RE: Windows 2000 and Cisco router interoperability
Glen,
>Stephen Kent [mailto://kent@bbn.com] writes:
>
> > >Mark,
> >
> >
> >
> > >Ah, but the binding is not lost. As I have said to you and on this list
> > >before, there is a 1:1 correlation between the SA, the l2tp session, the
> > >"user-authorized" PPP session, and thus the access control and policy
> > >for that user. This is key to the way l2tp+ipsec is intended to operate.
> > >If you wish, we could even include a section in the l2tp-security draft
> > >that spells this out in a more direct manner. The omission of this
> > >specific text is only due to the fact that it is so plainly obvious to
> > >those who have lived and worked in the traditional dialup space for
> > >years. Perhaps it is this kind of input we need, however, to ensure that
> > >we cover all points of reference.
> >
> > And, I have noted before, we have only the assurance of vendors on
> > this important security issue, because no RFCs specify how this is
> > done. Personally, I'm more comfortable with a standards-specified
> > approach to such security critical issues, rather than the assurances
> > I have received from the L2TP community that "well, everybody does
> > the right thing in their products and we all know it ..."
>
>Such assurances are unnecessary. In the final analysis, if security is
>important to customers, they will buy secure products and configure them
>correctly. If security isn't important to customers, no number of
>'standards-specified approaches' will have any effect.
We owe it to customers to create standards which, if met by vendors,
provide better security. I realize that this may not be the mind set
of some vendors, but I think it the IETF's approach to security
standards.
Steve