Quick strange question

JJArms Member Posts: 22
Hello All,

Strange question for you:

I am currently studying for the SY0-201 and as of right now I am reading up on tunneling protocols.

The currently used tunneling protocols are L2TP, PPP, SSH and IPSec (feel free to correct me by the way as I want to know this, not just pass a test).

Now here comes my question -- whenever there is mention of L2TP it is always tied in with IPSec; now I know that L2TP is just a pure tunneling protocol and IPSec can do the authentication.

However, IPSec can do the tunneling and the authentication, so why would a company use L2TP?

Regards,

JJArms~

Comments

  • nevolved Member Posts: 131
    L2TP = Protocol independent, can be used on ip, ipx, etc etc
    IPSec = Only IP packets
    L2TP/IPSec would be used for VPNs, dial-in or persistent connections, so ALL your data has AH/ESP used on it.

    IPSec could be tied with a single application, like RDP, then RDP would have AH/ESP applied to it, but ONLY RDP, not all the data you are transferring (like in a VPN).

    I've never tried to define these like this, so if I'm at all wrong please correct me :).
  • dynamik Banned Posts: 12,312
    Also, IPsec doesn't technically tunnel. It supports tunnel mode and transport mode, and that refers to how the security associations work. You typically use tunnels to create site-to-site links that do not support L2TP/IPsec.

    http://technet.microsoft.com/en-us/library/cc786385.aspx
    RFC 2401 wrote:
    A Security Association (SA) is a simplex "connection" that affords
    security services to the traffic carried by it. Security services
    are afforded to an SA by the use of AH, or ESP, but not both. If
    both AH and ESP protection is applied to a traffic stream, then two
    (or more) SAs are created to afford protection to the traffic stream.
    To secure typical, bi-directional communication between two hosts, or
    between two security gateways, two Security Associations (one in each
    direction) are required.

    A security association is uniquely identified by a triple consisting
    of a Security Parameter Index (SPI), an IP Destination Address, and a
    security protocol (AH or ESP) identifier. In principle, the
    Destination Address may be a unicast address, an IP broadcast
    address, or a multicast group address. However, IPsec SA management
    mechanisms currently are defined only for unicast SAs. Hence, in the
    discussions that follow, SAs will be described in the context of
    point-to-point communication, even though the concept is applicable
    in the point-to-multipoint case as well.

    As noted above, two types of SAs are defined: transport mode and
    tunnel mode. A transport mode SA is a security association between
    two hosts. In IPv4, a transport mode security protocol header
    appears immediately after the IP header and any options, and before
    any higher layer protocols (e.g., TCP or UDP). In IPv6, the security
    protocol header appears after the base IP header and extensions, but
    may appear before or after destination options, and before higher
    layer protocols. In the case of ESP, a transport mode SA provides
    security services only for these higher layer protocols, not for the
    IP header or any extension headers preceding the ESP header. In the
    case of AH, the protection is also extended to selected portions of
    the IP header, selected portions of extension headers, and selected
    options (contained in the IPv4 header, IPv6 Hop-by-Hop extension
    header, or IPv6 Destination extension headers). For more details on
    the coverage afforded by AH, see the AH specification [KA98a].

    A tunnel mode SA is essentially an SA applied to an IP tunnel.
    Whenever either end of a security association is a security gateway,
    the SA MUST be tunnel mode. Thus an SA between two security gateways
    is always a tunnel mode SA, as is an SA between a host and a security
    gateway. Note that for the case where traffic is destined for a
    security gateway, e.g., SNMP commands, the security gateway is acting
    as a host and transport mode is allowed. But in that case, the
    security gateway is not acting as a gateway, i.e., not transiting
    traffic. Two hosts MAY establish a tunnel mode SA between
    themselves. The requirement for any (transit traffic) SA involving a
    security gateway to be a tunnel SA arises due to the need to avoid
    potential problems with regard to fragmentation and reassembly of
    IPsec packets, and in circumstances where multiple paths (e.g., via
    different security gateways) exist to the same destination behind the
    security gateways.

    For a tunnel mode SA, there is an "outer" IP header that specifies
    the IPsec processing destination, plus an "inner" IP header that
    specifies the (apparently) ultimate destination for the packet. The
    security protocol header appears after the outer IP header, and
    before the inner IP header. If AH is employed in tunnel mode,
    portions of the outer IP header are afforded protection (as above),
    as well as all of the tunneled IP packet (i.e., all of the inner IP
    header is protected, as well as higher layer protocols). If ESP is
    employed, the protection is afforded only to the tunneled packet, not
    to the outer header.

    In summary,
    a) A host MUST support both transport and tunnel mode.
    b) A security gateway is required to support only tunnel
    mode. If it supports transport mode, that should be used
    only when the security gateway is acting as a host, e.g.,
    for network management.

    http://www.ietf.org/rfc/rfc2401.txt
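    As an added illustration of the RFC excerpt above (example code, not part of this thread or of any project), the Python below parses constructed IPsec packets, pulls out the SA triple the RFC names (SPI, destination address, AH or ESP), and decides transport versus tunnel mode from AH's Next Header field. It also shows the caveat that ESP hides the mode on the wire, since its Next Header is in the encrypted trailer. All packet bytes, SPIs and addresses are constructed samples.

    ```python
    import struct
    from ipaddress import IPv4Address

    # IP protocol numbers (IANA): IP-in-IP, TCP, ESP, AH
    IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51

    def ipv4_header(src, dst, proto, payload_len):
        """Minimal 20-byte IPv4 header, no options; checksum left zero (constructed sample)."""
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)

    def ah_header(next_hdr, spi, seq, icv=b"\x00" * 12):
        """RFC 2402 AH header: Next Header, Payload Len (32-bit words minus 2), reserved, SPI, seq, ICV."""
        payload_len = (12 + len(icv)) // 4 - 2
        return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

    def classify(pkt):
        """Return the SA triple (SPI, destination, protocol) and the mode visible from the outer headers."""
        ihl = (pkt[0] & 0x0F) * 4
        proto, dst, body = pkt[9], str(IPv4Address(pkt[16:20])), pkt[ihl:]
        if proto == IPPROTO_AH:
            # AH's Next Header is in the clear: 4 means an inner IP header follows (tunnel mode)
            mode = "tunnel" if body[0] == IPPROTO_IPIP else "transport"
            return {"protocol": "AH", "spi": struct.unpack("!I", body[4:8])[0], "dst": dst, "mode": mode}
        if proto == IPPROTO_ESP:
            # ESP's Next Header sits in the encrypted trailer, so the mode is not visible on the wire
            return {"protocol": "ESP", "spi": struct.unpack("!I", body[:4])[0], "dst": dst, "mode": "hidden"}
        return {"protocol": proto, "spi": None, "dst": dst, "mode": "none"}

    def build_samples():
        """Constructed packets: AH transport (host to host), AH tunnel (gateway to gateway), ESP."""
        tcp = b"\x00" * 20                                  # placeholder TCP segment
        inner = ipv4_header("10.0.1.5", "10.0.2.9", IPPROTO_TCP, len(tcp)) + tcp
        transport = ah_header(IPPROTO_TCP, 0x100, 1) + tcp
        tunnel = ah_header(IPPROTO_IPIP, 0x200, 1) + inner
        esp = struct.pack("!II", 0x300, 1) + b"\x00" * 16   # SPI, seq, then opaque ciphertext
        return {
            "ah_transport": ipv4_header("10.0.1.5", "10.0.2.9", IPPROTO_AH, len(transport)) + transport,
            "ah_tunnel": ipv4_header("198.51.100.1", "203.0.113.1", IPPROTO_AH, len(tunnel)) + tunnel,
            "esp": ipv4_header("198.51.100.1", "203.0.113.1", IPPROTO_ESP, len(esp)) + esp,
        }

    if __name__ == "__main__":
        for name, pkt in build_samples().items():
            print(name, classify(pkt))
    ```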
  • JJArms Member Posts: 22
    Thanks for the feedback so far!

    Just goes to show there is a world of difference between reading about tunneling protocols and real life applications of the tunneling protocols.

    It also shows me how much of a starting point this CompTIA exam truly is.

    Regards,

    JJArms~