L2TP security

Brad Kemp kemp at INDUSRIVER.COM
Fri Feb 25 15:21:05 EST 2000


At 11:26 AM 2/25/00 -0800, Nancy wrote:
>I need information on L2TP security.  As I understand, it combines the
>encryption power of PPTP with the packet authentication power of L2F.
>Vendor and IETF documents aren't answering all my questions.

>With IPSec, any number of security levels can be negotiated by selecting
>encryption and authentication algorithms, key lifetimes, etc.  Does the
>same capability exist within L2TP?

L2TP uses IPsec for encryption and integrity. It can use the IPsec
authentication mechanism.

>L2TP claims to offer a choice of encryption and authentication algorithms.
>I can't determine if the choice exists when establishing a tunnel or
>configuring a piece of equipment.  The latter seems rather restrictive
>since it locks the user into a single security scheme, no matter what the
>sensitivity of the data.

This will depend on the vendor. IPsec allows the encryption and authentication
to be negotiated. L2TP can use PPP authentication above the IPsec
authentication to support smartcards, RADIUS or other authentication
mechanisms.

>Are L2TP products from different vendors compatible?
They should be. There are bound to be a few interoperability problems here
and there, but most of the participants and recent bakeoffs have been
successful.

>In the case of PPTP, the Microsoft implementation has taken a lot of
>criticism.  Other vendors implementing PPTP solutions are quick to
>distance themselves.  Doesn't this mean that products would be incompatible?

PPTP has some design problems as far as security goes. Microsoft made them
worse by producing a less than stellar implementation. Many of the problems
are fixed in the later release from Microsoft; however, not all platforms
support the new version.
There are inherent problems with some of the things Microsoft did in the old
version (stateful compression and encryption on a lossy link, tiny window
sizes to overcome the stateful problem, using the same key in both
directions, allowing key rollback).
Most vendors will interoperate with Microsoft PPTP. In our case, if we
are at both ends, we drop into a mode that cures some of the PPTP ills; if not,
we speak Microsoft PPTP.

>Is an L2TP tunnel different from an IPSec tunnel?  Some of the wording of
>the documentation I have come across so far leads me to believe that L2TP
>establishes a virtual circuit, while IPSec uses standard packet switching.
>If this is the case, does L2TP offer any QoS or security characteristics
>derived from virtual circuit switching?

L2TP allows multiprotocol tunneling, alternative authentication, and any
other feature PPP has.  QOS and/or other virtual circuit switching features
are vendor specific.

>Thanks for your help!

>Nancy MacKay

Brad


--- -- --
Brad Kemp
Indus River Networks, Inc.                   BradKemp at indusriver.com
31 Nagog Park						 978-266-8122
Acton, MA 01720                              fax 978-266-8111
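An added illustration, not part of Brad's message or any vendor's code, of the "stateful compression and encryption on a lossy link" problem he lists: a toy Python simulation where RC4 stands in for the session stream cipher. The per-frame rekey in the second function is a hypothetical fix for contrast only, not MPPE's actual stateless-mode algorithm.

```python
import hashlib

def rc4_keystream(key: bytes):
    """Generator of RC4 keystream bytes; used here only as a stand-in stateful stream cipher."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]

def xor_stream(data: bytes, ks) -> bytes:
    """XOR data with the next len(data) bytes drawn from keystream generator ks."""
    return bytes(b ^ next(ks) for b in data)

def stateful_transfer(frames, key: bytes, lost: set):
    """One keystream for the whole session (the PPTP-style design).
    Frames whose index is in `lost` are dropped in transit. Once a frame is
    lost the receiver's keystream position lags the sender's, so every later
    frame decrypts to garbage until some out-of-band resync happens."""
    tx, rx = rc4_keystream(key), rc4_keystream(key)
    received = []
    for n, frame in enumerate(frames):
        ciphertext = xor_stream(frame, tx)   # sender always advances its keystream
        if n in lost:
            continue                         # frame dropped by the lossy link
        received.append(xor_stream(ciphertext, rx))
    return received

def stateless_transfer(frames, key: bytes, lost: set):
    """Hypothetical per-frame rekey: keystream derived from (session key, sequence
    number), so a lost frame does not desynchronise the frames that follow it."""
    received = []
    for n, frame in enumerate(frames):
        frame_key = hashlib.sha256(key + n.to_bytes(4, "big")).digest()
        ciphertext = xor_stream(frame, rc4_keystream(frame_key))
        if n in lost:
            continue
        received.append(xor_stream(ciphertext, rc4_keystream(frame_key)))
    return received

if __name__ == "__main__":
    # Constructed sample frames and a constructed session key; frame 1 is lost in transit.
    frames, key = [b"frame0", b"frame1", b"frame2"], b"constructed-session-key"
    print("stateful :", stateful_transfer(frames, key, {1}))   # frame2 comes out garbled
    print("stateless:", stateless_transfer(frames, key, {1}))  # frame0 and frame2 intact
```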

VPN is sponsored by SecurityFocus.COM
