* Ed wrote on Fri, Jun 29, 2001 at 21:21 -0700:
PPTP protocol, as a minimum. The system should allow the user to switch between IPSec VPN and non-VPN without need of rebooting the laptop.
This sentence is interesting... Why booting?! Even Win2K does not need to reboot for mouse-movement changes to take effect...
The system will only pass IP based protocols between the laptop passenger interface and the file server. Passenger laptops will be assigned default gateway address via DHCP. The default gateway should reside in the server.
Well, DHCP is pretty clear. But a gateway in a server? I don't understand it.
The system will by default, route user outbound packets to a configurable gateway."
Who configures what gateway?
Is it feasible to support IPSec from a passenger's laptop when implementations of IPSec vary and either ESP or AH modes might be used?
First, when offering IP routeing (even when the connection verhicle-satelite-some-center is IPSec or whatever transparent encrypted) a user can do IPSec on it's own to it's own server (IPSec is just an IP protocol). Second, it's not necessary that the passengers have a tunnel from laptop to some implementation of the transportation thing, I don't see a reason for that, but who knows :)
If feasible what performance hit would be involved? I have heard estimates of 40% when encryption is used (mileage may vary I suppose based on CPU speed and resources).
No, you cannot say it so. If you have a E1 (2Mbit) uplink you can fill taht with IPSec, too. Of course not with an i486 :) If you have more bandwidth, you need fast machines, maybe hardware-accelerated and so. Of course the delay timeings become larger. If not the link but the computing power is the limit, of course bandwidth get lost, pretty clear.
I assumed that a "default gateway at the server" implied that the IPSec pipe started or ended there.
Well, you should make such things clear. Was that spec a final or development version?
Since the transportation manufacturer called out other security requirements to the passenger seat, I assumed that IPSec to the seat was not required.
It's always hard to make assumptions after reading a spec. You should try to consult that company to know what they assume from it's own spec.
Examples of requested security: "Multiple passengers will not be connected to shared physical media. Laptop users will not be permitted to view packets from another user's network session.
Is a switch enough?
Each passenger's laptop's user interface will be isolated to its own link layer subnetwork. The passenger laptop will not be able to access unauthorized IP address.
Probably not, or at least some clever switch...
The system will be immune to DoS attacks.
Really? Nice. :)
The server will ensure that passenger laptop's can only pass packets with that user's assigned IP address."
By verifing hardware address? Or require them each client on an own wire to an own net adapter/card?
1) "Does the transportation manufacturer really want IPSec extended directly to the passenger's laptop?"
Ask him :) Who whould know that... Well, it a spec is not telling that, the spec it not good. Anyway, you have to talk with them, since a spec is theory and business is practice :)
2) "Would it even be feasible to automate re configuration of IPSec software running on a passenger laptop to avoid compatibility issues?"
Should the passenger IPSec interact with the vehicle system? For what reason? How do transport company and customer should exchange keys and so on? I don't get the idea and advantages of that... I would call them by phone :)
3) "What would the performance cost be of running ESP or AH IPSec on a laptop that might also be viewing an MPEG2 movie, web browsing or playing a game?"
On which bandwidth? On ISDN (64Kbit), I wouldn't see any problem, on E1 (2Mbit) it would get viewable slower (on ordinary laptops) and E3 (34M) the laptop would use any power for encryption/decryption (I think a intel PC isn't able to 3DES 34M datastream for IPSec). oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.