[unisog] Opinion on L2TP/IPSEC?

Clark Gaylord cgaylord at vt.edu
Tue Sep 26 03:29:54 GMT 2006


On Mon, 25 Sep 2006 13:15:12 -0500, "Julian Y. Koh"
<kohster at northwestern.edu> said:
> At 13:37 -0400 09/25/2006, Gary Flynn wrote:
> >We're considering enabling L2TP on our VPN concentrator to enable
> >Windows Mobile devices to connect without the need to purchase an
> >IPSEC client.
>
> The Windows (including PocketPC Windows) L2TP client actually rides on
> top of IPSec (don't confuse the real IPSec with MS' co-opted IPSec
> term).  So the security level should be fine.

I love MS bashing as much as the next guy, but this is not accurate. The
MS IPsec implementation seems to be just fine and there are plenty of
people who can attest to successful compatibility w/ FreeSWAN or Cisco
IPsec implementations. What most people refer to as "ipsec" in the MS
world is just IP filtering, but the ESP/AH pieces seem to be fully
functional, as is the certificate based authentication.

You could actually be pedantic and say that using the term "IPsec" to
mean simple IP filtering is not incorrect: it is a null SA with a
transform of "block". :-)

To Gary's question, though, we finally decided "why bother?" after
running PPTP and L2TP+IPsec in parallel for three years with a grand
total of *three* regular L2TP users and hundreds of PPTP users. The
network layer cannot and should never be considered the appropriate
place for "security". The weaknesses of PPTP are a feature -- no one
would ever confuse it with real security -- and it is easier to set up
PPTP than L2TP+IPsec. Just don't let people use passwords they care
about -- again, real security can't happen there anyway -- all you can
hope for is best effort and it's fine for that. Also, PPTP successfully
traverses NAT much more often than IPsec.

For server-to-server communication, IPsec alone is not entirely useless;
for virtual dialup, you may as well shoot yourself and be done with it
rather than try to support any significant user base. To those who say
"why not just use IPsec alone" I ask what they do for AAA -- it isn't
impossible (especially w/ xauth), but I've not known anyone who actually
does it. Having said "network security is a non-sequitur", to the extent
it does exist it is equated with maybe-slightly-better-than-best-effort
traceability. Non-proprietary IPsec-based solutions are usually
completely devoid of useful authorization and accounting. Using a
PPP-based solution gives you a huge wealth of (mostly RADIUS-based)
options.

--ckg