPsec.  This statement requires no binding between L2TP and IPsec!

I'm confused by this explanation.  IPsec used with L2TP operates in 
transport mode, and it is the inner IP header (carried above L2TP) 
that determines the ultimate destination for the received packet. 
IPsec at the receiver does not see that header, because it is 
operating in transport mode. So, what IPsec filtering at which end do 
you assert is providing the check you cite above?


>Now if I want to limit the type of traffic I allow my peer to send into my
>network, I can apply filters to the PPP interface as has been traditionally done
>by our customers.  They understand how this should be done and how to audit this
>as well.  Additionally, at least for Cisco, they can get these filters on a per
>user basis as part of their authorization information obtained from the AAA
>server.  The additional point which can be made is that the traditional firewall
>filters which can be applied to a PPP interface are much more robust than what
>typically can be applied to IPsec packet filter statements.

In what ways are the filters applied at the PPP interface "more 
robust?" For example, do these filters examine other parts of the 
packet?

Steve
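The two filtering points the thread argues about, modelled in Python as an added example (this is not code from either poster or from any Cisco or Windows implementation). The receiver B first runs the IPsec inbound selector check, which in transport mode sees only the outer IP/UDP header and the SA the packet was decapsulated from; the inner IP header carried inside L2TP/PPP is then subject to a separate PPP-interface access list. The peer addresses, SPI, inner prefixes and filter rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Inner:
    """IP header carried inside L2TP/PPP (what the PPP-interface filter sees)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Outer:
    """Outer IP/UDP header plus the SA the packet arrived on (what IPsec sees)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    spi: Optional[int]   # SPI of the inbound SA that decapsulated it; None = arrived in cleartext
    inner: Inner


# Constructed SA between peers A (10.0.0.1) and B (10.0.0.2), protecting UDP 1701 <-> 1701.
SA_SPI = 0x1000
SA_SELECTOR = ("10.0.0.1", "10.0.0.2", "udp", 1701, 1701)


def ipsec_inbound_check(pkt: Outer) -> bool:
    """Inbound selector check at B.  In transport mode only the outer header is
    visible, so pkt.inner plays no part in this decision."""
    if pkt.spi != SA_SPI:
        return False                      # cleartext L2TP, or wrong SA: drop
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) == SA_SELECTOR


# Constructed PPP-interface access list at B, first match wins.
# Each rule: (action, src network, dst network, proto or "any", dport or None)
PPP_FILTER = [
    ("permit", "192.168.5.0/24", "192.168.1.0/24", "tcp", 443),
    ("permit", "192.168.5.0/24", "192.168.1.0/24", "udp", 53),
    ("deny",   "0.0.0.0/0",      "0.0.0.0/0",      "any", None),
]


def ppp_filter(inner: Inner) -> bool:
    """Evaluate the inner IP header against the PPP-interface access list."""
    src = ipaddress.ip_address(inner.src)
    dst = ipaddress.ip_address(inner.dst)
    for action, src_net, dst_net, proto, dport in PPP_FILTER:
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if proto != "any" and proto != inner.proto:
            continue
        if dport is not None and dport != inner.dport:
            continue
        return action == "permit"
    return False                          # implicit deny


def receive(pkt: Outer) -> str:
    """Full inbound path at B: IPsec selector check, then PPP-interface filter."""
    if not ipsec_inbound_check(pkt):
        return "dropped-by-ipsec"
    if not ppp_filter(pkt.inner):
        return "dropped-by-ppp-filter"
    return "forwarded"


# Constructed sample packets.
GOOD_INNER = Inner("192.168.5.20", "192.168.1.10", "tcp", 443)
BAD_INNER = Inner("192.168.5.20", "192.168.2.10", "tcp", 22)

ON_SA = Outer("10.0.0.1", "10.0.0.2", "udp", 1701, 1701, SA_SPI, GOOD_INNER)
CLEARTEXT = Outer("10.0.0.1", "10.0.0.2", "udp", 1701, 1701, None, GOOD_INNER)
ON_SA_BAD_INNER = Outer("10.0.0.1", "10.0.0.2", "udp", 1701, 1701, SA_SPI, BAD_INNER)

if __name__ == "__main__":
    for name, pkt in [("on SA", ON_SA),
                      ("cleartext", CLEARTEXT),
                      ("on SA, inner denied", ON_SA_BAD_INNER)]:
        print(f"{name:22s} ipsec={ipsec_inbound_check(pkt)!s:5s} -> {receive(pkt)}")
```

The third sample packet is the case both posters are circling: it passes the IPsec check (the outer header and SA are exactly what the selectors require) and is only stopped because the PPP-interface list inspects the inner header. The IPsec policy alone says nothing about which inner hosts or ports the peer may reach.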


