
RE: Windows 2000 and Cisco router interoperability



At 11:18 PM -0700 5/16/00, CHINNA N.R. PELLACURU wrote:
>"Several folks have suggested that one might choose to enforce access
>control at the IP layer, but not in the context of IPsec, e.g., by
>passing SA info to a separate firewall for post IPsec checking.  If
>the firewall is part of the same device as the IPsec module, then this
>can be effected in a local fashion that would be consistent with
>2401, as the management interface for the combined firewall/SG would
>have the necessary properties."
>
>That pretty much sums up, what I was trying to say.

Then you did so in a very inarticulate fashion.

>  If you lose
>granularity of access control because you are tunneling traffic in L2TP
>and you are protecting L2TP with IPSec, we can still enforce access
>control outside of the context of IPSec, and let the trust/security flow
>from one module in the system to the other. The main benefit here is that
>we are leveraging services already provided by other modules in the
>system, and don't have to do everything in IPSec.

If the set of access control services is identical, or a superset, 
and if the internal bindings are correctly maintained, then I have no 
objection.

>I think that, this was the main point of contention when we started on
>this thread.
>
>If you feel that I am being paranoid of the letter x, I guess you are
>paranoid about the L2TP protocol, and the whole myth that
>L2TP=Microsoft+Cisco.

Myths almost always have a basis in fact :-).

Steve
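The two-module arrangement argued over above (IPsec selector checks at the SA, per-peer access control in a separate firewall module that is handed the SA binding) is easier to reason about with a small model. The following is an added example written for this page; it is not code from the thread, from Microsoft or Cisco, or from any IPsec implementation. Peer identities, addresses, the per-peer policy table and the packets are all constructed. It shows three things: an RFC 2401-style inbound check sees only the outer L2TP/UDP packet and so cannot tell hosts inside the tunnel apart; a firewall that consumes the SA binding can enforce that granularity; and a firewall keyed on inner addresses alone (the binding "not correctly maintained") accepts a spoofed inner source that the bound one rejects.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# L2TP runs over UDP port 1701 (RFC 2661); the IPsec SA protecting it is
# negotiated for that traffic only, so its selectors say nothing about the
# hosts whose IP packets ride inside the tunnel.
L2TP_PORT = 1701


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class SA:
    spi: int
    peer_id: str        # IKE-authenticated identity (constructed values below)
    peer_addr: str      # outer source address the SA was negotiated with
    proto: str          # selector: transport protocol
    port: int           # selector: destination port


@dataclass(frozen=True)
class Tagged:
    inner: Packet
    sa: Optional[SA]    # None models a lost SA-to-packet binding


def ipsec_inbound(sa: SA, outer: Packet, inner: Packet) -> Optional[Tagged]:
    """RFC 2401-style inbound check: the *outer* packet must match the SA's
    selectors. The decapsulated inner packet is opaque at this layer, so all
    IPsec can do is hand it onward tagged with the SA it arrived on."""
    if (outer.src, outer.proto, outer.dport) != (sa.peer_addr, sa.proto, sa.port):
        return None                      # selector mismatch: dropped by IPsec
    return Tagged(inner, sa)


# Constructed per-peer policy for the firewall module: the inner source
# network a peer may originate from, and the internal destinations it may reach.
POLICY = {
    "alice@example.test": (ip_network("10.1.0.0/24"), [ip_network("192.0.2.0/24")]),
    "bob@example.test":   (ip_network("10.2.0.0/24"), [ip_network("198.51.100.0/24")]),
}


def firewall_bound(tagged: Tagged) -> bool:
    """Post-IPsec access control that consumes the SA binding. Fails closed
    when the binding is missing or the peer has no policy entry."""
    if tagged.sa is None:
        return False
    rule = POLICY.get(tagged.sa.peer_id)
    if rule is None:
        return False
    src_net, dst_nets = rule
    src, dst = ip_address(tagged.inner.src), ip_address(tagged.inner.dst)
    return src in src_net and any(dst in n for n in dst_nets)


def firewall_naive(tagged: Tagged) -> bool:
    """Same rule table, but keyed on inner addresses alone: the SA binding is
    ignored, so any peer may claim any peer's inner source range."""
    src, dst = ip_address(tagged.inner.src), ip_address(tagged.inner.dst)
    return any(src in src_net and any(dst in n for n in dst_nets)
               for src_net, dst_nets in POLICY.values())


SA_ALICE = SA(0x1001, "alice@example.test", "203.0.113.5", "udp", L2TP_PORT)
SA_BOB = SA(0x1002, "bob@example.test", "203.0.113.9", "udp", L2TP_PORT)


def run_scenarios() -> dict:
    """Bob's tunnel carries (a) a legitimate packet and (b) a packet whose
    inner source is forged to sit in Alice's range. Both pass the IPsec
    selector check; only the binding-aware firewall tells them apart."""
    outer_bob = Packet("203.0.113.9", "192.0.2.1", "udp", L2TP_PORT)
    legit = Packet("10.2.0.5", "198.51.100.3", "tcp", 22)
    spoofed = Packet("10.1.0.7", "192.0.2.10", "tcp", 22)
    t_legit = ipsec_inbound(SA_BOB, outer_bob, legit)
    t_spoof = ipsec_inbound(SA_BOB, outer_bob, spoofed)
    return {
        "ipsec_accepts_spoofed": t_spoof is not None,
        "bound_legit": firewall_bound(t_legit),
        "bound_spoofed": firewall_bound(t_spoof),
        "naive_spoofed": firewall_naive(t_spoof),
        "lost_binding": firewall_bound(Tagged(spoofed, None)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The condition Steve states (identical or superset services, bindings correctly maintained) is what `firewall_bound` relies on: the peer identity reaches the firewall only because the IPsec module attaches the SA to every decapsulated packet. `firewall_naive` is the same rule set with that binding dropped, and it is enough for one authenticated peer to impersonate another inside the L2TP tunnel.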
