Security Basics mailing list archives

RE: IPSec vs. IPSec/L2TP


From: Mark Lewis <mark () mjlnet com>
Date: Tue, 12 Apr 2005 10:21:29 +0100

From: "Ghaith Nasrawi" <libero () aucegypt edu>
To: "security-basics" <security-basics () securityfocus com>
Subject: RE: IPSec vs. IPSec/L2TP
Date: Mon, 11 Apr 2005 01:07:03 +0000

The reason people use L2TP is due to the need to provide a login mechanism to users. IPSec by itself is meant to be a tunneling protocol in a gateway-to-gateway scenario (there are still two modes, tunnel mode & transport mode).

Noooooooo....L2TP is not required to provide a login mechanism. Although standard IKE phase 1 provides device authentication (via pre-shared keys/certificates/encrypted nonces), mechanisms such as Extended Authentication (XAuth, see http://www.watersprings.org/pub/id/draft-beaulieu-ike-xauth-02.txt) can be used to provide user authentication via a login. XAuth can take place between IKE phases 1 and 2.

Also, L2TP itself does not provide any user login
authentication at all - L2TP only allows optional
authentication for tunnel endpoints (the LAC and LNS). Any
user authentication is provided by PPP which runs over L2TP.

Hope that helps,

Mark

CCIE#6280 / CCSI#21051 / JNCIS#121 / etc.

Author: http://www.amazon.com/exec/obidos/ASIN/1587051044/
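An added example (not from the thread or its authors) showing the two designs Mark contrasts side by side: plain IPsec with XAuth user login between IKE phase 1 and 2, versus L2TP/IPsec where the IPsec layer authenticates only the endpoints and the user login happens in PPP. It assumes strongSwan (ipsec.conf/ipsec.secrets) and pppd as the tooling, and the networks, usernames and secrets are constructed samples.

```ini
# --- /etc/ipsec.conf (strongSwan, IKEv1) -- assumed tooling, not from the thread ---
config setup

# Design 1: IPsec only. Phase 1 authenticates the *device* with a PSK;
# XAuth (rightauth2) then authenticates the *user* before phase 2 runs.
conn xauth-psk
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=10.0.0.0/24        # constructed sample network
    leftauth=psk
    right=%any
    rightauth=psk                 # device/endpoint authentication
    rightauth2=xauth              # user login checked between phase 1 and phase 2
    rightsourceip=10.0.1.0/24     # constructed client pool
    auto=add

# Design 2: L2TP/IPsec. Transport-mode IPsec protects UDP/1701 only;
# nothing here identifies the user -- that is PPP's job inside the tunnel.
conn l2tp-ipsec
    keyexchange=ikev1
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    leftauth=psk
    right=%any
    rightprotoport=17/%any
    rightauth=psk                 # endpoint authentication only
    auto=add

# --- /etc/ipsec.secrets (constructed values) ---
# : PSK "constructed-gateway-psk"
# alice : XAUTH "constructed-xauth-password"     # used only by conn xauth-psk

# --- /etc/ppp/options.xl2tpd (pppd, used only by the L2TP design) ---
# require-mschap-v2      # the user login for L2TP/IPsec lives here, in PPP
# refuse-pap
# refuse-chap
# --- /etc/ppp/chap-secrets (constructed values) ---
# alice    *    "constructed-ppp-password"    *
```

In the first design, dropping `rightauth2=xauth` leaves a tunnel that anyone holding the shared PSK can bring up with no per-user identity, which is the gap the thread is describing.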

