
RE: Windows 2000 and Cicsco (sic) router interoperability



Barney,

>So, you have communicated to the PPPEXT WG that PPP is worthless
>without detailed specification of the filtering behavior of a PPP
>device?  I truly do not understand why L2TP is the single target
>of your scorn.

PPP existed before IPsec and is used independent of IPsec.  Only when 
L2TP made use of IPsec, in a fashion that is not consistent with the 
model developed by the IPsec WG, did this become an issue.

>
>It is my strong impression, from years of reading RFCs and drafts,
>that the primary concern is bits on the wire, with internal operation
>specified only when it is required to ensure interoperability.

That impression is wrong, but it is a common one.  A protocol is NOT 
just the bits on the wire, it is also the processing (e.g., state 
machine) at each end of the wire.  Such "internal operation" is often 
necessary to ensure interoperability and to provide a well-defined 
semantics so that when a vendor says it implements the foo protocol, 
customers know what that means.

>Yes, a PPP/L2TP device should not forget what it knows about where
>a packet came from when deciding what filter rules to apply, just
>as an IPsec gateway should not echo decrypted packets out to random
>addresses, and guns should not be fired at one's feet.  Duh.

The difference is that the IPsec spec mandates what is to be done re 
access control, and thus provides a well-defined security semantics. 
The L2TP specs do not do this, but nonetheless claim equivalence. 
That's the difference.

Steve
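The point Steve is making, that the IPsec architecture mandates an inbound access-control step (a decrypted packet is checked against the selectors of the SA it arrived on and discarded on mismatch) while a tunnel device that decapsulates and then applies only a global filter has no such defined semantics, can be shown with a small model. The following is an added example written for this archive page, not code from the thread or from any PPP, L2TP or IPsec implementation; the SA database, the filter, the packet records and the "sa-branch-a"/"sa-branch-b" names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """An inner (decapsulated) IP packet plus the tunnel it arrived through."""
    src: str
    dst: str
    via_sa: Optional[str]  # name of the SA that delivered it; None if it arrived in clear


@dataclass(frozen=True)
class SecurityAssociation:
    """Inbound SA together with the traffic selectors it was negotiated for."""
    name: str
    inner_src: str  # CIDR the peer is allowed to originate
    inner_dst: str  # CIDR the peer is allowed to reach


# Constructed SA database: two branch tunnels, each permitted to originate
# traffic only from its own prefix.
SAD: Dict[str, SecurityAssociation] = {
    "sa-branch-a": SecurityAssociation("sa-branch-a", "10.1.0.0/16", "10.0.0.0/8"),
    "sa-branch-b": SecurityAssociation("sa-branch-b", "10.2.0.0/16", "10.0.0.0/8"),
}

# Constructed global filter of the kind a tunnel device might apply after
# decapsulation: "anything from the private range is fine".
GLOBAL_ALLOW = ip_network("10.0.0.0/8")


def selectors_match(sa: SecurityAssociation, pkt: Packet) -> bool:
    """True when the inner packet falls inside the SA's negotiated selectors."""
    return (ip_address(pkt.src) in ip_network(sa.inner_src)
            and ip_address(pkt.dst) in ip_network(sa.inner_dst))


def ipsec_inbound(pkt: Packet) -> str:
    """IPsec-architecture style inbound check: a decrypted packet is accepted
    only if its selectors match the SA it was decrypted from. Anything else
    is discarded, so the access control decided at SA setup carries through
    to every packet."""
    if pkt.via_sa is None:
        return "drop"  # policy requires protection; cleartext is not accepted
    sa = SAD.get(pkt.via_sa)
    if sa is None:
        return "drop"  # unknown SA
    return "forward" if selectors_match(sa, pkt) else "drop"


def tunnel_then_filter(pkt: Packet) -> str:
    """Model of a device that decapsulates, forgets which tunnel the packet
    came from, and then applies only a global address filter."""
    return "forward" if ip_address(pkt.src) in GLOBAL_ALLOW else "drop"


# Constructed inbound traffic: a legitimate packet per branch, one packet
# delivered through branch B's tunnel that carries a branch A source address,
# and one packet that arrived with no protection at all.
SAMPLE: List[Packet] = [
    Packet("10.1.4.20", "10.0.0.5", "sa-branch-a"),
    Packet("10.2.7.9", "10.0.0.5", "sa-branch-b"),
    Packet("10.1.4.20", "10.0.0.5", "sa-branch-b"),
    Packet("10.1.4.20", "10.0.0.5", None),
]


def compare(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run both models over the same packets; returns (packet, ipsec, tunnel-only)."""
    return [(p, ipsec_inbound(p), tunnel_then_filter(p)) for p in packets]


if __name__ == "__main__":
    for p, ipsec, tun in compare(SAMPLE):
        print(f"{p.src:>10} via {str(p.via_sa):12}  ipsec={ipsec:7}  tunnel-only={tun}")
```

The third and fourth sample packets are the ones that matter: the selector check ties the decision to the SA the packet was actually decrypted from, so both are discarded, whereas the global filter sees only a plausible source address and forwards them. Whether a given PPP/L2TP device behaves like the first function or the second is exactly what the thread says the L2TP specs leave unstated.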


