Re: PPP over IPSec (Re: Windows 2000 and Cisco router interoperability)
Skip,
Thanks for the clarification. Two observations:
- The fact that clients are happy with a current level of security is not a criterion for what we should be doing. These same clients are regularly the victims of a variety of attacks and complain about them, but often fail to see the connection between the "best practices" they employ and the residual vulnerabilities that are exploited. In the early 90s folks insisted that what was needed to prevent unauthorized access was better password management, e.g., longer passwords and more frequent changes. I pointed out that passive wiretapping was a viable attack, but the response was "but attackers don't do that, they just guess bad passwords" and thus the use of encryption is overkill. Then, when sniffers became widely available, there was a push to adopt one-time passwords. I pointed out the ability to engage in active wiretaps, including session hijacking, but the refrain was "but attackers aren't doing that, they're just sniffing" and thus the proposed use of encryption was still overkill. Now we have encrypted sessions via SSL and SSH, and people are back to using guessable passwords over these paths. When I suggest use of client certs to counter such attacks and more subtle DoS attacks, the response is, well, you can guess. The pattern is all too familiar.
- The set of filters you describe (without going into application layer proxies) sounds appropriate and more powerful than the stateless ones required by IPsec. So, IF there were an IETF standard that defined this set of filters and mandated support for them in PPP implementations, and IF the L2TP RFCs mandated integration of these filters with IKE SA negotiations and mandated local binding of SA info to inbound traffic to control these checks, THEN the result would seem to be an equivalent (or better) alternative to what IPsec provides in tunnel mode, WHEN the L2TP modules and the IPsec modules are contained in the same device. But, that's several IFs away from what we have now, and I think that justifies the criticisms I have leveled at claims that L2TP over IPsec provides equivalent security to native IPsec.
Steve