From Ryan.Russell at sybase.com Sun Jun 6 23:21:32 1999
From: Ryan.Russell at sybase.com (Ryan Russell)
Date: Sun, 6 Jun 1999 20:21:32 -0700
Subject: [OpenSEC] [pptp-server] v0.8.9 released (fwd)
Message-ID: <88256789.00127856.00@gwwest.sybase.com>

---------------------- Forwarded by Ryan Russell/SYBASE on 06/06/99 08:20 PM ---------------------------

Matthew Franz on 06/07/99 06:14:22 PM

From matthewr at moreton.com.au Sun Jun 6 21:08:06 1999
From: matthewr at moreton.com.au (Matthew Ramsay)
Date: Mon, 07 Jun 1999 01:08:06 +0000
Subject: [pptp-server] v0.8.9 released
Message-ID:

Hiya all,

PoPToP v0.8.9 has been released! Grab a copy here:

http://www.moretonbay.com/vpn/download_pptp.html

This release has a *lot* of fixes from David and Peter. Many thanks to them.

Here's the ChangeLog:

v0.8.8 -> v0.8.9 7th June, 1999
- unified CTRL and GRE processes (removed pptpgre), without the vfork problem since this is not forking
- changed process name for child processes to pptpd [ip.address.here]
- moved INTERNAL_IP_ALLOCATION to a configure option (see configure --help)
- added support for libwrap tcp wrappers
- made sure pppd doesn't get copies of file descriptors it shouldn't, so it closes down properly
- ****lots**** of other misc fixes

Have fun!

-matt.

_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulte.org!

<----------------------------------------------------------------------->
OpenSEC: Open Security Solutions        Packet Storm Security
http://www.opensec.net                  http://www.genocide2600.com/~tattooman

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties.
If you wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
****************************************************************

From rgm at icsa.net Mon Jun 7 09:43:47 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Mon, 07 Jun 1999 09:43:47 -0400
Subject: IPSEC client for Linux?
In-Reply-To: <37582F08.DBCE78F1@compatible.com>
References:
Message-ID: <4.1.19990607093726.00c07100@homebase.htt-consult.com>

At 01:54 PM 6/4/99 -0600, Chris Volta wrote:

Although Compatible Systems supports IKE for key negotiation, they do not, as yet, have X.509 certificate support. So preshared secrets is the current mode. This is not so bad; many customers are not interested in certs initially, and although preshared secrets mode does have a man-in-the-middle attack, it is still quite hard.

Gateways can use Main mode with, I **think**, only IP address for identities.

Clients have to be supported via IKE Aggressive mode. This leaves the client's identity exposed; some feel this is bad, others do not care about the client's identity.

Also, with no RSA Sig support, getting those 10K clients connected will be a bit of admin work.

But the product looks good on paper. I did talk to them at N+I...

>
> Compatible Systems offers several hardware based VPN Servers that would meet
> your needs. The IntraPort Enterprise2 supports up to 10,000 simultaneous
> client connections, 128 LAN-LAN connections, and includes free, unlimited
> client software for Win 95, 98, NT, Macintosh, Solaris and Linux. All
> Compatible Systems products include a lifetime hardware warranty, lifetime
> overnight replacement policy, lifetime free software updates, and unlimited
> toll-free tech support.. Check out www.compatible.com

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

From rgm at icsa.net Mon Jun 7 09:48:06 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Mon, 07 Jun 1999 09:48:06 -0400
Subject: IPSEC client for Linux?
In-Reply-To: <37582669.F9EA486F@iname.com>
References:
Message-ID: <4.1.19990607094409.00beda60@homebase.htt-consult.com>

At 02:18 PM 6/4/99 -0500, C. Javier Castro Peña wrote:
>
>http://www.flora.org/freeswan
>

Note that this is the ONLY internationally developed (thus free of US export restrictions) IPsec/IKE implementation. It has undergone a fair amount of interop testing with many of the gateways. They have disabled the DES cypher, as John Gilmore (the financial backer, it seems, for freeswan) does not trust DES ;) It is easy to add DES support back in if you really want it.

They do not yet support X.509 certs, so Main Mode with preshared secrets is the method. They do support FQDN and rfc822Name identities along with IPaddress, as I recall.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished
if it doesn't matter who gets the credit
From twolsey at realtech.com Mon Jun 7 10:18:55 1999
From: twolsey at realtech.com (TC Wolsey)
Date: Mon, 07 Jun 1999 10:18:55 -0400
Subject: Question - What is a VPN?
Message-ID:

I will attempt to comment in-line, although my MUA makes this more difficult than it should be...:-)

>>> Kent Dallas 06/04/99 08:14PM >>>
[SNIP]
> control, your privacy still only extends to the weakest point in your
> implementation, but I believe that assessing your own weaknesses can
> be much less of a chore than assessing those of your provider.

Kent Dallas writes:

I agree with the "weakest link" argument, but disagree that a typical customer is better at assessing their security solution than a service provider SHOULD be. And for a couple of reasons:

1) The hardest mistake (or weakness) to find is the one that you have created. It is much easier to find fault in someone else's implementation than your own.

2) A typical customer is in some business other than information security. They are not likely to have the on-staff talent necessary to perform a solid security assessment. Service providers SHOULD have the on-staff talent of sufficient caliber to perform a solid security assessment.

3) A typical customer does not have any past experience in performing such an assessment. Service Providers SHOULD have learned from past mistakes, and can help a typical customer avoid common errors.

________> TC Wolsey

Yes, looking at my post now, I seemed to imply that an entity would be doing the assessment with their own resources. I agree with you regarding what _should_ be the case in terms of service providers, but if an entity cannot properly assess their implementation, then how can they properly assess a service provider's?
The point that I was driving at is that a private entity can disclose all information relevant to the implementation to those folks that are doing the assessment. They may, and probably will, be non-employees in the case of most enterprises. Is it reasonable to get the same level of disclosure from a service provider? If so, how are the customers of a provider notified if a detail relevant to the implementation changes? How quickly must a provider respond in the event that a new vulnerability is exposed in an implementation that was previously thought secure?

My point (I think there is one here someplace) is that outsourcing a VPN may turn out to require more management without a significant security benefit. I am not steadfastly opposed to outsourced VPNs, I just fear that they will be marketed and implemented in the same fashion as connectivity services. This is reasonable from the provider's standpoint, as they are (presumably) in business for profit, but could leave customers in a bad position. There are many metrics to assess the status of your outsourced connectivity (i.e. call completion, latency, uptime, so on, so on, ...) but not nearly so many to assess the ongoing status of a production VPN.

Service providers can also hack solutions that improve protocols or designs that are inherently flawed, thereby improving their performance or extending their useful lifetime. I do not think VPNs can be addressed in this manner - if the design or implementation is flawed, the security suffers, and hacking together fixes is no way to address the problem.
__________> TC Wolsey

> Three things that I like to see addressed in the privacy
> component of a VPN solution:
> Confidentiality - assurance that the information is not
> exposed to unauthorized parties
> Integrity - assurance that the information is not modified
> in transit b/w authorized parties
> Authentication - assurance that the information actually originated
> from authorized parties

Kent Dallas writes:

As I wrote in an earlier message on a different thread, "VPNs are not a security solution. But they can be a part of one." I would expect each of those components, plus three more, in any security solution. But my VPN does not have to provide all of them. The other three are:

Access Control - the ability to control access to resources on a selective basis
Non-repudiation - the sender cannot deny sending and the recipient cannot deny receiving
Availability - critical systems are resistant to attacks which limit their ability to perform

__________> TC Wolsey

Is non-repudiation necessary or practical when the VPN solution is deployed only b/w perimeter gateways? I like to see non-repudiation in some security designs, but not necessarily in a VPN solution. Availability is critical, and should have been part of my list. It will be next time :-)

__________> TC Wolsey

Access Control can also be described as Authorization, which was implied as a requirement in each of the original three components, so perhaps these are just two more. And it is not surprising that they are often omitted - few VPN solutions address them. IF your application could guarantee all of the above components, you wouldn't need to rely on your network to do it. There is certainly a market for adding security features to a network - but the market only exists because the appropriate security mechanisms are not in place where they should be, IMHO...

I agree with the posts of Suzette Szostwoski and Jay Wack.
> From: John Fulmer [john.d.fulmer at mail.sprint.com]
> Sent: Friday, June 04, 1999 9:27 AM
> Subject: Re: Question (fwd)
> AFAIK, common terminology is that "Virtual Private Network" implies an
> encrypted, encapsulated conduit (which, granted often may be turned off
> in any given implementation.) and 'tunnel' implies only an encapsulated
> conduit. Or, in other words, a VPN is an encrypted tunnel.

________> TC Wolsey

Crypto and encapsulation do not necessarily have to go together. Schemes where the crypto keys are communicated out-of-band and the encrypted messages do not carry the overhead of encapsulation may be feasible in some cases.

________> TC Wolsey

> Is there something wrong with this definition?

No, as long as you understand that it is your own creation, and not necessarily shared by everyone else. I think it would certainly be safe to state it the other way around: that an encrypted tunnel is a VPN. If you believe otherwise, you are taking a position that encryption is the only way to provide privacy (or confidentiality, whichever) - it isn't, and that tunnels are the only way to provide a virtual network - they aren't.

Regards,
Kent Dallas
From cvolta at compatible.com Mon Jun 7 19:09:08 1999
From: cvolta at compatible.com (Chris Volta)
Date: Mon, 7 Jun 1999 17:09:08 -0600
Subject: IPSEC client for Linux?
Message-ID:

Thanks Robert,

As a side note, Compatible Systems expects to release X.509 certificate support next month. However, we believe that RADIUS and/or SecurID is more practical for large enterprise VPN implementations in the near term, even for 10k's of users. Some of the Fortune 500 companies who have implemented our Enterprise VPN solutions simply use a SecurID user name (encrypted by our client) that is different from the IKE phase 1 identity. This allows their users to log in without exposing their identity.

Chris

>
>Although Compatible Systems supports IKE for key negotiation, they do not, as
>yet have X.509 certificate support. So preshared secrets is the current mode.
>This is not so bad, many customers are not interested in certs initially and
>although preshared secrets mode does have a man-in-the-middle attack, it is
>still quite hard.
>
>Gateways can use Main mode with I **think** only IP address for identities.
>
>Clients have to be supported via IKE Aggressive mode. This leaves the client's
>identity exposed; some feel this is bad, others do not care about the client's
>identity.
>
>Also with no RSA Sig support, getting those 10K clients connected will be a bit
>of admin work.
>
>But the product looks good on paper. I did talk to them at N+I...
>
>
>At 01:54 PM 6/4/99 -0600, Chris Volta wrote:
>>
>> Compatible Systems offers several hardware based VPN Servers that would meet
>> your needs.
>> The IntraPort Enterprise2 supports up to 10,000 simultaneous
>> client connections, 128 LAN-LAN connections, and includes free, unlimited
>> client software for Win 95, 98, NT, Macintosh, Solaris and Linux. All
>> Compatible Systems products include a lifetime hardware warranty, lifetime
>> overnight replacement policy, lifetime free software updates, and unlimited
>> toll-free tech support.. Check out www.compatible.com
>
>
>
>Robert Moskowitz
>ICSA, Inc.
> (248) 968-9809
>Fax: (248) 968-2824
>rgm at icsa.net
>
>There's no limit to what can be accomplished
>if it doesn't matter who gets the credit

Chris Volta
Channel Sales Manager
Compatible Systems
4730 Walnut Street
Boulder, CO 80301
Toll Free (800) 356-0283
Direct (303) 381-2872
Fax (303) 444-9595
http://www.compatible.com
cvolta at compatible.com

From eric_h at earthlink.net Tue Jun 8 15:19:22 1999
From: eric_h at earthlink.net (Eric Henriksen)
Date: Tue, 8 Jun 1999 12:19:22 -0700
Subject: Fw: Question (fwd)
Message-ID: <003501beb1e4$e005f820$02c8a8c0@eric.redcreek.com>

From eric_h at earthlink.net Tue Jun 8 12:02:00 1999
From: eric_h at earthlink.net (Eric Henriksen)
Date: Tuesday, June 08, 1999 12:02 PM
Subject: Question (fwd)
Message-ID:

>VPN means a lot of different things to different people. It's good that
>you have defined your terms clearly. Within the IPSec VPN recommendations,
>what you are referring to are ESP Tunnels.
>You could also use SSH, or PPTP, or L2TP encapsulating protocols combined with
>decent encryption to achieve this. With this, AT&T's VPNS does NOT qualify as a
>VPN, since they are merely providing access lists in edge routers that the
>customer has no management control over. Many other carriers/ISPs are not
>providing integrated VPNs at all, but rather are partnering with vendors like
>ourselves to create the solution (these include Cox, @Home, TGC/Cerfnet, etc).
>Also, while QoS is an essential requirement of corporate network services, it
>is not presently available across the Internet, only on the access links via
>various queue mgmt schemes. You may want to refer to one of the key players in
>bringing QoS to the network layer via MPLS:
>http://www.ennovatenetworks.com/mpls/index.htm
>This will, however, take some amount of time and cooperation by not just the
>vendors, but also the backbone Internet service providers to achieve this
>end-end with any reasonable coverage.
>
>Finally, it is the cost argument presented by the Internet that is offering IP
>VPNs the leverage and momentum they are enjoying over such connections over
>other more expensive backbones. Anyone who can add QoS and security to the
>public Internet will be justly rewarded.
>
>Eric Henriksen
>Field SE Manager,
>RedCreek Communications, Inc
>Tel 336 297-4544
>Fax 336 297-4644
>www.redcreek.com
>
>-----Original Message-----
>From: Sanjay Kaul
>To: Ryan Russell
>Cc: vpn at listserv.secnetgroup.com
>Date: Thursday, June 03, 1999 12:55 PM
>Subject: Re: Question (fwd)
>
>
>>Thanks for responding Ryan; let me clarify more...
>>
>>1. I do agree and believe that VPNs can be implemented on top of any
>>network... and, I agree with yr def of seeing some tunneling and encryption
>>in FR before calling them VPNs!
>>
>>2. I was reading a paper from Sprint; it says they offer Data VPNs that can
>>be on top of FRs, IP and ATMs. I hope their def of VPNs is the same as ours.
>>(i.e.
>>use of tunneling and encryption)
>>
>>3. My understanding is that the growth of VPN-based services will be
>>largely as IP-based networks. Companies such as AT&T have their own IP
>>backbones and they can offer VPN data services on this backbone. I believe
>>many telcos and large ISPs will use the Internet or their own IP backbones to
>>offer VPN-based services, since incorporating VPN technology basically
>>means tunneling, encryption, QoS, etc. Is this correct?
>>
>>Also, even if some companies say that VPNs can be deployed on top of any
>>network (such as ATM, FR, etc.), is it not correct that IP-VPN based
>>services will have the bulk of the market?
>>
>>Any comments?
>>
>>Sanjay
>>
>>Sanjay Kaul
>>Fuji-Keizai USA Inc.
>>Tel: 212.371.4812; Fax: 212.758.9040
>>http://www.fuji-keizai.com
From eric_h at earthlink.net Tue Jun 8 15:26:51 1999
From: eric_h at earthlink.net (Eric Henriksen)
Date: Tue, 8 Jun 1999 12:26:51 -0700
Subject: Question (fwd)
Message-ID: <003801beb1e4$e0e7cca0$02c8a8c0@eric.redcreek.com>

To be clear, various terms including the words 'virtual', 'private', and 'data' have been misused over the years by a number of carriers to represent collections of WAN services which are structured to be like dedicated data or voice networks, but may not have been. Sprint is included in this muddying of the waters in the interest of selling large integrated service contracts to corporate America.

Also, RedCreek has been using the term "Secure VPN" to distinguish between the misuses of "VPN" and what constitutes IPSec VPNs.

Eric Henriksen
Field SE Manager,
RedCreek Communications, Inc
Tel 336 297-4544
Fax 336 297-4644
www.redcreek.com

-----Original Message-----
From: John Fulmer
To: vpn at listserv.secnetgroup.com
Date: Thursday, June 03, 1999 3:32 PM
Subject: Re: Question (fwd)

>dgoldsmi at erols.com wrote:
>
>> If a company connects multiple offices
>> together via the Internet (Frame Relay, ISDN, analog lines, etc), then they
>> have a "virtual private network".
>
>This doesn't make any sense. If you have multiple offices connected via
>the internet without benefit of encryption, there is no 'private'
>whatsoever. Maybe you have a "VN". :)
>
>>
>> Vendors are now using the term "Secure VPN" for their products that involve
>> encryption and/or tunneling.
>
>Which vendors are using "Secure VPN" vs just VPN? I did a brief check
>with Lucent, Nortel and Cisco, and they all use standard "VPN"
>terminology.
>
>jf
>
>--
>John Fulmer
>Manager, Sprint Corporate Security

From tbird at secnetgroup.com Tue Jun 8 15:01:13 1999
From: tbird at secnetgroup.com (Tina Bird)
Date: Tue, 08 Jun 1999 14:01:13 -0500
Subject: Question (fwd)
Message-ID: <4.1.19990608135451.009929f0@mail.secnetgroup.com>

>Also, RedCreek has been using the term "Secure VPN" to distinguish between
>the misuses of "VPN" and what constitutes IPSec VPNs.
>
>Eric Henriksen

I've listened to the "what's a VPN" fray for as long as I can handle...

My only quibble with Eric, here, is that IPSec based VPNs do not typically perform strong >>user<< authentication, which is slightly different from certificate-based >host< authentication.

Most of my corporate customers are using VPN for remote access, and want the reassurance of a token-based user authentication system IN ADDITION TO the protection offered by certs or PKI.
So when >I< say "secure VPN," I mean:

    encryption
    user >and< host authentication
    packet integrity protection
    NAT or other mechanisms to hide my internal network

When I last evaluated the subscription VPN services (which was, admittedly, quite some time ago -- I've got this ridiculous prejudice against outsourcing my perimeter security), none of them came anywhere close to offering this level of protection.

Also please note that the FAQ addresses this issue:

http://kubarb.phsx.ukans.edu/~tbird/FAQ.html#Q3:

From dnewman at cmp.com Tue Jun 8 16:11:16 1999
From: dnewman at cmp.com (dnewman at cmp.com)
Date: Tue, 8 Jun 1999 16:11:16 -0400
Subject: Question (fwd)
Message-ID: <8525678A.006F0955.00@NotesSMTP-01.cmp.com>

Sometimes even user-level authentication isn't granular enough; it may also be desirable to authenticate specific applications or processes.

Example 1: An online banking app should authenticate the user *and* the application the user runs (so that the user runs only the banking app and not an nmap scan to find vulnerabilities on the bank's site).

Example 2: Automated ordering systems where some transactions are secure and others aren't--think of an assembly-line machine at a factory that tells suppliers when it needs to be refilled (a customer order, authentication required) and also monitors output, operating speed, temperature, etc. (monitoring functions, no authentication required).
dn

Tina Bird on 06/08/99 03:01:13 PM

From eric_h at earthlink.net Tue Jun 8 20:12:48 1999
From: eric_h at earthlink.net (Eric Henriksen)
Date: Tue, 8 Jun 1999 17:12:48 -0700
Subject: Question (fwd)
Message-ID: <00cb01beb20c$d330e060$02c8a8c0@eric.redcreek.com>

Excellent point. 'Strong Authentication' as is provided by the DH component of the IKE keying is strictly tied to the owner of the certificate, which is normally a gateway device or a host computer. 'Strong User Authentication' in this paradigm would require that the user have possession of the cert, vis-a-vis a smart card or one of the newly announced USB based token/cert products. This is neither commonly available, nor practical at this time. For this, we recommend using a RADIUS-based challenge-response mechanism that would be capable of challenging such token-based one time passwords. Much like a firewall would, the Ravlins would proxy the RADIUS login and present the challenge via dll on the client pc.

Regarding 'Message Integrity', that follows from the fact that the DES keys are generated based on seed information passed during ISAKMP Phase II plus the DH session keys. Additional per-packet authentication can be provided using one of the HMAC algorithms.

NAT is yet another issue not always handled by the VPN gateway, but rather by the firewall or access router. However, the ESP encapsulation of the private addresses into IP protocol 50 (ESP) packets that 'source' from the VPN gateway/peer to the 'destination' VPN gateway/peer would solve the Internet routability and address confidentiality problem.

Hope that helps.

-----Original Message-----
From: Tina Bird
To: vpn at listserv.secnetgroup.com
Date: Tuesday, June 08, 1999 12:45 PM
Subject: Re: Question (fwd)

>>Also, RedCreek has been using the term "Secure VPN" to distinguish between
>>the misuses of "VPN" and what constitutes IPSec VPNs.
>>
>>Eric Henriksen
>
>I've listened to the "what's a VPN" fray for as long as I can handle...
>
>my only quibble with Eric, here, is that IPSec based VPNs do not typically
>perform strong >>user<< authentication, which is slightly different from
>certificate-based >host< authentication.
>
>Most of my corporate customers are using VPN for remote access, and
>want the reassurance of a token-based user authentication system
>IN ADDITION TO the protection offered by certs or PKI. So when >I<
>say "secure VPN," I mean:
>
> encryption
> user >and< host authentication
> packet integrity protection
> NAT or other mechanisms to hide my internal network
>
>When I last evaluated the subscription VPN services (which was,
>admittedly, quite some time ago -- I've got this ridiculous
>prejudice against outsourcing my perimeter security), none of them
>came anywhere close to offering this level of protection.
>
>Also please note that the FAQ addresses this issue:
>
>http://kubarb.phsx.ukans.edu/~tbird/FAQ.html#Q3:
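The ESP mechanics Eric describes above (DES keys for confidentiality, an HMAC per packet for integrity, and an outer gateway-to-gateway header that keeps the private addresses off the wire), worked through as an added Go example; this is not code from the list, from RedCreek or from any vendor named in the thread. It uses only the Go standard library (single DES-CBC and HMAC-SHA1-96, the 1999-era suite), the keys and addresses are constructed constants, and anti-replay is simplified to a strictly increasing sequence number.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

const espProto = 50 // IP protocol number for ESP

// SA is the security association shared by the two gateways. IKE would derive
// the keys from Phase 2 seed material plus the DH secret; here the caller
// supplies constructed constants so the example runs offline.
type SA struct {
	SPI      uint32
	EncKey   []byte  // 8-byte single-DES key (DES-CBC), the 1999-era cipher the thread names
	AuthKey  []byte  // HMAC-SHA1 key; the ICV is the first 96 bits (HMAC-SHA1-96)
	OuterSrc [4]byte // gateway addresses, the only ones visible on the Internet path
	OuterDst [4]byte
	seqOut   uint32 // last outbound sequence number
	seqHigh  uint32 // highest inbound sequence number accepted
}

// IPv4Header builds a minimal 20-byte header (no options, checksum left zero).
func IPv4Header(src, dst [4]byte, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return h
}

// Encapsulate wraps a whole inner IP packet, private addresses included, in ESP
// tunnel mode: outer IP | SPI | Seq | IV | DES-CBC(inner | pad | padLen | next=4) | ICV.
func (sa *SA) Encapsulate(inner []byte) ([]byte, error) {
	block, err := des.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	sa.seqOut++
	padLen := (8 - (len(inner)+2)%8) % 8 // align inner plus 2 trailer bytes to the block size
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // monotonically increasing pad bytes
	}
	plain = append(plain, byte(padLen), 4) // next header 4 = IP-in-IP, i.e. tunnel mode
	iv := []byte{1, 2, 3, 4, 5, 6, 7, 8}  // fixed so the example is reproducible; use a fresh random IV in practice
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	esp := make([]byte, 8, 8+len(iv)+len(ct)+12)
	binary.BigEndian.PutUint32(esp[0:], sa.SPI)
	binary.BigEndian.PutUint32(esp[4:], sa.seqOut)
	esp = append(append(esp, iv...), ct...)
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(esp)
	esp = append(esp, mac.Sum(nil)[:12]...) // per-packet ICV over SPI, Seq, IV and ciphertext
	return append(IPv4Header(sa.OuterSrc, sa.OuterDst, espProto, len(esp)), esp...), nil
}

// Decapsulate checks the ICV first, then the sequence number, then decrypts, so a
// forged or modified packet never reaches the cipher or the replay state.
func (sa *SA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < 20+8+8+8+12 || pkt[9] != espProto {
		return nil, errors.New("not an ESP packet")
	}
	body, icv := pkt[20:len(pkt)-12], pkt[len(pkt)-12:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:12], icv) {
		return nil, errors.New("ICV mismatch: packet modified or forged")
	}
	// Simplified anti-replay (strictly increasing); real ESP keeps a sliding window.
	seq := binary.BigEndian.Uint32(body[4:])
	if seq <= sa.seqHigh {
		return nil, errors.New("replayed or stale sequence number")
	}
	sa.seqHigh = seq
	block, err := des.NewCipher(sa.EncKey)
	if err != nil || len(body[16:])%8 != 0 {
		return nil, errors.New("bad key or unaligned ciphertext")
	}
	plain := make([]byte, len(body)-16)
	cipher.NewCBCDecrypter(block, body[8:16]).CryptBlocks(plain, body[16:])
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if next != 4 || padLen > len(plain)-2 {
		return nil, errors.New("bad ESP trailer")
	}
	return plain[:len(plain)-2-padLen], nil
}
```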
From guy.raymakers at europe.eds.com Wed Jun 9 03:51:30 1999
From: guy.raymakers at europe.eds.com (guy.raymakers at europe.eds.com)
Date: Wed, 9 Jun 1999 08:51:30 +0100
Subject: IPsec tunnel set-up
Message-ID:

Hi,

I'm rather new to this VPN stuff, but I was asked to look at different products/protocols to build a VPN. Currently I'm doing some tests with a Nortel CES2000 and a Nortel Nautica 250. The IPsec protocol is working fine, but now I still have a question about the security aspect of this solution. Is there someone using the same setup (CES2000 and N250) that can tell me what authentication and encryption they use? Also, what is the experience with this product line?

Many Thanks,
Guy Raymakers
Belgium

From Barry.Schon at hbfuller.com Wed Jun 9 10:00:44 1999
From: Barry.Schon at hbfuller.com (Barry Schon)
Date: Wed, 09 Jun 1999 09:00:44 -0500
Subject: IPsec tunnel set-up
Message-ID:

>>>> 06/09 2:51 AM >>>
>Hi,
>
>I'm rather new to this VPN stuff, but I was asked to look at different
>products/protocols to build a VPN. Currently I'm doing some tests with a Nortel
>CES2000 and a Nortel Nautica 250. The IPsec protocol is working fine but now I
>still have a question about the security aspect of this solution.
>Is there someone
>using the same setup (CES2000 and N250) that can tell me what authentication and
>encryption they use? Also what is the experience with this product line?
>
>Many Thanks,
>Guy Raymakers
>Belgium

I am receiving today tomorrow from Nortel a CES1500 for testing purposes. I'd be happy to help after I have some time to take a look at something other than documentation. I am currently planning on using IPSec with ESP in Tunnel Mode (Triple DES/MD5 or just DES, depending on export restrictions), external RADIUS via Shiva Access Manager (internal LDAP groups), and the Contivity Extranet Client with iPass roaming services. I believe the security of this setup is good, and to get better you have to add token (host) based security like SecurID and/or PKI (the only one currently supported until v2.5 is Entrust), which we will be considering later. Also, centrally we'll have two CES4500s.

I'll know more of course once I get moving on our testing, but I'd be happy to keep in contact to share results.

Regards,
-Barry
H.B. Fuller VPN Project Lead

Barry Schon
Network Analyst
Corporate IT - Network Services/WAN
H.B. Fuller Company
1275 Grey Fox Rd.
Arden Hills, MN, USA 55112
barry.schon at hbfuller.com
Ph: +1 (651) 236-4114
Fax: +1 (651) 236-4444

From JohnN at review.com Wed Jun 9 09:50:23 1999
From: JohnN at review.com (John Nanas)
Date: Wed, 9 Jun 1999 09:50:23 -0400
Subject: Alternate connectivity VPN..
Message-ID: <8B5C596DA5D1D11193AB0000F840F872037EB45D@exchange.review.com>

Hi all-

Quick question, and I'll get out of your hair.

Has anyone had any experience with a low cost VPN device that has two Ethernet interfaces? Some of our end offices are dying to go with alternate connectivity types such as DSL and cable modem, but I'd like to keep the solution the same between all offices (which is impossible to do, since it seems that every service provider has his or her own router/modem).

I figured I could get a VPN router with two Ethernet interfaces and put it before the provider's modem in order to put the encryption into place (I'd prefer IPSec). I was looking at a Cisco 1720, but it doesn't offer two Ethernet interfaces. I was also looking into Cisco's 2624, but the encryption speed is very slow (I'd never get a full T out of it - right now they're spec'ing out 256 kb at 3-DES).

Anyone have any suggestions or good experiences they could share?

Thanks,
John Nanas
Network Systems Engineer
The Princeton Review

From dnewman at cmp.com Wed Jun 9 11:08:03 1999
From: dnewman at cmp.com (dnewman at cmp.com)
Date: Wed, 9 Jun 1999 11:08:03 -0400
Subject: Question (fwd)
Message-ID: <8525678B.005347EB.00@NotesSMTP-01.cmp.com>

Completely agree, TC. My point was simply that user-level authentication, by itself, may not be sufficient, just as host authentication isn't enough.
dn "TC Wolsey" on 06/09/99 11:12:19 AM From twolsey at realtech.com Wed Jun 9 11:12:19 1999 From: twolsey at realtech.com (TC Wolsey) Date: Wed, 09 Jun 1999 11:12:19 -0400 Subject: Question (fwd) Message-ID: > >Sometimes even user-level authentication isn't granular enough; it may also be >desirable to authenticate specific applications or processes. > >Example 1: An online banking app should authenticate the user *and* the >application the user runs (so that the user runs only the banking app and not an >nmap scan to find vulnerabilities on the bank's site). > >Example 2: Automated ordering systems where some transactions are secure and >others aren't--think of an assembly-line machine at a factory that tells >suppliers when it needs to be refilled (a customer order, authentication >required) and also monitors output, operating speed, temperature, etc. >(monitoring functions, no authentication required). > >dn > I agree that user-level authentication granularity may not be enough in all instances, but authentication may not be the solution to the problem either. In the examples above, I would think that authentication (presentation of valid credentials) is not as important as content validity (each discrete unit of information that the client sends is valid in context). This is no doubt a component of a secure infrastructure, but do you want this to be part of the VPN component? I believe that most current VPN offerings are geared towards providing some mix of confidentiality and integrity for information, but only for the during the time that information is exposed on the "public" transit medium. I think that this separation of confidentiality and integrity from content validity is a good idea as it allows trusted and non-trusted data streams to be muxed over the same communications channel. 
> > > > >Tina Bird on 06/08/99 03:01:13 PM > >To: vpn at listserv.secnetgroup.com >cc: >bcc: David Newman/NYC/CMPNotes >Subject: Re: Question (fwd) > > > > >>Also, RedCreek has been using the term "Secure VPN" to distinguish between >>the misuses of "VPN" and what constitutes IPSec VPNs. >> >>Eric Henriksen > >I've listened to the "what's a VPN" fray for as long as I can handle... > >my only quibble with Eric, here, is that IPSec based VPNs do not typically >perform strong >>user<< authentication, which is slightly different from >certificate-based >host< authentication. > >Most of my corporate customers are using VPN for remote access, and >want the reassurance of a token-based user authentication system >IN ADDITION TO the protection offered by certs or PKI. So when >I< >say "secure VPN," I mean: > > encryption > user >and< host authentication > packet integrity protection > NAT or other mechanisms to hide my internal network > In an environment where VPN peers are single user hosts, is there a significant difference b/w host and user authentication, other than where the credentials are stored? Would your customers feel better if the private keys that match the cert used for authentication could fit in their pocket? I know that my customers probably would, the most likely justification being that the exposure to theft is reduced. I am more concerned with the useful lifetime of the credentials used for authentication. Many token based authentication schemes limit the effective lifetime of an authentication credential to a single use. OTOH certs may be issued with an effective lifetime measured in months or years. In the environment where the VPN peer is a multi-user host or network gateway system, how do you handle authentication which requires human interaction? There are likely many workarounds for this, but it seems that it would be difficult to manage. Would it be better to say that a secure VPN offers host authentication and user authorization? 
An authenticated host can bring up an encrypted channel, but the traffic over that channel is subject to policy. The policy may be implemented by authorization constraints. >When I last evaluated the subscription VPN services (which was, >admittedly, quite some time ago -- I've got this ridiculous >prejudice against outsourcing my perimeter security), none of them >came anywhere close to offering this level of protection. Just sign here, here and here. You will be all set....really.... ;-) > >Also please note that the FAQ addresses this issue: > >http://kubarb.phsx.ukans.edu/~tbird/FAQ.html#Q3: --tcw **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From chost at lanl.gov Wed Jun 9 14:02:42 1999 From: chost at lanl.gov (Cheryl Host) Date: Wed, 9 Jun 1999 12:02:42 -0600 Subject: Alternate connectivity VPN.. Message-ID: <002b01beb2a2$456d7540$1672a580@chost-dell.lanl.gov> I met with a vendor, Assured Digital, Inc., yesterday. They have a $1300 box with 2 Ethernet interfaces. Have not used their product though. see http://www.assured-digital.com -----Original Message----- From: John Nanas To: vpn at listserv.secnetgroup.com Date: Wednesday, June 09, 1999 10:21 AM Subject: Alternate connectivity VPN.. >Hi all- > >Quick question, and I'll get out of your hair. > >Has anyone had any experience with a low cost VPN device that has two >Ethernet interfaces? 
Some of our end offices are dying to go with alternate >connectivity types such as DSL and cable modem, but I'd like to keep the >solution the same between all offices (which is impossible to do, since it >seems that every service provider seems to have his or her own >router/modem). > >I figured I could get a VPN router, with two Ethernet interfaces, and put it >before the provider's modem in order to put the encryption into place (I'd >prefer IPSec). I was looking at a Cisco 1720, but it doesn't offer two >Ethernet interfaces. I was also looking into Cisco's 2624, but the >encryption speed is very slow (I'd never get a full T out of it - right now >they're spec'ing out 256 kb at 3-DES). > >Anyone have any suggestions or good experiences they could share? > >Thanks, >John Nanas >Network Systems Engineer >The Princeton Review > >**************************************************************** >TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > >The VPN FAQ (under construction) is available at >http://kubarb.phsx.ukans.edu/~tbird/FAQ.html > >We are currently experiencing "unsubscribe" difficulties. If you >wish to unsubscribe, please send a message containing the single line >"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com > >**************************************************************** > **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. 
If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From Christine.Nguyen at US.DataFellows.COM Thu Jun 10 14:41:56 1999 From: Christine.Nguyen at US.DataFellows.COM (Nguyen, Christine) Date: Thu, 10 Jun 1999 11:41:56 -0700 Subject: Alternate connectivity VPN.. Message-ID: Hi all, I know the VPN software from Data Fellows that use on 95/98/NT40 that can have 2 Ethernet Interfaces supported and the speed is pretty fast too. Check this out: http://www.datafellows.com/f-secure/vpn-plus/ Let me know what you think. Christine Nguyen, Product manager. Network Security Solution. -----Original Message----- From: John Nanas [mailto:JohnN at review.com] Sent: Wednesday, June 09, 1999 6:50 AM To: vpn at listserv.secnetgroup.com Subject: Alternate connectivity VPN.. Hi all- Quick question, and I'll get out of your hair. Has anyone had any experience with a low cost VPN device that has two Ethernet interfaces? Some of our end offices are dying to go with alternate connectivity types such as DSL and cable modem, but I'd like to keep the solution the same between all offices (which is impossible to do, since it seems that every service provider seems to have his or her own router/modem). I figured I could get a VPN router, with two Ethernet interfaces, and put it before the provider's modem in order to put the encryption into place (I'd prefer IPSec). I was looking at a Cisco 1720, but it doesn't offer two Ethernet interfaces. I was also looking into Cisco's 2624, but the encryption speed is very slow (I'd never get a full T out of it - right now they're spec'ing out 256 kb at 3-DES). Anyone have any suggestions or good experiences they could share? 
Thanks, John Nanas Network Systems Engineer The Princeton Review **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From chris at momentum.com.sg Thu Jun 10 04:35:59 1999 From: chris at momentum.com.sg (Christopher Swallow) Date: Thu, 10 Jun 1999 16:35:59 +0800 Subject: IPSec/G3 Powerbook Message-ID: <6187AA421C13D311AA490004AC770DAC1634@MOMENTUM> Hi VPNers Found your website whilst searching for info. on VPNs. I'm a graphic designer who has recently helped set up a VPN in my office with Cisco Systems. We now want remote access, but the Cisco engineers don't know whether IPSec software is available for a new Apple G3 Powerbook with Mac O.S 8.1 Any help would be greatly appreciated. Thanks Chris Christopher Swallow WWW.Designer Momentum Design Pte Ltd 103 Beach Road Premier Centre #04-02 Singapore 189704 Tel: 334 3456 Fax: 339 0009 www.momentum.com.sg -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/ms-tnef Size: 1531 bytes Desc: not available Url : http://lists.shmoo.com/pipermail/vpn/attachments/19990610/7a5c00e4/attachment.bin From chouanard at parc.xerox.com Fri Jun 11 13:20:02 1999 From: chouanard at parc.xerox.com (Jean Chouanard) Date: Fri, 11 Jun 1999 10:20:02 PDT Subject: Alternate connectivity VPN.. In-Reply-To: <8B5C596DA5D1D11193AB0000F840F872037EB45D@exchange.review.c om> Message-ID: <4.2.0.54.19990611101743.03952f00@thelma.parc.xerox.com> you may want to have a look on the RedCreek products. www.redcreek.com At 06:50 AM 6/9/99 -0700, someone using John Nanas's login wrote: >Hi all- > >Quick question, and I'll get out of your hair. > >Has anyone had any experience with a low cost VPN device that has two >Ethernet interfaces? Some of our end offices are dying to go with alternate >connectivity types such as DSL and cable modem, but I'd like to keep the >solution the same between all offices (which is impossible to do, since it >seems that every service provider seems to have his or her own >router/modem). > >I figured I could get a VPN router, with two Ethernet interfaces, and put it >before the provider's modem in order to put the encryption into place (I'd >prefer IPSec). I was looking at a Cisco 1720, but it doesn't offer two >Ethernet interfaces. I was also looking into Cisco's 2624, but the >encryption speed is very slow (I'd never get a full T out of it - right now >they're spec'ing out 256 kb at 3-DES). > >Anyone have any suggestions or good experiences they could share? > >Thanks, >John Nanas >Network Systems Engineer >The Princeton Review > >**************************************************************** >TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > >The VPN FAQ (under construction) is available at >http://kubarb.phsx.ukans.edu/~tbird/FAQ.html > >We are currently experiencing "unsubscribe" difficulties. 
If you >wish to unsubscribe, please send a message containing the single line >"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com > >**************************************************************** - jean - **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From jbosh at purdue.edu Fri Jun 11 15:18:03 1999 From: jbosh at purdue.edu (John D. Boshears) Date: Fri, 11 Jun 1999 14:18:03 -0500 (EST) Subject: VPN Question... Message-ID: A question for all the VPN experts who might bestow a bit of their knowledge to me, a extreme novice in the field of networking... I have a small LAN running here in the office, with an NT4 Server posing as our gateway to the internet, and that machine serves up our web content and acts as our primary file server. Now we also have a second NT4 Server sitting behing the gateway on our LAN, and we want to set that machine up to be our VPN server. It has a valid Internet IP address, and responds to pings. Microsoft RAS installed flawlessly, as well as the PPTP protocol. However the client fails at all attempts to connect. Is there something I'm doing that I shouldn't be? Thanks, John Boshears **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. 
If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From gfullerton at talisman-energy.com Fri Jun 11 16:36:48 1999 From: gfullerton at talisman-energy.com (Fullerton, Glenn) Date: Fri, 11 Jun 1999 14:36:48 -0600 Subject: Ipass Message-ID: We are looking at using Ipass for our international users. Thsi allows internet access from a local isp no matter where you are in the world. has anybody used this before .. any comments/pros/cons ... so far from what I can tell it looks very good. We will use this for a internet connection and then run our Vpn across it. Glenn **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From dgoldsmi at erols.com Fri Jun 11 15:24:49 1999 From: dgoldsmi at erols.com (David Goldsmith) Date: Fri, 11 Jun 1999 15:24:49 -0400 Subject: Alternate connectivity VPN.. Message-ID: <01ab01beb440$136008c0$471256a4@pc6m36.adm.intelsat.int> Another vendor to look at is TimeStep. (www.timestep.com) They just came out with a SOHO low-end model of their Permit/Gate device - the 1520 model. R/S Dave Goldsmith dgoldsmi at erols.com -----Original Message----- From: Jean Chouanard To: John Nanas Cc: vpn at listserv.secnetgroup.com Date: Friday, June 11, 1999 2:25 PM Subject: Re: Alternate connectivity VPN.. >you may want to have a look on the RedCreek products. 
>www.redcreek.com > >At 06:50 AM 6/9/99 -0700, someone using John Nanas's login wrote: >>Hi all- >> >>Quick question, and I'll get out of your hair. >> >>Has anyone had any experience with a low cost VPN device that has two >>Ethernet interfaces? Some of our end offices are dying to go with alternate >>connectivity types such as DSL and cable modem, but I'd like to keep the >>solution the same between all offices (which is impossible to do, since it >>seems that every service provider seems to have his or her own >>router/modem). >> >>I figured I could get a VPN router, with two Ethernet interfaces, and put it >>before the provider's modem in order to put the encryption into place (I'd >>prefer IPSec). I was looking at a Cisco 1720, but it doesn't offer two >>Ethernet interfaces. I was also looking into Cisco's 2624, but the >>encryption speed is very slow (I'd never get a full T out of it - right now >>they're spec'ing out 256 kb at 3-DES). >> >>Anyone have any suggestions or good experiences they could share? >> >>Thanks, >>John Nanas >>Network Systems Engineer >>The Princeton Review >> >>**************************************************************** >>TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com >> >>The VPN FAQ (under construction) is available at >>http://kubarb.phsx.ukans.edu/~tbird/FAQ.html >> >>We are currently experiencing "unsubscribe" difficulties. If you >>wish to unsubscribe, please send a message containing the single line >>"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com >> >>**************************************************************** > > - jean - > >**************************************************************** >TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > >The VPN FAQ (under construction) is available at >http://kubarb.phsx.ukans.edu/~tbird/FAQ.html > >We are currently experiencing "unsubscribe" difficulties. 
If you >wish to unsubscribe, please send a message containing the single line >"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com > >**************************************************************** **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From cvolta at compatible.com Fri Jun 11 17:50:10 1999 From: cvolta at compatible.com (Chris Volta) Date: Fri, 11 Jun 1999 15:50:10 -0600 Subject: IPSec/G3 Powerbook Message-ID: Hi Christopher, Compatible Systems offers IntraPort VPN servers that include free client software for Macintosh computers. Check out www.compatible.com Please note an IntraPort VPN Server is required for a VPN connection with our client software. You will not be able to use our clients to connect directly to Cisco VPN products you may be using now. Apple Computer selected our IntraPort VPN Servers for their own use corporate-wide, so I am confident you will also be pleased with this solution. Best Regards, Chris >Hi VPNers > >Found your website whilst searching for info. on VPNs. I'm a graphic >designer who has recently helped set up a VPN in my office with Cisco >Systems. We now want remote access, but the Cisco engineers don't know >whether IPSec software is available for a new Apple G3 Powerbook with >Mac O.S 8.1 > >Any help would be greatly appreciated. 
> >Thanks > >Chris > >Christopher Swallow >WWW.Designer >Momentum Design Pte Ltd >103 Beach Road >Premier Centre #04-02 >Singapore 189704 > >Tel: 334 3456 >Fax: 339 0009 > >www.momentum.com.sg Chris Volta Channel Sales Manager Compatible Systems 4730 Walnut Street Boulder, CO 80301 Toll Free (800) 356-0283 Direct (303) 381-2872 Fax (303) 444-9595 http://www.compatible.com cvolta at compatible.com **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From mmedwid at symantec.com Fri Jun 11 20:37:14 1999 From: mmedwid at symantec.com (Michael Medwid) Date: Fri, 11 Jun 1999 17:37:14 -0700 Subject: Ipass Message-ID: <8825678E.000449BA.00@notes.symantec.com> As an add-on question - has anyone on the mailing list used Pilot (http://www.pilot.net) in conjunction with IPass for a fully outsourced/managed VPN solution? At they time they came in I was too busy to follow the sales routine to its conclusion (still am actually.) But I'm curious to hear about cost and performance experiences as it is a different means of approaching the VPN equation. Thanks. Michael "Fullerton, Glenn" on 06/11/99 01:36:48 PM From dbovee at inetsec.com Fri Jun 11 21:17:09 1999 From: dbovee at inetsec.com (David Bovee) Date: Fri, 11 Jun 1999 18:17:09 -0700 Subject: Ipass In-Reply-To: Message-ID: <60852b7e36b4c61a4fe4d5e8b60bf4fe3761b3fd@inetsec.com> iPass is a quality service. The only problems you may run into are discrete from those of a service such as iPass. 
One thing that you may really appreciate from use of their model that is not (easily) available in most other dial implementations is a detailed accounting of usage by user. You should expect some degree of difficulty operating VPNs from International locations due to network latencies. Your best bet will be to do some internal testing (if possible) and find the best connection points abroad, then remove high-latency network endpoints from your corporate phonebook file prior to distribution to the general user community. This can be easier said than done because testing *should* be done FROM the remote location. One way to do this is roll out that particular service in a piecewise format, using some advanced beta users who can map some data for you, such as: endpoint used (correlates with a telephone number in the phonebook) connection speed empirical performance (you could ask them to rate on a scale from 1 to 5) However, I do recommend AGAINST allowing those user to dial directly (using RAS or other) because the performance may be better, which could spoil them into thinking that is a viable (and cost effective) access method for surfing the intranet.. Good luck, -David > -----Original Message----- > From: owner-vpn at listserv.secnetgroup.com > [mailto:owner-vpn at listserv.secnetgroup.com]On Behalf Of Fullerton, Glenn > Sent: Friday, June 11, 1999 1:37 PM > To: 'vpn at listserv.secnetgroup.com' > Subject: Ipass > > > We are looking at using Ipass for our international users. Thsi allows > internet access from a local isp no matter where you are in the > world. has > anybody used this before .. any comments/pros/cons ... so far from what I > can tell it looks very good. > > We will use this for a internet connection and then run our Vpn across it. 
> > Glenn > > **************************************************************** > TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > > The VPN FAQ (under construction) is available at > http://kubarb.phsx.ukans.edu/~tbird/FAQ.html > > We are currently experiencing "unsubscribe" difficulties. If you > wish to unsubscribe, please send a message containing the single line > "unsubscribe vpn your-e-mail-address" to > owner-vpn at listserv.secnetgroup.com > > **************************************************************** > **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From dbovee at inetsec.com Fri Jun 11 21:27:15 1999 From: dbovee at inetsec.com (David Bovee) Date: Fri, 11 Jun 1999 18:27:15 -0700 Subject: VPN Question... In-Reply-To: Message-ID: <7e2839f812431915d8b7d78381c088553761b656@inetsec.com> John, I suggest that you will have problems with that model, from a security perspective. However, if you wish to continue your implementation, you must ensure that the gateway (the first NT4 box mentioned in your scenario) is allowing packets of the following type through to the proposed PPTP endpoint: IP Type 47 (GRE) TCP destination port 1723 (on the PPTP tunnel server) I do, however, recommend that you consider something more like this: INET-----|-------|------------LAN Workstations | | | --NT file server, DHCP server, etc. 
| INET gateway and VPN server This model uses no additional boxes than you have currently allocated, but importantly moves your private data files to a server that is exclusively internal. This gives you the ability to use proxy server and/or other filtering devices on the NT4 gateway providing your Internet connectivity. Also, unless you're using a WAN Card in your NT4 box, I suggest that you implement basic, anti-spoof packet filters on your Internet router. Good luck, David Bovee > -----Original Message----- > From: owner-vpn at listserv.secnetgroup.com > [mailto:owner-vpn at listserv.secnetgroup.com]On Behalf Of John D. Boshears > Sent: Friday, June 11, 1999 12:18 PM > To: vpn at listserv.secnetgroup.com > Subject: VPN Question... > > > A question for all the VPN experts who might bestow a bit of their > knowledge to me, a extreme novice in the field of networking... > > I have a small LAN running here in the office, with an NT4 Server posing > as our gateway to the internet, and that machine serves up our web content > and acts as our primary file server. Now we also have a second NT4 Server > sitting behing the gateway on our LAN, and we want to set that machine up > to be our VPN server. It has a valid Internet IP address, and responds to > pings. Microsoft RAS installed flawlessly, as well as the PPTP protocol. > However the client fails at all attempts to connect. Is there something > I'm doing that I shouldn't be? > > Thanks, > John Boshears > > > **************************************************************** > TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com > > The VPN FAQ (under construction) is available at > http://kubarb.phsx.ukans.edu/~tbird/FAQ.html > > We are currently experiencing "unsubscribe" difficulties. 
If you > wish to unsubscribe, please send a message containing the single line > "unsubscribe vpn your-e-mail-address" to > owner-vpn at listserv.secnetgroup.com > > **************************************************************** > **************************************************************** TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com The VPN FAQ (under construction) is available at http://kubarb.phsx.ukans.edu/~tbird/FAQ.html We are currently experiencing "unsubscribe" difficulties. If you wish to unsubscribe, please send a message containing the single line "unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com **************************************************************** From dbovee at inetsec.com Sat Jun 12 00:28:48 1999 From: dbovee at inetsec.com (David Bovee) Date: Fri, 11 Jun 1999 21:28:48 -0700 Subject: Ipass In-Reply-To: <8825678E.000449BA.00@notes.symantec.com> Message-ID: <3ccb338d2e6228253709eafc78940dcc3761e1eb@inetsec.com> Michael, I have seen some Pilot proposals for services, but have no first hand experience with the quality they may (not) deliver. I can say that in my experience, pilot charges a handful for services that are purportedly available from competitors at lower costs. However, if they really go above and beyond, they may be able to differentiate themselves. As I said in my original response regarding iPass, the real issue that tends to cause performance problems with using remote user VPN will be the latency. Therefore, if Pilot has massive Internet egress and the iPass endpoint you use happens to also have massive egress and be routed to Pilot via a close backbone entry/exit, then you might be looking at extremely low latencies and thus excellent performance potential. In my traces to Pilot (from Seattle), I'm getting a 47 ms RTT which is quite respectable. 
The spike is latency for my route seems to occur much closer to my side than theirs, indicating that they must have fairly decent transit to/from Verio or one of its private peers... In summary, I understand most of Pilot's services to be completely outsourced (or completely managed, however you word this). This has certain advantages and disadvantages. However, I don't think that your VPN performance will be greatly affected by this alone. Rather, the decision to go with a company like Pilot should rest with your trust in their ability to competently manage your networking and their prices. It is actually a benefit that they recommend iPass because the alternative could be a single 800 number that they manage (having less redundancy and higher cost) or a single-source provider (such as Compuserve/AOL dial which again offers you, the consumer, fewer options). If I understood your question, hopefully this helps a bit.. -David Bovee > -----Original Message----- > From: owner-vpn at listserv.secnetgroup.com > [mailto:owner-vpn at listserv.secnetgroup.com]On Behalf Of Michael Medwid > Sent: Friday, June 11, 1999 5:37 PM > To: Fullerton, Glenn > Cc: 'vpn at listserv.secnetgroup.com' > Subject: Re: Ipass > > > > > As an add-on question - has anyone on the mailing list used Pilot > (http://www.pilot.net) > in conjunction with IPass for a fully outsourced/managed VPN > solution? At they > time they came in I was too busy to follow the sales routine to > its conclusion > (still am > actually.) But I'm curious to hear about cost and performance > experiences as it > is > a different means of approaching the VPN equation. > > Thanks. > > Michael > > > > > "Fullerton, Glenn" on 06/11/99 > 01:36:48 PM > > > To: "'vpn at listserv.secnetgroup.com'" > cc: (bcc: Michael Medwid/Cupertino/Cal/SYMANTEC) > Subject: Ipass > > > > > We are looking at using Ipass for our international users. Thsi allows > internet access from a local isp no matter where you are in the > world. 
> Has anybody used this before .. any comments/pros/cons ... so far from
> what I can tell it looks very good.
>
> We will use this for an internet connection and then run our Vpn across it.
>
> Glenn

From rgm at icsa.net Sun Jun 13 00:37:30 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Sun, 13 Jun 1999 00:37:30 -0400
Subject: IPSec/G3 Powerbook
In-Reply-To:
Message-ID: <4.1.19990613003407.00aca9b0@homebase.htt-consult.com>

At 03:50 PM 6/11/99 -0600, Chris Volta wrote:
>
> Please note an IntraPort VPN Server is required for a VPN connection with
> our client software. You will not be able to use our clients to connect
> directly to Cisco VPN products you may be using now.
>

Timestep does work with Cisco's IOS in numerous tests. Certificate usage for both (IKE Main Mode RSA sig) does work, but getting certificates into the units can be challenging. Timestep works with Entrust. Cisco has their own CEP (that they are getting rolled into CMC; Entrust is early CMP. Don't you love standards).

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From Barry.Schon at hbfuller.com Mon Jun 14 09:28:47 1999
From: Barry.Schon at hbfuller.com (Barry Schon)
Date: Mon, 14 Jun 1999 08:28:47 -0500
Subject: Ipass
Message-ID:

>>>> "Fullerton, Glenn" 06/11 3:36 PM >>>
> We are looking at using Ipass for our international users. This allows
> internet access from a local isp no matter where you are in the world. Has
> anybody used this before .. any comments/pros/cons ... so far from what I
> can tell it looks very good.
>
> We will use this for an internet connection and then run our Vpn across it.
>
> Glenn

We will be looking at iPass as well, although are not at the stage where we are ready to do any testing. iPass has an interesting service, and for us, since we have so many global locations from which users will be dialing in via VPNs, it is probably the best solution for us (at least in Asia and Latin America). For North America and Europe, we're almost ready to sign with UUNet for the dial-up services (UUdial), since we can maintain a lower latency if we go with a provider with a good backbone like UUNet.
UUnet's POPs are also accessible via iPass roaming services, so where we are using the Contivity Extranet Client to access iPass services, the UUnet POPs will be preferred and only where they are not available will users use other ISPs' POPs. Also, we will be looking at keeping an iPass Roaming Server centrally for maintaining ISP accounts. An iPass roaming server is the server from which users are authenticated when connecting to a POP of another ISP (other than the user's home ISP).

Like I said, we are still doing our research and plan on meeting with iPass soon. I'd be happy to share our experiences after we experiment a bit.

Regards,
-Barry

Barry Schon
Network Analyst
Corporate IT - Network Services/WAN
H.B. Fuller Company
1275 Grey Fox Rd.
Arden Hills, MN, USA 55112
barry.schon at hbfuller.com
Ph: +1 (651) 236-4114
Fax: +1 (651) 236-4444

From johnl at microware.com Mon Jun 14 22:44:13 1999
From: johnl at microware.com (John Lengeling)
Date: Mon, 14 Jun 1999 21:44:13 -0500
Subject: Ipass
References:
Message-ID: <3765BDFD.5B585DFC@microware.com>

"Fullerton, Glenn" wrote:
>
> We are looking at using Ipass for our international users. This allows
> internet access from a local isp no matter where you are in the world. Has
> anybody used this before .. any comments/pros/cons ... so far from what I
> can tell it looks very good.
>
> We will use this for an internet connection and then run our Vpn across it.

We use Ipass and really like their service. We were using UUNET but favor Ipass because:

- it has more pops in more countries
- it has a Connection manager for ease of use. UUNET just gives you a list of phone numbers.
- it has a flat rate ($20/mo) and a measured rate service plan. Ideal for occasional travelers.
- detailed bills.

We use it with V-ONE SmartGate without any major problems in UK, Germany, HK, Japan, Australia.

The only problem that we have with Ipass is in China. We connect to the ISP and can access standard ports (HTTP, FTP, etc) but our VPN doesn't work. We think it might be because of port filtering by the Chinese government.

johnl

From rico at maco.net Tue Jun 15 09:17:12 1999
From: rico at maco.net (David)
Date: Tue, 15 Jun 1999 09:17:12 -0400
Subject: OS/2 client
Message-ID: <000701beb731$64dc9210$1328d8ce@davidg.prosolutionsinc.com>

Is anyone aware of an IPSec client for OS/2? Please email me at: david at prosolutionsinc.com if you have any info. Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/19990615/60becbdf/attachment.htm

From philipp at buehler.de Thu Jun 17 04:24:30 1999
From: philipp at buehler.de (Philipp Buehler)
Date: Thu, 17 Jun 1999 10:24:30 +0200
Subject: OS/2 client
In-Reply-To: <000701beb731$64dc9210$1328d8ce@davidg.prosolutionsinc.com>; "David" on 15.06.1999 @ 15:17:12 MEST
References: <000701beb731$64dc9210$1328d8ce@davidg.prosolutionsinc.com>
Message-ID: <19990617102430.A27735@taubenschlag.ttt.de>

David wrote To vpn at listserv.secnetgroup.com:
> Is anyone aware of an IPSec client for OS/2? Please email me at:
> david at prosolutionsinc.com if you have any info. Thanks.

OS/2's TCP/IP 4.[12] has builtin IPsec.

--- End of mail from David ---

ciao
--
Philipp Buehler
OS/2 - do not miss it.
Administration/Owner of http://www.OS2.org/ ; http://www.OS-2.de/

From linkview at cyberway.com.sg Fri Jun 18 22:43:58 1999
From: linkview at cyberway.com.sg (LinkView)
Date: Sat, 19 Jun 1999 10:43:58 +0800
Subject: Ipass
Message-ID: <01BEBA40.A39CFB40.linkview@cyberway.com.sg>

I suspect this is due to the ISP that iPass is connecting to. It worked well for me using GRIC in China and many other countries. We're using V-ONE SmartGate for our VPN.

LinkView

> -----Original Message-----
> From: John Lengeling [SMTP:johnl at microware.com]
> Sent: Tuesday, June 15, 1999 10:44 AM
> To: Fullerton, Glenn
> Cc: 'vpn at listserv.secnetgroup.com'
> Subject: Re: Ipass
>
> "Fullerton, Glenn" wrote:
> >
> > We are looking at using Ipass for our international users. This allows
> > internet access from a local isp no matter where you are in the world. Has
> > anybody used this before .. any comments/pros/cons ... so far from what I
> > can tell it looks very good.
> >
> > We will use this for an internet connection and then run our Vpn across it.
>
> We use Ipass and really like their service. We were using UUNET but favor
> Ipass because:
>
> - it has more pops in more countries
> - it has a Connection manager for ease of use. UUNET just gives you a
>   list of phone numbers.
> - it has a flat rate ($20/mo) and a measured rate service plan. Ideal for
>   occasional travelers.
> - detailed bills.
>
> We use it with V-ONE SmartGate without any major problems in UK, Germany,
> HK, Japan, Australia.
>
> The only problem that we have with Ipass is in China. We connect to the
> ISP and can access standard ports (HTTP, FTP, etc) but our VPN doesn't
> work. We think it might be because of port filtering by the Chinese
> government.
>
> johnl
From thaddeus at forzaroma.com Mon Jun 21 09:55:35 1999
From: thaddeus at forzaroma.com (thaddeus at forzaroma.com)
Date: 21 Jun 1999 06:55:35 -0700
Subject: VPN evaluation matrix
Message-ID: <19990621135535.4747.cpmta@c004.sfo.cp.net>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/19990621/cba1e748/attachment.txt

From sbrown at cw.net Mon Jun 21 09:33:44 1999
From: sbrown at cw.net (Steve Brown)
Date: Mon, 21 Jun 1999 09:33:44 -0400
Subject: VPN Question
Message-ID: <000001bebbea$aed21ee0$2d41189f@sbrown.cary.mci.net>

Hello -

I was wondering if anyone had any thoughts on VPNs Security & Performance.

Usually when talking to my customers, I find that QoS and Security are on two opposite sides of the fence. Vendors sell QoS one way, and unfortunately customers always seem to understand QoS another way (similar to bandwidth application management).

A lot of my projects have included intrusion detection, filtering, logging and content vectoring protocol which impacts QoS (the QoS that the customer hears, or at least wants to hear), so I was wondering can VPNs really scale when we keep implying security to the communications stream.

I've already come across delays, time-outs, etc when adding additional security features. I think that depending on the topology and architecture in place at a customer's network, we can improve the relationship between QoS and Security, and hopefully VPNs will scale.

Steven A. Brown
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
Research Triangle Park, NC, 27513
Author: Implementing Virtual Private Networks, McGraw-Hill
CoAuthor: CheckPoint Firewall-1, McGraw-Hill
sbrown at cw.net

From Ryan.Russell at sybase.com Mon Jun 21 15:19:41 1999
From: Ryan.Russell at sybase.com (Ryan Russell)
Date: Mon, 21 Jun 1999 12:19:41 -0700
Subject: VPN Question
Message-ID: <88256797.006A32E8.00@gwwest.sybase.com>

> Usually when talking to my customers, I find that QoS
> and Security are on two opposite sides of the fence. Vendors sell
> QoS one way, and unfortunately customers always seem to understand
> QoS another way (similar to bandwidth application management).

Most of this is due to widely different interpretations of the term QoS, as well as differences in what people want vs. what vendors offer. There is a security interaction, though..

> A lot of my projects have included intrusion detection, filtering,
> logging and content vectoring protocol which impacts QoS (the QoS that
> the customer hears, or at least wants to hear), so I was
> wondering can VPNs really scale when we keep implying security to the
> communications stream.
It depends on how your QoS scheme works. Some of them work by making their own changes to various headers. Others make changes by informing routers along the route, and make no header changes. Still others (WFQ) have things essentially hard-coded by port number. Either of the latter 2 options should be security-compatible. The first may also be, depending on how much of the headers are validated.

> I've already come across delays, time-outs, etc when adding additional
> security features. I think that depending on the topology and architecture
> in place at a customer's network, we can improve the relationship between
> QoS and Security, and hopefully VPNs will scale.

The biggest problem is ISP diversity. You can probably come to a QoS agreement with a single (or even a few) ISP(s). This gives you the ability to specify what you need. If your users are like mine, though, you won't have the ability to specify which ISP they use in all cases.

I'm dealing with this problem via agreements with a main ISP, where I get to specify a number of performance-related things in my contract. They have good coverage, but it's for dial-up only. In other cases, users are opting for their own dial-up, in which case quality doesn't concern me that much, since they have an "official" dial-up solution which should work for them. Still others have opted for something faster, like DSL or cable modem. The majority of the time, those are so much faster that performance isn't an issue, and when there are problems, they like the speed so much, they just put up with it.

Ryan

From johnl at microware.com Mon Jun 21 15:10:47 1999
From: johnl at microware.com (John Lengeling)
Date: Mon, 21 Jun 1999 14:10:47 -0500
Subject: Ipass
References: <01BEBA40.A39CFB40.linkview@cyberway.com.sg>
Message-ID: <376E8E37.F1E0FB49@microware.com>

LinkView wrote:
>
> I suspect this is due to the ISP that iPass is connecting to. It worked
> well for me using GRIC in China and many other countries.
>

I wasn't sure if it was a problem with the ISP in China or some sort of filtering by the government. I just assumed the government since I kept reading stories about government monitoring of Internet access and censorship of the media. He hasn't had any other problems in the Far East using Ipass and SmartPass. Next time he is in China, I will have him try the other Ipass numbers. As soon as he called an Ipass connection in HK, everything worked just fine.

johnl

From jayw at tecsec.com Mon Jun 21 15:10:38 1999
From: jayw at tecsec.com (Jay Wack)
Date: Mon, 21 Jun 1999 15:10:38 -0400
Subject: VPN Question
Message-ID: <91DCC8C4B999D111B5580060977E2DDE10DC28@SOL>

We have been working with the DOD for the past 8 years....it has been our experience that most of the efforts to date work well within a given enclave.
The problems start when, in the effort to scale, more and diverse connections are made....so far, no one has managed to get a significant, complex network up and working using the VPN approach....

What has worked is the encryption of information at the object level, using role-based access control attributes, embedded in the object, and adjudicated at the client. What you get is control of who talks to whom, about what information, on what device.

Good luck with your efforts.

Jay Wack
TECSEC

> -----Original Message-----
> From: Steve Brown [SMTP:sbrown at cw.net]
> Sent: Monday, June 21, 1999 9:34 AM
> To: Vpn
> Subject: VPN Question
>
> Hello -
>
> I was wondering if anyone had any thoughts on
> VPNs Security & Performance.
>
> Usually when talking to my customers, I find that QoS
> and Security are on two opposite sides of the fence. Vendors sell
> QoS one way, and unfortunately customers always seem to understand
> QoS another way (similar to bandwidth application management).
>
> A lot of my projects have included intrusion detection, filtering,
> logging and content vectoring protocol which impacts QoS (the QoS that
> the customer hears, or at least wants to hear), so I was
> wondering can VPNs really scale when we keep implying security to the
> communications stream.
>
> I've already come across delays, time-outs, etc when adding additional
> security features. I think that depending on the topology and
> architecture in place at a customer's network, we can improve the
> relationship between QoS and Security, and hopefully VPNs will scale.
>
> Steven A. Brown
> VPN/Firewall & Internet Security Engineer
> Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
> Research Triangle Park, NC, 27513
> Author: Implementing Virtual Private Networks, McGraw-Hill
> CoAuthor: CheckPoint Firewall-1, McGraw-Hill
> sbrown at cw.net

From sbrown at cw.net Mon Jun 21 15:38:57 1999
From: sbrown at cw.net (Steve Brown)
Date: Mon, 21 Jun 1999 15:38:57 -0400
Subject: VPN Question
In-Reply-To: <91DCC8C4B999D111B5580060977E2DDE10DC28@SOL>
Message-ID: <000001bebc1d$b3ff9ea0$2d41189f@sbrown.cary.mci.net>

Hi Jay,

What we have been seeing is the same exact thing, where we get into trouble when we start to scale. Working within a given set of attributes works fine, but once modifying the initial set of parameters we give up some QoS for conditions of security, i.e., making it flexible, and we fall back to individual client authentication & encryption. Unfortunately as VPNs continue to grow, and customers demand QoS, will there be a standard that will allow both to work together?

Thanks

Steven A.
Brown
VPN/Firewall & Internet Security Engineer
Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
Research Triangle Park, NC, 27513
Author: Implementing Virtual Private Networks, McGraw-Hill
CoAuthor: CheckPoint Firewall-1, McGraw-Hill
sbrown at cw.net

> -----Original Message-----
> From: Jay Wack [mailto:jayw at TECSEC.com]
> Sent: Monday, June 21, 1999 3:11 PM
> To: Steve Brown; Vpn
> Subject: RE: VPN Question
>
> We have been working with the DOD for the past 8 years....it has been our
> experience that most of the efforts to date work well within a given
> enclave. The problems start when, in the effort to scale, more and diverse
> connections are made....so far, no one has managed to get a significant,
> complex network up and working using the VPN approach....
>
> What has worked is the encryption of information at the object level, using
> role-based access control attributes, embedded in the object, and
> adjudicated at the client. What you get is control of who talks to whom,
> about what information, on what device.
>
> Good luck with your efforts.
>
> Jay Wack
> TECSEC
>
> > -----Original Message-----
> > From: Steve Brown [SMTP:sbrown at cw.net]
> > Sent: Monday, June 21, 1999 9:34 AM
> > To: Vpn
> > Subject: VPN Question
> >
> > Hello -
> >
> > I was wondering if anyone had any thoughts on
> > VPNs Security & Performance.
> >
> > Usually when talking to my customers, I find that QoS
> > and Security are on two opposite sides of the fence. Vendors sell
> > QoS one way, and unfortunately customers always seem to understand
> > QoS another way (similar to bandwidth application management).
> >
> > A lot of my projects have included intrusion detection, filtering,
> > logging and content vectoring protocol which impacts QoS (the QoS that
> > the customer hears, or at least wants to hear), so I was
> > wondering can VPNs really scale when we keep implying security to the
> > communications stream.
> >
> > I've already come across delays, time-outs, etc when adding additional
> > security features. I think that depending on the topology and
> > architecture in place at a customer's network, we can improve the
> > relationship between QoS and Security, and hopefully VPNs will scale.
> >
> > Steven A. Brown
> > VPN/Firewall & Internet Security Engineer
> > Cable&Wireless, 6400 Weston Pkwy, 3rd. FL
> > Research Triangle Park, NC, 27513
> > Author: Implementing Virtual Private Networks, McGraw-Hill
> > CoAuthor: CheckPoint Firewall-1, McGraw-Hill
> > sbrown at cw.net
From jsdy at cospo.osis.gov Mon Jun 21 17:53:16 1999
From: jsdy at cospo.osis.gov (Joseph S D Yao)
Date: Mon, 21 Jun 1999 17:53:16 -0400 (EDT)
Subject: VPN Question
In-Reply-To: <91DCC8C4B999D111B5580060977E2DDE10DC28@SOL> from "Jay Wack" at Jun 21, 99 03:10:38 pm
Message-ID: <199906212153.RAA27190@fw1.osis.gov>

> We have been working with the DOD for the past 8 years....it has been our
> experience that most of the efforts to date work well within a given
> enclave. The problems start when, in the effort to scale, more and diverse
> connections are made....so far, no one has managed to get a significant,
> complex network up and working using the VPN approach....

Curious statement. I work with a VPN among a number of different USG agencies and groups, including some DOD and some civilian. It's been running for about 4 years now, and has about 40 different agencies and groups on-line on the VPN [plus dial-ins from others]. I'm afraid that I can't give a lot more details.

We've tried to add in tunneling from a desktop [what a lot of people are calling "VPN" these days]. As I'd mentioned before, few products met all of our requirements.

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From Ryan.Russell at sybase.com Tue Jun 22 14:31:38 1999
From: Ryan.Russell at sybase.com (Ryan Russell)
Date: Tue, 22 Jun 1999 11:31:38 -0700
Subject: VPN Question
Message-ID: <88256798.0065CFC2.00@gwwest.sybase.com>

> At 12:19 PM 6/21/99 -0700, Ryan Russell wrote:
> >
> > It depends on how your QoS scheme works. Some of them work by
> > making their own changes to various headers. Others make changes by
> > informing routers along the route, and make no header changes. Still
> > others (WFQ) have things essentially hard-coded by port number.
> > Either of the latter 2 options should be security-compatible. The first
> > may also be, depending on how much of the headers are validated.
> >
> But all of these need information from the datagrams. Good security hides
> everything but routing information. ERGO....

It depends completely on where you do your encryption. The VPN I use only encrypts layer 4 payload. It doesn't particularly matter (so I believe) if someone plays games with the headers.. if the payload doesn't decrypt properly. (It's Infoexpress' VTP/Secure). In my case, if I were able to get my ISP(s) to favor traffic destined for port 11160, I'd be in good shape.

Ryan
From rgm at icsa.net Tue Jun 22 14:20:14 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 22 Jun 1999 14:20:14 -0400
Subject: VPN Question
In-Reply-To: <000001bebc1d$b3ff9ea0$2d41189f@sbrown.cary.mci.net>
References: <91DCC8C4B999D111B5580060977E2DDE10DC28@SOL>
Message-ID: <4.1.19990622141455.00afb220@homebase.htt-consult.com>

At 03:38 PM 6/21/99 -0400, Steve Brown wrote:
>
> Unfortunately as VPNs continue to grow, and customers demand QoS,
> will there be a standard that will allow both to work together,

Unfortunately NOT right now. Some of the QoS methodologies are potential denial of service attacks.. Or to expose enough data content for QoS can result in security risks.

At the Minneapolis IETF, we had a bit of a knock down drag out on this. Steve Bellovin made a heroic attempt at QoS friendly ESP. Not only did Steve Kent attack it, but Steve Deering abandoned his typical Transport/Network roots in joining Kent. We called that session the Steve Hour :)

ECN for congestion relief is likely to get an experimental IPsec integrated mode. Bellovin helped Black and Floyd develop it and Kent was basically sanguine.

Sigh. Crypto brains ;)

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From rgm at icsa.net Tue Jun 22 14:24:23 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Tue, 22 Jun 1999 14:24:23 -0400
Subject: VPN Question
In-Reply-To: <88256797.006A32E8.00@gwwest.sybase.com>
Message-ID: <4.1.19990622142116.00aaea70@homebase.htt-consult.com>

At 12:19 PM 6/21/99 -0700, Ryan Russell wrote:
>
> It depends on how your QoS scheme works. Some of them work by
> making their own changes to various headers. Others make changes by
> informing routers along the route, and make no header changes. Still
> others (WFQ) have things essentially hard-coded by port number.
> Either of the latter 2 options should be security-compatible. The first
> may also be, depending on how much of the headers are validated.
>

But all of these need information from the datagrams. Good security hides everything but routing information. ERGO....

The most likely to be promulgated approach would be to use IP options to place specific datagram content unprotected for QoS. Much like ECN's use of the TOS bits.

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit
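The three classifier styles Ryan Russell distinguishes earlier in this thread (header marking, router signalling, and WFQ-style matching on port number), his later point that a VPN encrypting only the layer 4 payload leaves port 11160 visible to the ISP, and Robert Moskowitz's point that only unprotected header fields such as the TOS/ECN bits remain usable once ESP hides the rest, can be checked against constructed packets. The following is an added example, not code from any poster or product in this thread. The packets, the DSCP and port class tables, the SPI, and the opaque filler standing in for ciphertext are all constructed for illustration; no real encryption is performed. It shows which fields a router can still read in each case and therefore which classifier keeps working.

```python
"""What a QoS classifier on an ISP router can still see once a VPN encrypts
traffic. All packets here are constructed inline; OPAQUE stands in for
ciphertext and is not the output of any cipher."""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Constructed class tables (assumptions for illustration; a real deployment
# would agree these with the ISP). 11160 is the VTP/Secure port mentioned
# in the thread; its class name is an assumption.
DSCP_CLASSES = {46: "voice", 26: "business", 0: "best-effort"}
PORT_CLASSES = {80: "web", 443: "web", 11160: "vpn-business"}

SRC = bytes([10, 1, 1, 5])        # constructed private address
DST = bytes([192, 0, 2, 10])      # constructed documentation address
OPAQUE = b"\xa5" * 32             # placeholder for encrypted bytes


def ipv4_header(src, dst, proto, payload_len, dscp=0, ecn=0):
    """20-byte IPv4 header; checksum left zero since nothing here validates it."""
    tos = (dscp << 2) | ecn
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                       0x1234, 0, 64, proto, 0, src, dst)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)


def parse_ipv4(pkt):
    """Return the IP fields a router reads plus the raw layer 4 bytes."""
    ver_ihl, tos, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"dscp": tos >> 2, "ecn": tos & 0x3, "proto": proto,
            "src": src, "dst": dst, "l4": pkt[ihl:total_len]}


def classify_by_port(pkt):
    """WFQ-style classification: needs the transport header in the clear."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_TCP:
        return None            # ESP hides the TCP header: no port to match on
    dport = struct.unpack("!HH", ip["l4"][:4])[1]
    return PORT_CLASSES.get(dport)


def classify_by_dscp(pkt):
    """Header-marking classification: survives ESP because the outer IP
    header (and, in tunnel mode, the copied DSCP) is never encrypted."""
    return DSCP_CLASSES.get(parse_ipv4(pkt)["dscp"])


def visible_fields(pkt):
    """Everything a middlebox without the key can read from the packet."""
    ip = parse_ipv4(pkt)
    fields = {"proto": ip["proto"], "dscp": ip["dscp"], "ecn": ip["ecn"]}
    if ip["proto"] == IPPROTO_TCP:
        fields["sport"], fields["dport"] = struct.unpack("!HH", ip["l4"][:4])
    elif ip["proto"] == IPPROTO_ESP:
        # SPI and sequence number are sent in the clear; ports are not.
        fields["spi"], fields["seq"] = struct.unpack("!II", ip["l4"][:8])
    return fields


def plain_tcp(dport, dscp):
    """Unencrypted web request: ports and payload both visible."""
    l4 = tcp_header(40000, dport) + b"GET / HTTP/1.0\r\n"
    return ipv4_header(SRC, DST, IPPROTO_TCP, len(l4), dscp) + l4


def esp_tunnel(dscp, spi=0x1000):
    """IPsec ESP tunnel mode: outer IP header + SPI/seq, then ciphertext.
    The inner packet's DSCP is copied to the outer header (RFC 4301 default)."""
    esp = struct.pack("!II", spi, 1) + OPAQUE
    return ipv4_header(SRC, DST, IPPROTO_ESP, len(esp), dscp) + esp


def payload_only_vpn(dscp):
    """Layer 4 payload encryption: TCP header in the clear, data opaque."""
    l4 = tcp_header(40000, 11160) + OPAQUE
    return ipv4_header(SRC, DST, IPPROTO_TCP, len(l4), dscp) + l4


def run_demo():
    """Classify each constructed packet both ways; None means 'cannot classify'."""
    samples = {"plain-web": plain_tcp(80, 26), "esp-tunnel": esp_tunnel(46),
               "payload-vpn": payload_only_vpn(26)}
    return {name: (classify_by_port(p), classify_by_dscp(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_port, by_dscp) in run_demo().items():
        print(f"{name:12s} port-based={by_port!s:14s} dscp-based={by_dscp}")
```

The port-based classifier returns None for the ESP packet and a class for the payload-only VPN packet, which is exactly the distinction Ryan draws; the DSCP classifier works in all three cases, which is why Moskowitz's "unprotected header content" approach is the one that composes with ESP. The same visibility is what an attacker on the path gets, so a marking scheme should carry no more than the class, never application detail.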
From matthewr at moreton.com.au Wed Jun 23 03:17:10 1999
From: matthewr at moreton.com.au (Matthew Ramsay)
Date: Wed, 23 Jun 1999 07:17:10 +0000
Subject: PoPToP now with encryption
Message-ID: <377089F6.71A3AEA2@moreton.com.au>

Hiya all,

I just ran PoPToP (the pptp server for linux) with support for MSCHAPv2 and 40 (and 128bit) RC4 Microsoft compatible encryption. (thanks to a number of people who provided this support in a pppd hack)

I can connect windows 98 clients to my poptop server with data encryption (haven't tried NT yet).

All of this is free off the net! You can download poptop here:

http://www.moretonbay.com/vpn/pptp.html

I've had a VPN going here using poptop for ages now. It handles well under load. Previous discussions theorise poptop handling (with minimal kernel tweaking) 2048 clients while with more vigorous tweaking 4096 clients.

Cheers,
-matt

From chayward at livingston.com Fri Jun 25 10:23:24 1999
From: chayward at livingston.com (Cary Hayward)
Date: Fri, 25 Jun 1999 07:23:24 -0700
Subject: Pros and Cons of L2TP vs. Radius Proxy
Message-ID: <3.0.2.32.19990625072324.00bbccf0@server>

We have many customers that are very comfortable using Radius proxy (similar to what iPass does I believe) to do port wholesaling.
Of late more SPs like US West are moving to L2TP to deliver this same application. What are the pros and cons of each enabling technology?

Cary Hayward
Product Manager VPN
Lucent Remote Access
chayward at ra.lucent.com
(925) 737-2297

From twolsey at realtech.com Fri Jun 25 10:28:49 1999
From: twolsey at realtech.com (TC Wolsey)
Date: Fri, 25 Jun 1999 10:28:49 -0400
Subject: VPN Question
Message-ID:

>At 12:19 PM 6/21/99 -0700, Ryan Russell wrote:
>>
>>
>>It depends on how your QoS scheme works. Some of them work by
>>making their own changes to various headers. Others make changes by
>>informing routers along the route, and make no header changes. Still
>>others (WFQ) have things essentially hard-coded by port number.
>>Either of the latter 2 options should be security-compatible. The first
>>may also be, depending on how much of the headers are validated.
>>
>But all of these need information from the datagrams. Good security hides
>everything but routing information. ERGO....
>
>The most likely to be promulgated approach would be to use IP options to
>place specific datagram content unprotected for QoS. Much like ECN's use
>of the TOS bits.
>
>
>Robert Moskowitz
>ICSA, Inc.
> (248) 968-9809
>Fax: (248) 968-2824
>rgm at icsa.net
>

It seems that the use of IP options for classification of traffic for QoS purposes would have some significant deployment constraints.
The one that comes to mind first is that most firewall type devices will summarily drop any packet with IP options, and this stance is probably part of many security policies. Some firewall products have no simple means to change this behavior. Why not the use of the SPI to distinguish traffic flows for QoS? It may require more overhead as SAs are built and torn down, but it puts the job of sorting traffic into QoS flows into the IPSec endpoint devices - which may not be such a bad place for this type of service on a security perimeter.

--tcw

From rgm at icsa.net Fri Jun 25 10:29:56 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Fri, 25 Jun 1999 10:29:56 -0400
Subject: VPN Question
In-Reply-To:
Message-ID: <4.1.19990625102852.00b0fa30@homebase.htt-consult.com>

At 10:28 AM 6/25/99 -0400, TC Wolsey wrote:
>>
>It seems that the use of IP options for classification of traffic for QoS
>purposes would have some significant deployment constraints. The one that
>comes to mind first is that most firewall type devices will summarily drop
>any packet with IP options, and this stance is probably part of many
>security policies. Some firewall products have no simple means to change
>this behavior. Why not the use of the SPI to distinguish traffic flows for
>QoS?

Because there are security considerations for the SPI being a random number. Unless it is a constant like with SKIP.
>It may require more overhead as SAs are built and torn down, but it
>puts the job of sorting traffic into QoS flows into the IPSec endpoint
>devices - which may not be such a bad place for this type of service on a
>security perimeter.
>

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From noel at burton-krahn.com Mon Jun 28 13:33:59 1999
From: noel at burton-krahn.com (Noel Burton-Krahn)
Date: 28 Jun 1999 17:33:59 -0000
Subject: opportunistic routers?
Message-ID: <19990628173359.20026.qmail@burton-krahn.com>

Searching, searching...

I am looking for a router which does opportunistic encryption. That is, I want a router that will grab all unencrypted IP traffic and try to establish an encrypted connection (to another encrypting router) at its destination automatically without configuration. Anyone know of such a thing?

I've been looking at VPN solutions like IPsec, ppp-over-ssh, and tunnel vision. All of these have the undesired property that I have to manually set up each encrypted connection, or use preshared secret keys between endpoints. I would like my router to set up encrypted connections automatically to destinations which support encryption.

This may allow anyone to drop encrypted traffic on my VPN. That's ok for me; my firewall can drop unwanted traffic. I just want anyone to be able to encrypt IP traffic to me.
If there's nothing out there, I may write something like this myself (under Linux). Is anyone else working on such a beast?

Thanks for any advice you can give.

--Noel

From sandy.harris at sympatico.ca Mon Jun 28 17:48:49 1999
From: sandy.harris at sympatico.ca (Sandy Harris)
Date: Mon, 28 Jun 1999 17:48:49 -0400
Subject: linux-ipsec: opportunistic routers?
References: <19990628173359.20026.qmail@burton-krahn.com>
Message-ID: <3777EDC1.A4012A2B@sympatico.ca>

Noel Burton-Krahn wrote:
>
> Searching, searching...
>
> I am looking for a router which does opportunistic encryption. That
> is, I want a router that will grab all unencrypted IP traffic and try
> to establish an encrypted connection (to another encrypting router) at
> its destination automatically without configuration. Anyone know of
> such a thing?
>
> I've been looking at VPN solutions like IPsec, ppp-over-ssh, and
> tunnel vision. All of these have the undesired property that I have
> to manually set up each encrypted connection, or use preshared secret
> keys between endpoints. I would like my router to set up encrypted
> connections automatically to destinations which support encryption.
>
> This may allow anyone to drop encrypted traffic on my VPN. That's ok
> for me; my firewall can drop unwanted traffic. I just want anyone to
> be able to encrypt IP traffic to me.
>
> If there's nothing out there, I may write something like this myself
> (under Linux). Is anyone else working on such a beast?
That's one of the main goals of the Linux FreeS/WAN project. See project founder's blurb on why we're doing it, either:

http://www.toad.com/swan.html

or the slightly edited version included in our docs:

http://www.xs4all.nl/~freeswan/freeswan_trees/freeswan-1.00/doc/rationale.html

From rodney at tillerman.nu Wed Jun 30 19:32:17 1999
From: rodney at tillerman.nu (Rodney Thayer)
Date: Wed, 30 Jun 1999 16:32:17 -0700
Subject: opportunistic routers?
In-Reply-To: <199906302141.RAA05044@fw1-b.osis.gov>
References: <3.0.6.32.19990629164939.03b56290@module-two.rwthayer.com>
Message-ID: <3.0.6.32.19990630163217.03472430@module-two.rwthayer.com>

That is the point of a public key infrastructure, that's how it is intended to be used. So, one configures one's device to accept certs signed by some trusted third party, a "retail Certificate Authority" if you will, like VeriSign or GTE, and then you can do it.

At 05:41 PM 6/30/99 -0400, Joseph S D Yao wrote:
>Rodney Thayer replied:
>> not if certificates are used, I think.
>>
>> At 08:31 PM 6/28/99 -0700, Ryan Russell wrote:
>...
>> >It should be noted that, unless there is a pre-shared piece of information
>> >(doesn't necessarily have to be secret) ahead of time, the encryption
>> >will be subject to MITM attacks.
>
>Either the certificates are shared ahead of time, or they have to
>establish a common "certifier" who will certify them to each other.
>There has to be some basis of trust pre-established.
>
>--
>Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
>COSPO/OSIS Computer Support EMT-B
>-----------------------------------------------------------------------
>This message is not an official statement of COSPO policies.
>

From rgm at icsa.net Wed Jun 30 17:29:05 1999
From: rgm at icsa.net (Robert Moskowitz)
Date: Wed, 30 Jun 1999 17:29:05 -0400
Subject: opportunistic routers?
In-Reply-To: <3.0.6.32.19990629164939.03b56290@module-two.rwthayer.com>
References: <8825679F.001369D7.00@gwwest.sybase.com>
Message-ID: <4.1.19990630172614.009f7130@homebase.htt-consult.com>

At 04:49 PM 6/29/99 -0700, Rodney Thayer wrote:
>not if certificates are used, I think.

This is correct. IKE Main Mode with RSA Sig or DSA Sig is basically immune to MITM attacks. Of course RSA Encrypt is supposedly completely immune, or so says the IPsec archives when the various auth mode debates occurred.

MM with preshared secrets is supposedly open to a MITM that has the preshared secret.

Note that MM with preshared secret DOES NOT EQUAL IPsec with static keys. I recently encountered a group that had this interpretation.

>At 08:31 PM 6/28/99 -0700, Ryan Russell wrote:
>>
>>
>>
>>>Searching, searching...
>>>
>>>I am looking for a router which does opportunistic encryption. That
>>>is, I want a router that will grab all unencrypted IP traffic and try
>>>to establish an encrypted connection (to another encrypting router) at
>>>its destination automatically without configuration.
>>>Anyone know of
>>>such a thing?
>>>
>>>I've been looking at VPN solutions like IPsec, ppp-over-ssh, and
>>>tunnel vision. All of these have the undesired property that I have
>>>to manually set up each encrypted connection, or use preshared secret
>>>keys between endpoints. I would like my router to set up encrypted
>>>connections automatically to destinations which support encryption.
>>
>>It should be noted that, unless there is a pre-shared piece of information
>>(doesn't necessarily have to be secret) ahead of time, the encryption
>>will be subject to MITM attacks.
>>
>> Ryan
>>

Robert Moskowitz
ICSA, Inc.
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From jsdy at cospo.osis.gov Wed Jun 30 17:41:57 1999
From: jsdy at cospo.osis.gov (Joseph S D Yao)
Date: Wed, 30 Jun 1999 17:41:57 -0400 (EDT)
Subject: opportunistic routers?
In-Reply-To: <3.0.6.32.19990629164939.03b56290@module-two.rwthayer.com> from "Rodney Thayer" at Jun 29, 99 04:49:39 pm
Message-ID: <199906302141.RAA05044@fw1-b.osis.gov>

Rodney Thayer replied:
> not if certificates are used, I think.
>
> At 08:31 PM 6/28/99 -0700, Ryan Russell wrote:
...
> >It should be noted that, unless there is a pre-shared piece of information
> >(doesn't necessarily have to be secret) ahead of time, the encryption
> >will be subject to MITM attacks.

Either the certificates are shared ahead of time, or they have to establish a common "certifier" who will certify them to each other. There has to be some basis of trust pre-established.

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
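An added worked example of the man-in-the-middle point Ryan Russell, Robert Moskowitz and Joe Yao make in the messages above; it is example code written for this page, not anything the posters or the FreeS/WAN project shipped, and it is not IKE. It runs a Diffie-Hellman exchange between Alice and Bob with an active Mallory who substitutes her own value in both directions, first with no authentication (the fully opportunistic case, where both sides "succeed" and Mallory reads everything), then with a keyed hash over the exchanged values standing in for Main Mode's PSK-keyed HASH_I/HASH_R. A signature over the same data, with the signing key vouched for by a certificate, is the RSA Sig analogue and is what removes the need for a per-peer secret. The last case shows Moskowitz's caveat: a Mallory who already holds the pre-shared key forges the tags and the exchange accepts her. The group parameters (p = 2^127 - 1, g = 3) and the key names are assumptions chosen to keep the arithmetic small and readable, not parameters anyone should reuse.

```python
"""Toy Diffie-Hellman exchange with an active man-in-the-middle, with and
without a pre-shared key authenticating the exchanged values.  Added example
for the thread; it is not IKE and its group parameters are deliberately tiny."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed toy group: p = 2**127 - 1 (the Mersenne prime M127), generator 3.
# Chosen only so the arithmetic is fast and readable; not an IKE/Oakley group.
P = (1 << 127) - 1
G = 3
ROLE_I, ROLE_R = b"I", b"R"   # initiator / responder, like IKE's HASH_I / HASH_R


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    """Session key derived from the DH secret (hashed, as a KDF stand-in)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def auth_tag(psk: bytes, role: bytes, sent_pub: int, received_pub: int) -> bytes:
    """Keyed hash over the DH values a party sent and received.  Plays the part
    of Main Mode's PSK-keyed HASH_I/HASH_R; a signature over the same data is
    the RSA Sig / certificate analogue."""
    data = role + sent_pub.to_bytes(16, "big") + received_pub.to_bytes(16, "big")
    return hmac.new(psk, data, hashlib.sha256).digest()


def exchange(psk: Optional[bytes], attacker: bool, attacker_psk: Optional[bytes] = None) -> dict:
    """One exchange between Alice (initiator) and Bob (responder).

    psk          -- key both honest parties hold; None means no authentication
                    at all (the fully opportunistic case).
    attacker     -- whether Mallory sits in the path and substitutes her own
                    DH value in both directions.
    attacker_psk -- what Mallory uses to forge tags (None: she has nothing).
    """
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()

    if attacker:
        pub_seen_by_bob, pub_seen_by_alice = M, M
        forge = attacker_psk if attacker_psk is not None else b""
        tag_to_alice = auth_tag(forge, ROLE_R, M, A)   # forged "Bob" tag
        tag_to_bob = auth_tag(forge, ROLE_I, M, B)     # forged "Alice" tag
    else:
        pub_seen_by_bob, pub_seen_by_alice = A, B
        tag_to_alice = auth_tag(psk or b"", ROLE_R, B, A)
        tag_to_bob = auth_tag(psk or b"", ROLE_I, A, B)

    if psk is None:
        alice_accepts = bob_accepts = True   # nothing pre-shared to check against
    else:
        alice_accepts = hmac.compare_digest(tag_to_alice, auth_tag(psk, ROLE_R, pub_seen_by_alice, A))
        bob_accepts = hmac.compare_digest(tag_to_bob, auth_tag(psk, ROLE_I, pub_seen_by_bob, B))

    k_alice = shared_key(a, pub_seen_by_alice)
    k_bob = shared_key(b, pub_seen_by_bob)
    mallory_reads = attacker and shared_key(m, A) == k_alice and shared_key(m, B) == k_bob

    return {"alice_accepts": alice_accepts, "bob_accepts": bob_accepts,
            "keys_match": k_alice == k_bob, "mallory_reads": mallory_reads}


if __name__ == "__main__":
    key = b"assumed pre-shared key"
    print("opportunistic, no attacker :", exchange(None, attacker=False))
    print("opportunistic, MITM        :", exchange(None, attacker=True))
    print("PSK, MITM without the key  :", exchange(key, attacker=True))
    print("PSK, MITM holding the key  :", exchange(key, attacker=True, attacker_psk=key))
```

In the unauthenticated run both ends accept, their keys differ, and Mallory can compute both; with the pre-shared key a Mallory without it is rejected by both sides, while a Mallory who has it is accepted and reads the traffic, which is the "MITM that has the preshared secret" case and is also why Main Mode with a pre-shared key is not the same thing as manually keyed IPsec, where no exchange happens at all.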
From evyncke at cisco.com Wed Jun 30 12:24:42 1999
From: evyncke at cisco.com (Eric Vyncke)
Date: Wed, 30 Jun 1999 18:24:42 +0200
Subject: opportunistic routers?
In-Reply-To: <19990628173359.20026.qmail@burton-krahn.com>
Message-ID: <4.1.19990630182214.00a35af0@brussels.cisco.com>

Noel,

First have a look at my email address to notice that I'm biased ;-)

Cisco routers will support dynamic configuration of IPSec tunnels this summer. The only thing you need to be perfectly dynamic (no specific configuration) is just a X.509 certificate per router to allow IKE authentication, then the IPSec configuration is dynamic.

Hope this helps and does not sound too sales ;-)

-eric

At 17:33 28/06/1999 +0000, Noel Burton-Krahn wrote:
>
>Searching, searching...
>
>I am looking for a router which does opportunistic encryption. That
>is, I want a router that will grab all unencrypted IP traffic and try
>to establish an encrypted connection (to another encrypting router) at
>its destination automatically without configuration. Anyone know of
>such a thing?
>
>I've been looking at VPN solutions like IPsec, ppp-over-ssh, and
>tunnel vision. All of these have the undesired property that I have
>to manually set up each encrypted connection, or use preshared secret
>keys between endpoints. I would like my router to set up encrypted
>connections automatically to destinations which support encryption.
>
>This may allow anyone to drop encrypted traffic on my VPN.
>That's ok
>for me; my firewall can drop unwanted traffic. I just want anyone to
>be able to encrypt IP traffic to me.
>
>If there's nothing out there, I may write something like this myself
>(under Linux). Is anyone else working on such a beast?
>
>Thanks for any advice you can give.
>
>--Noel
>

Eric Vyncke
Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458

From noel at burton-krahn.com Wed Jun 30 16:29:13 1999
From: noel at burton-krahn.com (Noel Burton-Krahn)
Date: 30 Jun 1999 20:29:13 -0000
Subject: opportunistic routers?
In-Reply-To: <4.1.19990630182214.00a35af0@brussels.cisco.com> (message from Eric Vyncke on Wed, 30 Jun 1999 18:24:42 +0200)
References: <4.1.19990630182214.00a35af0@brussels.cisco.com>
Message-ID: <19990630202913.16672.qmail@burton-krahn.com>

That sounds great, Eric.
Does this only work between Cisco routers, or are there other IPSec implementations which support dynamic encryption?

Another question: How does this handle packet protocols like UDP? Some other encrypting solutions wrap UDP in TCP, which increases latency.

--Noel

> First have a look at my email address to notice that I'm biased ;-)
>
> Cisco routers will support dynamic configuration of IPSec tunnels
> this summer. The only thing you need to be perfectly dynamic (no specific
> configuration) is just a X.509 certificate per router to allow
> IKE authentication, then the IPSec configuration is dynamic.
>
> Hope this helps and does not sound too sales ;-)
>
> -eric
>