LEAP more secure than IPSec?!?

PostPosted: Thu Sep 25, 2003 12:05 pm
by WiFiLinux
Hi All,

Has anyone seen this article? I am not a VPN expert but I thought that IPSec could do dynamic key exchange after a tunnel was established. The author seems to think that LEAP is more secure than IPSec. Can someone please give me a reality check on this?


PostPosted: Thu Sep 25, 2003 9:58 pm
by Madhadder
Check the Cisco site for better info. There are also many
presentations, whitepapers, etc. about LEAP on the net, even
here if you search....

LEAP is only part of the overall picture if you use Cisco gear.
In addition, LEAP generates dynamic WEP keys on a per-user
basis, and changes them every 30 sec or so. Add LEAP to the
other Cisco weirdness and you have one very secure network..

PS: LEAP is only available on Cisco gear; anything else is a hack.

PostPosted: Mon Sep 29, 2003 10:28 am
by WiFiLinux
Thanks Madhadder,

I was really inquiring about IPSec’s ability to re-key after a tunnel has been established. I have done some research and can now verify that IPSec can re-key an existing tunnel (contrary to what the above website states). I should have posted this in the miscellaneous/off topic section. Sorry for any confusion

PostPosted: Mon Sep 29, 2003 10:32 am
by nashr
Madhadder, good summation.

WiFiLinux, I see your point. Do you have a link for your findings? Thanks.

I work with the author of that website. He doesn't follow this site at all, as you can see by his number of postings. I'll pass along that others have been reading his work.

PostPosted: Mon Sep 29, 2003 6:50 pm
by WiFiLinux
Hi Nashr,

I found the information in the book “IPSec The New Security Standard for the Internet, Intranets, and Virtual Private Networks”. What I am referring to is the ability for IKE to create and tear down security associations (SA) during an IPSec VPN session. I found this information on page 112 of the text which says:

“In addition to those mandatory attributes there are also optional attributes that may be negotiated as part of a protection suite. Foremost among these optional attributes is a lifetime. The lifetime attribute determines how long the IKE SA exists. The longer an IKE SA exists, the greater the risk of leakage of its key, so an implementation is encouraged to include lifetimes in the protection suites offered to peers.”

If the manufacturer does not implement IKE lifetime settings in their device then the aforementioned web page would be correct in stating that LEAP encryption is more secure than IPSec; however, I think that most of them do. I have worked with the Nortel Networks Contivity product to a limited extent and have seen re-keying as an option based on time, or on the amount of data transferred. Sorry, I don’t have links to this data other than the RFC, which is not a fun read.

Again, I’m not an IPSec / VPN expert, so if someone has information contradicting me please post it, as I am very interested in learning more about this topic.

Thank you,
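
The post above describes IPsec SAs being re-keyed on a time lifetime or a byte lifetime. The following is an added example, not code from the thread or from any vendor's product: a small Python model of that lifetime mechanism. It goes a little beyond the post in one respect that most implementations share: the SA is re-keyed at a "soft" fraction of the limit so a replacement is in place before the "hard" limit, after which the old key must not be used. All class, field and function names (SaPolicy, ChildSa, Tunnel, run_sample) and the sample traffic are assumptions made up for the illustration.

```python
"""Added example, not from the thread or any vendor: a minimal model of the
IPsec SA lifetime mechanism. An SA carries a time lifetime and a byte
lifetime; the tunnel re-keys at a soft fraction of either limit and treats
the hard limit as expiry. All names are illustrative, not a product API."""

import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class SaPolicy:
    lifetime_seconds: float      # hard time limit for one SA
    lifetime_bytes: int          # hard volume limit for one SA
    soft_fraction: float = 0.9   # re-key once either counter passes this share


@dataclass
class ChildSa:
    spi: int
    key: bytes
    created_at: float
    bytes_protected: int = 0


def sa_status(sa: ChildSa, policy: SaPolicy, now: float) -> str:
    """'ok', 'rekey' (soft limit crossed) or 'expired' (hard limit crossed)."""
    age = now - sa.created_at
    if age >= policy.lifetime_seconds or sa.bytes_protected >= policy.lifetime_bytes:
        return "expired"
    if (age >= policy.soft_fraction * policy.lifetime_seconds
            or sa.bytes_protected >= policy.soft_fraction * policy.lifetime_bytes):
        return "rekey"
    return "ok"


class Tunnel:
    """One direction of an IPsec tunnel: tracks the active SA and re-keys it."""

    def __init__(self, policy: SaPolicy, keygen: Callable[[int], bytes] = os.urandom):
        self.policy = policy
        self.keygen = keygen              # stands in for the IKE key derivation
        self.sa: Optional[ChildSa] = None
        self.next_spi = 1
        self.soft_rekeys = 0
        self.hard_expirations = 0

    def _install(self, now: float) -> None:
        # Fresh key per SA: a leaked key only exposes one lifetime's worth of traffic
        self.sa = ChildSa(spi=self.next_spi, key=self.keygen(32), created_at=now)
        self.next_spi += 1

    def protect(self, payload_len: int, now: float) -> int:
        """Account one outbound packet; return the SPI it would be sent under."""
        if self.sa is None:
            self._install(now)
        status = sa_status(self.sa, self.policy, now)
        if status == "expired":
            # Hard limit hit before a re-key (e.g. an idle gap longer than the
            # lifetime): the old SA is deleted and a new one negotiated.
            self.hard_expirations += 1
            self._install(now)
        elif status == "rekey":
            self.soft_rekeys += 1
            self._install(now)
        self.sa.bytes_protected += payload_len
        return self.sa.spi


# Constructed sample traffic: (timestamp in seconds, payload bytes)
SAMPLE_POLICY = SaPolicy(lifetime_seconds=3600, lifetime_bytes=100_000_000)
SAMPLE_EVENTS: List[Tuple[float, int]] = [
    (0, 1_000),           # first packet creates SA 1
    (1_800, 1_000),       # half the time lifetime: still SA 1
    (3_300, 1_000),       # past 90% of 3600 s: time-based re-key to SA 2
    (3_400, 95_000_000),  # bulk transfer counted against SA 2
    (3_500, 1_000),       # past 90% of the byte limit: volume-based re-key to SA 3
    (20_000, 1_000),      # idle longer than the lifetime: SA 3 expired, SA 4 installed
]


def run_sample(events=SAMPLE_EVENTS, policy=SAMPLE_POLICY):
    """Run the sample traffic; return (SPI per packet, soft re-keys, hard expirations)."""
    tunnel = Tunnel(policy)
    spis = [tunnel.protect(n, t) for t, n in events]
    return spis, tunnel.soft_rekeys, tunnel.hard_expirations


if __name__ == "__main__":
    print(run_sample())  # ([1, 1, 2, 2, 3, 4], 2, 1)
```

The point of the soft threshold is that a re-key is an IKE exchange that takes time; starting it before the hard limit means traffic never has to stop, and a device that only enforced the hard limit would either stall or keep using a key past its agreed lifetime.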

PostPosted: Mon Oct 27, 2003 2:08 pm
by WiFiLinux
Hi Nashr,

I ran across this on the web and recalled this thread.

The IPsec Tunnel
"Once the Diffie-Hellman tunnel has been brought up, the IPsec process can begin. For the most part, there is little that needs to be done. You will provide the basic framework for the tunnel and the routers negotiate the specifics. The reason why the keys are negotiated between the routers is because a secure network requires the keys to expire occasionally. Every so often, the routers will renegotiate the keys and the tunnel continues on."

This is a really good high level explanation of IPSec and encryption in general.

I Hope this was helpful.