--On Monday, 17 January, 2000 08:47 -0800 Merton Campbell Crockett
<[EMAIL PROTECTED]> wrote:
> At the Microsoft Federal Security Conference last year, Microsoft had a
> presentation on L2TP and IPsec. L2TP does use an IPsec encryption scheme
> but does not provide a virtual connection in the same sense as SSH.
One of the goals with IPsec was to support non-connection-oriented
services (such as UDP). If one can use transport mode, and the
implementation(s) support a reasonable way to configure the desired
policy, then one can get a "virtual connection." If you mean connection
forwarding as SSH does, then one could use tunnel mode.
> SSH allows you to establish a secure communication path to the target
> system. It only affects packets destined for the target system, i.e. you
> retain connectivity to your local network and access to your local
> network resources.
Isn't the secure communications path only for TCP streams for which one
has set up forwarding?
And I think one can get user authentication with IPsec, albeit with
constraints: use of IKE, transport mode, and certificates. There has
been discussion of how to use other authentication mechanisms
within IKE, such as the use of OpenPGP keys. In particular, there is
a draft on the use of GSS-API to authenticate the Diffie-Hellman
exchange, which would allow the use of whatever authentication
scheme is available with GSS-API (such as Kerberos in many
cases).
-paul
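As an added illustration of the transport-mode versus tunnel-mode policies Paul contrasts above (this is not part of the original message), here is a KAME-style setkey(8) SPD fragment. The addresses, the port, the choice of ESP, and the "require" level are assumptions for the example; the SAs themselves would be negotiated by IKE, so no manual SAD entries appear.

```conf
# Transport mode: protect traffic between two end hosts directly.
# "any" covers every upper-layer protocol, so UDP is protected as well
# as TCP, which is the "virtual connection" that SSH forwarding lacks.
spdadd 192.0.2.10 192.0.2.20 any -P out ipsec esp/transport//require;
spdadd 192.0.2.20 192.0.2.10 any -P in  ipsec esp/transport//require;

# Transport mode narrowed to one service: only TCP to port 22 on the
# peer is required to be encrypted, roughly what an SSH session gives.
spdadd 192.0.2.10[any] 192.0.2.20[22] tcp -P out ipsec esp/transport//require;
spdadd 192.0.2.20[22] 192.0.2.10[any] tcp -P in  ipsec esp/transport//require;

# Tunnel mode: forward whole networks through a gateway pair, the IPsec
# analogue of forwarding connections, but for every protocol.
spdadd 10.1.0.0/16 10.2.0.0/16 any -P out ipsec esp/tunnel/192.0.2.10-192.0.2.20/require;
spdadd 10.2.0.0/16 10.1.0.0/16 any -P in  ipsec esp/tunnel/192.0.2.20-192.0.2.10/require;
```

The fragment would be loaded with `setkey -f`, and an IKE daemon on each host would then negotiate the ESP SAs when matching traffic appears. The comparison with SSH in the thread is visible in the second pair of rules: an `ssh -L` forward likewise protects only the one TCP stream it was set up for, whereas the `any` rules in the first and third pairs also cover UDP and other non-connection-oriented traffic, which is the point Paul makes about IPsec's design goals.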