[j-nsp] Juniper and L2TPv3?
Fouant, Stefan A
stefan.fouant at mci.com
Sun Jan 16 10:42:18 EST 2005

> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of David Gethings
>
> On Fri, 2005-01-14 at 09:23 +0000, David Gethings wrote:
> > Not sure that the M series does but I am sure the E series does.
> Forget that. I'm totally wrong. I believe it's not supported.

Juniper M Series does not support L2TPv3 at this time, and there is no
roadmap for it anytime in the near future. Believe me, we've been
bugging them to support this for quite some time.

> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Shane Amante
>
> In the end, L2TPv3 is just another tool in the toolbox. With respect
> to securing GRE, RFC2890 proposes a 4-Byte key & sequence numbers for
> GRE packets, which arguably provides equivalent security to L2TPv3
> Session ID's & Cookies -- however, I can't tell if Juniper implements
> RFC2890.

RFC 2890 is still only 32 bits when compared to L2TPv3's 32 bit sequence
and 32 bit key for a total of 64 bits, definitely more secure than GRE
w/ 2890. As for support, I recently beta tested RFC 2890 support for
Juniper and it should be introduced in JUNOS 7.1.

> Finally, one could put MPLS [PWE3|2547] in GRE in IPsec (possibly back
> in MPLS, for fun :-). This probably already works on Junipers -- I
> haven't played with it, but they've got all the protocols there :-).
> Although this will give you excellent security (assuming IPsec
> encryption/authentication of payloads) and may be useful in some
> limited situations, it is certainly a complex design with a lot of
> overhead and, IMO, it would be difficult to deploy, and maintain, on a
> medium- to large-scale.

I've done this and it works... (2547 in GRE in IPSec, back into MPLS for
TE) and it is fun ;)

Stefan Fouant
Senior Network Engineer
UUNET / MCU
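
Added example, not part of the original message or of any Juniper code: a Python sketch of the GRE header with the optional RFC 2890 Key and Sequence Number fields discussed in the thread, plus a receiver that drops packets whose key does not match or whose sequence number is not newer than the last one accepted. The key value, payloads and the simplified drop policy (no reorder buffer, checksum not verified) are assumptions made for illustration.

```python
import struct
# Flag bits in the first 16-bit word of the GRE header (RFC 2784 / RFC 2890).
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000

def build_gre(proto, payload, key=None, seq=None):
    """Encapsulate payload; Key and Sequence Number are the optional RFC 2890 fields."""
    flags = (GRE_K if key is not None else 0) | (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    for field in (key, seq):          # wire order: Key, then Sequence Number
        if field is not None:
            hdr += struct.pack("!I", field)
    return hdr + payload

def parse_gre(pkt):
    """Return (proto, key, seq, payload); raise ValueError on a malformed header."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    need = 4 + 4 * sum(bool(flags & b) for b in (GRE_C, GRE_K, GRE_S))
    if len(pkt) < need:
        raise ValueError("truncated optional fields")
    # C adds Checksum + Reserved1 (4 bytes), skipped here without verification.
    off, key, seq = (8 if flags & GRE_C else 4), None, None
    if flags & GRE_K:
        (key,) = struct.unpack_from("!I", pkt, off)
        off += 4
    if flags & GRE_S:
        (seq,) = struct.unpack_from("!I", pkt, off)
    return proto, key, seq, pkt[need:]

class GreReceiver:
    """Simplified policy (assumption): drop on key mismatch, missing or stale sequence."""
    def __init__(self, expected_key):
        self.expected_key, self.last_seq = expected_key, None
    def accept(self, pkt):
        try:
            proto, key, seq, payload = parse_gre(pkt)
        except ValueError:
            return None
        if key != self.expected_key or seq is None:
            return None
        if self.last_seq is not None:
            ahead = (seq - self.last_seq) & 0xFFFFFFFF   # distance modulo 2^32
            if ahead == 0 or ahead >= 0x80000000:
                return None           # replayed, or older than the last accepted packet
        self.last_seq = seq
        return payload
```

Both fields are carried in cleartext in the GRE header, so this check filters misdelivered or stale packets; payload confidentiality and authentication still come from a layer such as the IPsec encapsulation mentioned in the thread.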