
Using L2TP [RE: Need for TSP? RE: Tunneling scenarios and mechanisms evaluation]



On Fri, 12 Mar 2004, Soliman Hesham wrote:
>  > Hesham,
>  > As you are saying, if it's already there (L2TP
>  > infrastructure), then this 
>  > route can certainly make sense. But if an ISP doesn't have an L2TP 
>  > infrastructure, deploying a tunnel broker solution is simpler.
> 
> => Respectfully disagree. Many hosts already have L2TP; 
> you're asking them to implement another protocol. 
> If the operator doesn't have it, he can get it; it's 
> already available in products. An existing protocol that 
> is already implemented is better than standardising 
> a new protocol because it might be simpler to implement.

I looked at different L2TP approaches a bit.

An important thing to note is that L2TP only offers control-plane 
security, no data-plane security.  For the latter, you need IPsec as 
well.

L2TP appears very heavyweight (even the spec is over 100 pages) for
this specific purpose, especially for some scenarios -- e.g., 3GPP
network for UE tunneling.

So, my personal gut feeling at this point is that L2TP is probably
applicable in the environments which already have the machinery in
place, but is a pain to set up, and has significant complexity and
overhead which are probably drawbacks in a few scenarios at least.

We could actually achieve more than L2TP simply with IPsec with NAT
traversal (as outlined in a separate thread previously) -- but there
are some issues here to be investigated -- the biggest problem AFAICS
is the implementation status.  But I'm not certain this is a feasible
approach in all the scenarios either...

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
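The control-plane versus data-plane point in the message above can be seen directly on the wire. Below is an added example, not code from the original message or from any L2TP implementation: a small L2TPv2 (RFC 2661) header and AVP parser, run over two constructed packets. The SCCRQ control message carries a Challenge AVP (attribute type 11) and can mark AVPs as hidden, which is where L2TP's own tunnel authentication lives; the data message is just a 6-byte header in front of a cleartext PPP frame, with no authentication or confidentiality field at all, so anything protecting it has to come from an outer layer such as IPsec. The tunnel ID, hostname and challenge bytes are made up for the example.

```python
import struct

# L2TPv2 (RFC 2661) flag bits in the first 16-bit word of the header
T_BIT = 0x8000   # 1 = control message, 0 = data message
L_BIT = 0x4000   # Length field present (mandatory for control messages)
S_BIT = 0x0800   # Ns/Nr sequence fields present (mandatory for control messages)
O_BIT = 0x0200   # Offset Size field present
VER_MASK = 0x000F  # version, must be 2 for L2TPv2

# AVP attribute types used below (RFC 2661 section 4.4) and the SCCRQ message type
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME = 0, 2, 7
AVP_ASSIGNED_TUNNEL_ID, AVP_CHALLENGE = 9, 11
MSG_SCCRQ = 1


def parse_avps(body):
    """Walk the AVP list of a control message; returns a list of dicts."""
    avps, off = [], 0
    while off < len(body):
        flags_len, vendor, attr = struct.unpack_from("!HHH", body, off)
        length = flags_len & 0x03FF          # low 10 bits: total AVP length
        if length < 6 or off + length > len(body):
            raise ValueError("malformed AVP length")
        avps.append({
            "mandatory": bool(flags_len & 0x8000),  # M bit
            "hidden": bool(flags_len & 0x4000),     # H bit: value is obscured with the tunnel secret
            "vendor": vendor,
            "type": attr,
            "value": body[off + 6:off + length],
        })
        off += length
    return avps


def parse_l2tp(pkt):
    """Parse one L2TPv2 packet (the UDP payload) into a header dict."""
    flags, = struct.unpack_from("!H", pkt, 0)
    if flags & VER_MASK != 2:
        raise ValueError("not an L2TPv2 packet")
    off, hdr = 2, {"control": bool(flags & T_BIT)}
    if flags & L_BIT:
        hdr["length"], = struct.unpack_from("!H", pkt, off)
        off += 2
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & S_BIT:
        hdr["ns"], hdr["nr"] = struct.unpack_from("!HH", pkt, off)
        off += 4
    if flags & O_BIT:
        offset_size, = struct.unpack_from("!H", pkt, off)
        off += 2 + offset_size
    body = pkt[off:hdr.get("length", len(pkt))]
    if hdr["control"]:
        hdr["avps"] = parse_avps(body)   # control plane: structured AVPs, may include Challenge
    else:
        hdr["payload"] = body            # data plane: raw PPP frame, no protection fields
    return hdr


def security_fields(hdr):
    """Which L2TP-level protection is visible in this packet: only the control plane has any."""
    if not hdr["control"]:
        return {"plane": "data", "challenge": False, "hidden_avps": 0}
    return {
        "plane": "control",
        "challenge": any(a["type"] == AVP_CHALLENGE for a in hdr["avps"]),
        "hidden_avps": sum(1 for a in hdr["avps"] if a["hidden"]),
    }


# --- constructed sample packets (not captured traffic) ---
def build_avp(attr, value, mandatory=True):
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), 0, attr) + value


def build_control(tunnel_id, ns, nr, avps):
    body = b"".join(avps)
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body), tunnel_id, 0, ns, nr) + body


def build_data(tunnel_id, session_id, ppp_frame):
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame


SCCRQ = build_control(0, 0, 0, [
    build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_SCCRQ)),
    build_avp(AVP_PROTOCOL_VERSION, b"\x01\x00"),
    build_avp(AVP_HOST_NAME, b"lac.example"),          # hypothetical hostname
    build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", 42)),
    build_avp(AVP_CHALLENGE, bytes(range(16))),        # fixed, made-up challenge
])
PPP_IP_FRAME = b"\xff\x03\x00\x21" + b"\x45\x00\x00\x14"  # PPP HDLC + IP protocol, truncated IP header
DATA = build_data(42, 7, PPP_IP_FRAME)

if __name__ == "__main__":
    for name, pkt in (("SCCRQ", SCCRQ), ("DATA", DATA)):
        print(name, security_fields(parse_l2tp(pkt)))
```

The parser is deliberately strict about the AVP length field, since a bogus length is the usual way a malformed control message upsets an L2TP daemon; a real receiver should be equally careful. Running it shows the control message with its Challenge AVP and the data message with nothing but a tunnel/session ID and the PPP frame, which is the gap RFC 3193 (L2TP over IPsec) exists to fill.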