From: RFC 2661 - http://www.ietf.org/rfc/rfc2661.txt

9.2 Packet Level Security

   Securing L2TP requires that the underlying transport make available
   encryption, integrity and authentication services for all L2TP
   traffic.  [snip] As such, L2TP is only concerned with confidentiality,
   authenticity, and integrity of the L2TP packets between its tunnel
   endpoints[snip]

So....bearing in mind that I only just read the RFC then and am not an
experienced L2TP implementor, I'd say this:

L2TP is basically a PPP extender. What _that_ means is that it takes a
connection that you would have made to your home dialin server and allows
that connection to be made to a different box while still giving you the
illusion that you're connected to your home box. But you knew that.

L2TP does support hiding of "Attribute Value Pairs" (AVPs) and uses MD5 and
a shared secret to do so. As with all MD5 hashing stuff this is vulnerable
to chosen plaintext attacks. This means that if someone can guess the L2TP
shared secret they can break the encryption and get your sensitive AVP. This
encryption is only really intended to hide sensitive AVPs (like individual
usernames and passwords).

The L2TP data messages don't appear to natively support any encryption,
which is as it should be - this is a layer 2 protocol and there are a
million choices for those who want to secure their upper-layer data.

As a service provider: you can run the L2TP packets through IPSec, thus
securing _all_ data that is using L2TP. 

As a simple user: you can run IPSec _inside_ the PPP session - this doesn't
require any support from your ISP. Heck, you can roll your own layer 3/4
protocol which supports your own weird and kooky encryption and run _that_
over the PPP session if you want - the choice is yours.

So basically, I think the answer to your question is probably no, it doesn't
support encryption in the sense I think you're after. As to the rider that
you're interested in Microsoft's implementation.....that's a whole different
story and I'm not even going to think about going there.

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  

> -----Original Message-----
> From: Geoff Nordli [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 24 June 2000 9:59 AM
> To: GNAC firewall list (E-mail)
> Subject: l2tp and encryption
> 
> 
> Could someone please clarify whether or not L2TP will
> support encryption?
> 
> I am really interested in the implementation that Microsoft
> uses.  I don't want to embed the L2TP into IPSEC.
> 
> thanks,
> 
> Geoff Nordli ALI, MCT, MCSE, Master CNE, CCA, A+
> G Nordli & Associates
> 430 Heron Pl.
> Nanaimo BC, V9T 4X7
> Phone: 250-714-4102
> E-mail: [EMAIL PROTECTED]
>  
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
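As an added illustration (not part of either message above), here is the RFC 2661 section 4.3 AVP hiding scheme that Ben describes, reimplemented in Python: the keystream is MD5 over the attribute type, the shared secret and the Random Vector AVP, so the only thing protecting a hidden value is the secret itself, and a wrong secret simply yields garbage. The attribute type 30 (Proxy Authen Name), the secret and the 16-byte random vector are assumed sample values.

```python
"""RFC 2661 section 4.3 AVP hiding, reimplemented for illustration."""
import hashlib
import os
import struct

BLOCK = 16  # MD5 digest length; hiding operates on 16-octet chunks


def _pad_block(attr_type: int, secret: bytes, rv: bytes) -> bytes:
    """b1 = MD5(A + S + RV): A is the 2-octet Attribute Type, S the secret."""
    return hashlib.md5(struct.pack("!H", attr_type) + secret + rv).digest()


def hide_avp(attr_type: int, secret: bytes, rv: bytes, value: bytes) -> bytes:
    """Produce the Hidden AVP value: 2-octet length, value, random padding,
    then XOR each 16-octet chunk with a chained MD5 keystream."""
    clear = struct.pack("!H", len(value)) + value
    clear += os.urandom((-len(clear)) % BLOCK)      # pad to a chunk boundary
    hidden, b = b"", _pad_block(attr_type, secret, rv)
    for i in range(0, len(clear), BLOCK):
        c = bytes(x ^ y for x, y in zip(clear[i:i + BLOCK], b))  # c(i) = p(i) xor b(i)
        hidden += c
        b = hashlib.md5(secret + c).digest()         # b(i+1) = MD5(S + c(i))
    return hidden


def unhide_avp(attr_type: int, secret: bytes, rv: bytes, hidden: bytes) -> bytes:
    """Recover the original value; the receiving endpoint does exactly this."""
    if len(hidden) % BLOCK:
        raise ValueError("hidden value is not a multiple of 16 octets")
    clear, b = b"", _pad_block(attr_type, secret, rv)
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        clear += bytes(x ^ y for x, y in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    (orig_len,) = struct.unpack("!H", clear[:2])
    if orig_len > len(clear) - 2:
        raise ValueError("length field exceeds hidden payload")  # wrong secret or RV
    return clear[2:2 + orig_len]


def try_unhide(attr_type: int, secret: bytes, rv: bytes, hidden: bytes):
    """Return the recovered value, or None if the secret/RV do not match."""
    try:
        return unhide_avp(attr_type, secret, rv, hidden)
    except ValueError:
        return None


# Constructed sample values (not from the RFC or the thread).
SAMPLE_ATTR = 30                  # assumed: Proxy Authen Name AVP
SAMPLE_RV = bytes(range(16))      # Random Vector AVP value, normally random
SAMPLE_SECRET = b"tunnel-secret"
```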