[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PPP over IPSec (Re: Windows 2000 and Cicsco routerinteroperability)

To: Skip Booth <ebooth@cisco.com>
Subject: Re: PPP over IPSec (Re: Windows 2000 and Cicsco routerinteroperability)
From: Stephen Kent <kent@bbn.com>
Date: Thu, 18 May 2000 20:45:33 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <Pine.GSO.4.10.10005181547310.17880-100000@uzura.cisco.com>
References: <Pine.GSO.4.10.10005181547310.17880-100000@uzura.cisco.com>
Sender: owner-ipsec@lists.tislabs.com

Skip,

Thanks for the clarification.  Two observations:

	- The fact that clients are happy with a current level of 
security is not a criteria for what we should be doing.  These same 
clients are regularly the victims of a variety of attacks and 
complain about them, but often fail to see the connection between the 
"best practices" they employ and the residual vulnerabilities that 
are exploited.  In the early 90s  folks insisted that what was needed 
to prevent unauthorized access was better password management, e.g., 
longer passwords and more frequent changes.  I pointed out that 
passive wiretapping was a viable attack, but the response was "but 
attackers don't do that, they just guess bad passwords" and and thus 
the use of encryption is overkill.  Then, when snifffers became 
widely available, there was a push to adopt one-time passwords. I 
pointed out the ability to engage in active wiretaps, including 
session hijacking, but the refrain was "but attacker aren't doing 
that, they're just sniffing" and thus the proposed use of encryption 
was still overkill.  Now we have encrypted sessions via SSL and SSH, 
and people are back to using guessable passwords over these paths. 
When I suggest use of client certs to counter such attacks and more 
subtle DoS attacks, the response is, well, you cam guess.  The 
pattern is all too familiar.

	- The set of filters you describe (without going into 
application layer proxies) sounds appropriate and more powerful than 
the stateless ones required by IPsec.  So, IF there were an IETF 
standard that defined this set of filters and mandated support for 
them in PPP implementations, and IF the L2TP RFCs mandated 
integration of these filters with IKE SA negotiations and mandated 
local binding of SA info to inbound traffic to control these checks, 
THEN the result would seem to be an equivalent (or better) 
alternative to what IPsec provides in tunnel mode, WHEN the L2TP 
modules and the IPsec modules are contained in the same device.  But, 
that's several IF's away from what we have now, and I think that 
justifies the criticisms I have leveled at claims that L2TP over 
IPsec provides equivalent security to native IPsec.

Steve

References:

Re: PPP over IPSec (Re: Windows 2000 and Cicsco router interoperability)

From: Skip Booth <ebooth@cisco.com>

Prev by Date: L2TP-IPSec features list
Next by Date: RE: Windows 2000 and Cicsco (sic) router interoperability
Prev by thread: Re: PPP over IPSec (Re: Windows 2000 and Cicsco router interoperability)
Next by thread: RE: PPP over IPSec (Re: Windows 2000 and Cicsco router interoperability)
Index(es):
- Main
- Thread