
RE: PPP over IPSec (Re: Windows 2000 and Cisco router interoperability)

Comment below.

> -----Original Message-----
> From:	Skip Booth [SMTP:ebooth@cisco.com]
> Sent:	Thursday, May 18, 2000 3:59 PM
> To:	Stephen Kent
> Cc:	ipsec@lists.tislabs.com
> Subject:	Re: PPP over IPSec (Re: Windows 2000 and Cicsco router
> interoperability)
> 
	<text deleted>

> > I'm confused by this explanation.  IPsec used with L2TP operates in 
> > transport mode, and it is the inner IP header (carried above L2TP) 
> > that determines the ultimate destination for the received packet. 
> > IPsec at the receiver does not see that header, because it is 
> > operating in transport mode. So, what IPsec filtering at which end do 
> > you assert is providing the check you cite above?
> 
> My point here was that PPP will only see traffic which was sent through
> the L2TP tunnel and thus protected by IPsec.  You are indeed correct that
> the inner IP address obtained through IPCP is not looked at by IPsec.
> However once the L2TP/PPP header has been removed, any inbound access
> lists tied to the PPP interface may be applied to the IP packet.  This
> effectively provides the same level of security our customers have today
> with their leased lines and dial-up connections, which they seem to be
> pretty happy with.
> 
Just a comment on scalability here. I see access control happening twice
in this model: one being the IPSec SA access control (i.e., only traffic
between the client's public IP address and the SGW/LNS IP address, for
protocol 1701, is allowed) and then the real access control (the inner IP
packet access control, associated with the PPP interface). While this may be
a non-issue for software-based filtering on the client side, for a high-end
SGW/LNS implementing thousands of access interfaces and making use of
hardware-based packet filtering devices, this potentially implies either
double the filter resources or half the number of interfaces. Granted, because
the IPSec SA filter is so simple in this case, it could potentially be done in
the SW side of the switching path. However, there would be some issues with
that as well.

Claudio.
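The two filtering stages discussed in this exchange, modelled in Python as an added example (this is not code from the thread, from Cisco or from any L2TP/IPsec implementation). Stage 1 is the transport-mode SA selector on the outer packet (client public address to SGW/LNS address, UDP 1701); stage 2 is the inbound access list on the PPP interface, applied to the inner IP packet only after the L2TP/PPP headers have been stripped. The addresses, the access list and the sample packets are constructed for the illustration; the point it makes visible is that an inner-header problem (for example a source address that does not match the IPCP-assigned one) can only be caught by the second stage, which is exactly why the second filter cannot be dropped.

```python
# Added example (not from the mailing-list thread): a model of the two
# access-control stages for L2TP over IPsec in transport mode.  Stage 1 is
# the IPsec SA selector on the outer packet; stage 2 is the inbound access
# list on the PPP interface, applied to the inner IP packet.  All addresses
# and rules below are constructed for the illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "udp", "tcp" or "icmp"
    dport: int = 0  # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    src: str        # source prefix in CIDR notation
    dst: str        # destination prefix in CIDR notation
    proto: str      # protocol name, or "any"
    dport: int = 0  # destination port, or 0 for any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))


def evaluate(rules, pkt: Packet) -> str:
    """First-match access list with an implicit deny at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def sa_selector(client_public: str, lns: str):
    """Stage 1: the simple selector of the transport-mode SA carrying L2TP."""
    return [Rule("permit", f"{client_public}/32", f"{lns}/32", "udp", 1701)]


# Stage 2: inbound access list bound to the client's PPP interface (constructed).
# The client was assigned 10.1.2.3 via IPCP; internal servers live in 10.0.0.0/8.
PPP_INBOUND_ACL = [
    Rule("permit", "10.1.2.0/24", "10.0.0.0/8", "tcp", 443),
    Rule("permit", "10.1.2.0/24", "10.0.0.0/8", "icmp"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]


def process(outer: Packet, inner: Packet, sa_rules, ppp_rules):
    """Return (verdict, stage): which stage decided the fate of the packet.

    The SA stage sees only the outer header.  The inner packet is examined
    only after IPsec and L2TP/PPP decapsulation, so an inner address that
    does not belong to the client is caught by the PPP-interface ACL alone.
    """
    if evaluate(sa_rules, outer) != "permit":
        return ("drop", "ipsec-sa")
    if evaluate(ppp_rules, inner) != "permit":
        return ("drop", "ppp-acl")
    return ("forward", "ppp-acl")


def demo():
    """Run four constructed packets through both stages and collect verdicts."""
    sa = sa_selector("203.0.113.10", "198.51.100.1")
    good_outer = Packet("203.0.113.10", "198.51.100.1", "udp", 1701)
    return {
        # legitimate HTTPS from the IPCP-assigned address
        "https": process(good_outer, Packet("10.1.2.3", "10.0.0.5", "tcp", 443),
                         sa, PPP_INBOUND_ACL),
        # telnet is not permitted by the PPP-interface ACL
        "telnet": process(good_outer, Packet("10.1.2.3", "10.0.0.5", "tcp", 23),
                          sa, PPP_INBOUND_ACL),
        # wrong outer source: rejected by the SA selector, inner never examined
        "bad_peer": process(Packet("203.0.113.99", "198.51.100.1", "udp", 1701),
                            Packet("10.1.2.3", "10.0.0.5", "tcp", 443),
                            sa, PPP_INBOUND_ACL),
        # inner source not assigned to this client: invisible to the SA stage,
        # dropped by the PPP ACL
        "wrong_inner": process(good_outer, Packet("192.168.9.9", "10.0.0.5", "tcp", 443),
                               sa, PPP_INBOUND_ACL),
    }


if __name__ == "__main__":
    for name, (verdict, stage) in demo().items():
        print(f"{name:12s} -> {verdict} (decided at {stage})")
```

Running the block prints one line per sample packet with the stage that decided it. The SA selector is a single rule per tunnel, which is the observation behind the suggestion that it could live in the software path, while the per-interface ACL is where the real policy (and the hardware filter budget) sits.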