On 09/19/2014 01:18 AM, Mark Townsley wrote:
Another lesson learned was exposing two passwords to the user vs. one. In a retail/wholesale LAC/LNS deployment model, it made perfect sense for the L2TP tunnel to have a password separate from the PPP user password (and L2TP fully supplanted L2F in these types of deployments). But when the L2TP tunnel and the PPP session are are at the same point it just looks redundant to the end user to have separate security config for each (let alone IPsec on top). Knowing the difference between a tail and a dog is important[1], and it was a very bad idea to let the protocol design influence the UI. In retrospect, allowing one protocol to bootstrap the security in another would have been a good thing for us to have considered more.
If we are going to be using a password as the root means of providing authorization to participate in routing or not, we can't use the same password that is used for access control to my network (wpa2), or to another network in your example (ppp, l2tp) or any derived value of it. I don't want my local users or much worse -- my ISP's -- to be able derive a key they already possess for one reason, and be able have at my infrastructure's control plane.
Best of all would not to use passwords altogether, cf the zillions of hacks on trivially guessable passwords ("MyDoGsPoT").
Mike
_______________________________________________ homenet mailing list [email protected] https://www.ietf.org/mailman/listinfo/homenet
