Transcript L2TP

Layer 2 Tunneling Protocol
(L2TP)
•
•
An example of network layer VPN: use IP packets to
encapsulate Layer 2 frames
Previous RFC (v2)
RFC2661 Layer Two Tunneling Protocol L2TP W.
Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn,
B. Palter. August 1999 (PROPOSED STANDARD)
A standard method for tunneling Point-to-Point Protocol (PPP)
[RFC1661] sessions
-
T. A. Yang
Note: L2TP has since been adopted for tunneling a number of
other L2 protocols (e.g., Ethernet, Frame Relay, etc).  L2TPv3
[RFC3931]
Network Security
1
Point-to-Point Protocol (PPP [RFC1661])
-
-
-
-
PPP defines an encapsulation mechanism for transporting
multiprotocol packets across layer 2 (L2) point-to-point links.
PPP relies on the Link Control Protocol (LCP) for establishing,
configuring, and testing the data-link connection.
It has a family of Network Control Protocols (NCPs) for
establishing and configuring different network-layer protocols.
Typically, a user obtains a L2 connection to a Network Access
Server (NAS) using one of a number of techniques (e.g., dialup
POTS, ISDN, ADSL, etc.) and then runs PPP over that connection.
Example: A customer uses a dialup modem or a DSL line to
connect to the ISP or the company’s modem pool.
Dial client (PPP peer)  PPP  NAS (e.g., ISP)
In such a configuration, the L2 termination point and PPP session
endpoint reside on the same physical device (i.e., the NAS).
T. A. Yang
Network Security
2
Layer 2 Tunneling Protocol
•
Types of L2TP Tunnels
1.
Compulsory L2TP Tunneling
The client is completely unaware of the presence of an L2TP connection.
The L2TP Access Concentrator (LAC) is aware of L2TP.
Figure 12-3: (client)  PPP + Data  (LAC)  L2TP + Data  (LNS)
T. A. Yang
Network Security
3
Layer 2 Tunneling Protocol
•
Types of L2TP Tunnels (cont.)
2.
Voluntary L2TP Tunneling
The client is aware of the presence of an L2TP connection.
The LAC is unaware of L2TP.
Figure 12-4: (client)  PPP + L2TP + Data  (LAC)  L2TP + Data 
(LNS)
T. A. Yang
Network Security
4
Layer 2 Tunneling Protocol (cont.)
•
L2TP
-
L2TP extends the PPP model by allowing the L2 and PPP
endpoints to reside on different devices interconnected by a
packet-switched network (PSN).
-
With L2TP, a user has an L2 connection to an L2TP access
concentrator (LAC, e.g., modem bank, ADSL DSLAM, etc.), and
the concentrator then tunnels individual PPP frames to the L2TP
Network Server (LNS).
Dial client (PPP peer)  PPP  LAC  L2TP tunnel  LNS
-
This allows the actual processing of PPP packets to be separated
from the termination of the L2 circuit.
T. A. Yang
Network Security
5
Layer 2 Tunneling Protocol (cont.)
•
T. A. Yang
A typical L2TP scenario (from RFC2661)
Network Security
6
Layer 2 Tunneling Protocol (cont.)
RFC3931 Layer Two Tunneling Protocol - Version 3
(L2TPv3) J. Lau, Ed., M. Townsley, Ed., I. Goyret,
Ed. March 2005 (PROPOSED STANDARD)
L2TPv3 defines the base control protocol and encapsulation
for tunneling multiple Layer 2 connections between two
IP nodes.
L2TPv3 consists of
(1) the control protocol for dynamic creation, maintenance,
and teardown of L2TP sessions, and
(2) the L2TP data encapsulation to multiplex and
demultiplex L2 data streams between two L2TP nodes
across an IP network.
T. A. Yang
Network Security
7
Layer 2 Tunneling Protocol (cont.)
•
L2TP (according to TheFreeDictionary, http://computingdictionary.thefreedictionary.com/L2TP)
•
A protocol from the IETF that allows a PPP session to travel over
multiple links and networks. (Note: a limitation of L2TPv2)
•
L2TP is used to allow remote users access to the corporate
network.
•
PPP is used to encapsulate IP packets from the user's PC to the
ISP, and L2TP extends that session across the Internet.
•
L2TP was derived from Microsoft's Point-to-Point Tunneling
Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F) technology.
T. A. Yang
Network Security
8
Layer 2 Tunneling Protocol (cont.)
•
From Access Concentrator to Network Server
•
•
•
The "L2TP Access Concentrator" (LAC) encapsulates PPP frames with
L2TP headers and sends them over the Internet as UDP packets (or over
an ATM, frame relay or X.25 network).
At the other end, the "L2TP Network Server" (LNS) terminates the PPP
session and hands the IP packets to the LAN. L2TP software can also be
run in the user's PC.
Carriers also use L2TP to offer remote points of presence (POPs) to
smaller ISPs. Users in remote locations dial into the carrier's local modem
pool, and the carrier's LAC forwards L2TP traffic to the ISP's LNS.
user  original IP packet (p)  PPP+p  LAC  L2TP+PPP+p  LNS
•
L2TP and IPsec
•
T. A. Yang
L2TP does not include encryption (as does PPTP), but is often used with
IPsec in order to provide virtual private network (VPN) connections from
remote users to the corporate LAN.
Network Security
9
L2TP Operations
•
Assumptions: Compulsory tunneling
•
The Procedure:
1.
2.
3.
4.
5.
•
The Client initiates a PPP connection to the LAC.
The LAC does LCP negotiation with the client, and challenges the client for
authentication credentials.
The client supplies the credentials (such as user name, domain name, password).
The LAC uses the domain name to ascertain which LNS it needs to contact (in the
case of multiple domains).
The LAC begins establishing an L2TP tunnel with the LNS.
Two Stages of L2TP Tunnel Setup:
1.
2.
–
T. A. Yang
Set up a control session between the LAC and the LNS.
Set up the actual L2TP tunnel for passing the data (aka. ‘creating the session’)
Notes:
•
Between a pair of LAC and LNS, there may exist multiple tunnels.
•
Across a single L2TP tunnel, there may exist multiple sessions.
Network Security
10
L2TP Tunnel Setup (from RFC2661)
T. A. Yang
Network Security
11
L2TP Operations
•
Control Connection Establishment
-
Securing the peer’s identity, identifying the peer’s L2TP
version, framing, etc.
1.
LAC  SCCRQ (start-control-connection-request)  LNS
2.
LAC  SCCRP (start-control-connection-reply  LNS
3.
LAC  SCCN (start-control-connection-connected  LNS
-------------------------------------------------------------------------------------LAC  ZLB ACK  LNS
The ZLB ACK is sent if there are no further messages waiting in queue for that
peer.
T. A. Yang
Network Security
12
L2TP Operations
•
Session Establishment
A session may be created after successful control connection is
established.
Each session corresponds to a single PPP stream between the
LAC and the LNS.
Session establishment is directional:
-
-
Incoming call: The LAC asks the LNS to accept a session;
Outgoing call: The LNS asks the LAC to accept a session
Incoming Call Establishment:
1.
LAC  ICRQ (Incoming-Call-Request)  LNS
2.
LAC  ICRP (Incoming-Call-Reply  LNS
3.
LAC  ICCN (Incoming-Call-Connected  LNS
-------------------------------------------------------------------------------------LAC  ZLB ACK  LNS
The ZLB ACK is sent if there are no further messages waiting in queue for that
peer.
T. A. Yang
Network Security
13
T. A. Yang
Network Security
14
L2TP Message Header
T. A. Yang
Network Security
15
L2TP
Control
Messages
(from RFC2661)
T. A. Yang
Network Security
16
L2TP Authentication
(from RFC2661)
•
•
Authentication, Authorization and Accounting may be provided by the Home
LAN's Management Domain, which is behind the LNS.
In that case, the LAC performs proxy authentication, by passing
authentication information back and forth between the user and the LNS.
T. A. Yang
Network Security
17
L2TP Operations
•
Case Studies:
-
T. A. Yang
Setting up compulsory L2TP Tunneling
Network Security
18
L2TP Operations
•
Case Studies (cont.)
-
Protecting L2TP Traffic using IPsec in a compulsory tunneling
setup
NOTE: L2TP encapsulation occurs before IPSec processing.
T. A. Yang
Network Security
19
L2TPv3 Topology (from RFC3931)
• L2TP operates between two L2TP Control
Connection Endpoints (LCCEs), tunneling traffic
across a packet network.
• There are three predominant tunneling models
in which L2TP operates:
LAC-LNS (or vice versa),
LAC-LAC, and
LNS-LNS.
T. A. Yang
Network Security
20
L2TPv3 Topology (from RFC3931)
T. A. Yang
Network Security
21
L2TPv3 Topology (from RFC3931)
T. A. Yang
Network Security
22
L2TPv3 Topology (from RFC3931)
T. A. Yang
Network Security
23