0blivion1: L2TP.txt - 15/03/2000

+------------------------------------------------------+
▌ Oblivion Underground Magazine - Issue 1 - 15/03/2000 ▌
▌ Layer 2 Tunneling Protocol by Slider                 ▌
▌ E-Mail : Slider_100@hotmail.com                      ▌
+------------------------------------------------------+

Layer 2 Tunneling Protocol (L2TP)

L2TP permits the tunneling of PPP. Any protocol supported by PPP can be
tunneled. This protocol extends the span of a PPP connection. Instead of
beginning at the remote host and ending at a local ISP's point of presence
(PoP), the virtual PPP link now extends from the remote host all the way
back to the corporate gateway.

L2TP tunneling is currently supported over IP/UDP. The latest
specification can be found in the following Internet draft; however, it
is expected that L2TP will soon be approved as a standard.

http://search.ietf.org/internet-drafts/draft-ietf-pppext-l2tp-11.txt

L2TP is a consensus standard that came from the merging of two earlier
tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer 2
Forwarding (L2F; described in RFC 2341). These earlier protocols did not
provide as complete a solution as L2TP: one addresses tunnels created by
ISPs and the other addresses tunnels created by remote hosts. L2TP
supports both host-created and ISP-created tunnels.

L2TP adds the ability to create a virtual private network in which
multiple protocols and privately addressed IP, IPX, and AT are allowed.
In addition, L2TP gives remote users the ability to connect to a local
ISP and tunnel through the internet to a home network, avoiding long
distance charges. It also provides a mechanism for solving the
multiple-box PPP multilink problem: calls connecting to different
physical routers that are destined for the same MP bundle can be tunneled
to the same endpoint, where MP can be terminated for all links.

Terminology

Before describing the protocol, some L2TP terminology is defined.
L2TP Access Concentrator (LAC)
  A device attached to one or more public switched telephone network
  (PSTN) or integrated services digital network (ISDN) lines, capable of
  handling both PPP operation and the L2TP protocol. The LAC implements
  the media over which L2TP operates and passes the traffic to one or
  more L2TP Network Servers (LNS).

L2TP Network Server (LNS)
  An LNS operates on any platform that can be a PPP endstation. The LNS
  handles the server side of the L2TP protocol. Because L2TP relies only
  on the single medium over which the tunnels arrive, the LNS may have
  just one LAN or WAN interface, yet it can still terminate calls
  arriving on any PPP interface supported by a LAC (async, synchronous,
  ISDN, V.120, and so on).

Network Access Server (NAS)
  A device providing temporary, on-demand network access to users. This
  access is point-to-point, using PSTN or ISDN lines.

Session (Call)
  L2TP creates a session when an end-to-end PPP connection is attempted
  between a dial-in user and the LNS, or when an outbound call is
  initiated. The datagrams for the session are sent over the tunnel
  between the LAC and the LNS. The LNS and LAC maintain state
  information for each user attached to a LAC.

Tunnel
  A tunnel is defined by an LNS-LAC pair. The tunnel carries PPP
  datagrams between the LAC and the LNS. A single tunnel can multiplex
  many sessions. A control connection operating over the same tunnel
  controls the establishment, release, and maintenance of all sessions
  and of the tunnel itself.

Attribute Value Pair (AVP)
  A uniform method of encoding message types and bodies. This method
  maximizes extensibility while keeping L2TP messages interpretable.

Protocol Overview

Since the host and the gateway share the same PPP connection, they can
take advantage of PPP's ability to transport protocols other than just
IP. For example, L2TP tunnels can be used to support remote LAN access
as well as remote IP access. The following occurs:

1. The remote user initiates a PPP connection.
2. The NAS accepts the call.
3. The NAS identifies the remote user using an authorization server.
4. If the authorization is OK, the NAS/LAC initiates an L2TP tunnel to
   the desired LNS at the entry to the enterprise.
5. The LNS authenticates the remote user through its authentication
   server and accepts the tunnel.
6. The LNS confirms acceptance of the call and the L2TP tunnel.
7. The NAS logs the acceptance.
8. The LNS exchanges PPP negotiation with the remote user.
9. End-to-end data is now tunneled between the remote user and the LNS.

L2TP is actually another variation of an IP encapsulation protocol. An
L2TP tunnel is created by encapsulating an L2TP frame inside a UDP
packet, which in turn is encapsulated inside an IP packet whose source
and destination addresses define the tunnel's endpoints. Since the outer
encapsulating protocol is IP, the IPSec protocols can clearly be applied
to this composite IP packet, thus protecting the data that flows within
the L2TP tunnel. AH, ESP, and ISAKMP/Oakley can all be applied in a
straightforward way.

L2TP can operate over UDP/IP and supports the following functions:

* Tunneling of single-user dial-in clients
* Tunneling of small routers, for example a router with a single static
  route set up based on an authenticated user's profile
* Incoming calls to an LNS from a LAC
* Multiple calls per tunnel
* Proxy authentication for PAP and CHAP
* Proxy LCP
* LCP restart in the event that proxy LCP is not used at the LAC
* Tunnel endpoint authentication
* Hidden AVP for transmitting a proxy PAP password
* Tunneling using a local realm (that is, user@realm) lookup table
* Tunneling using the PPP username lookup in the AAA subsystem

L2TP Security Issues

Although L2TP provides cost-effective access, multiprotocol transport,
and remote LAN access, it does not provide cryptographically robust
security features. For example:

* Authentication is provided only for the identity of the tunnel
  endpoints, not for each individual packet that flows inside the
  tunnel. This can expose the tunnel to man-in-the-middle and spoofing
  attacks.
* Without per-packet integrity, it is possible to mount
  denial-of-service attacks by generating bogus control messages that
  terminate either the L2TP tunnel or the underlying PPP connection.
* L2TP itself provides no facility to encrypt user data traffic. This
  can lead to embarrassing exposures when data confidentiality is an
  issue.
* While the payload of the PPP packets can be encrypted, the PPP
  protocol suite provides no mechanism for automatic key generation or
  automatic key refresh. Someone listening on the wire can therefore
  eventually break that key and gain access to the data being
  transmitted.

Recognizing these shortcomings, the PPP Extensions Working Group of the
IETF considered how to remedy them. Some members proposed developing new
IPSec-like protocols for use with PPP and L2TP. But since this work would
have substantially duplicated the more mature work of the IPSec Working
Group, the IETF instead took the position of supporting the use of the
existing IPSec protocols to protect the data that flows through an L2TP
tunnel.

In summary, layer 2 tunnel protocols are an excellent way of providing
cost-effective remote access. When used in conjunction with IPSec, they
are an excellent technique for providing secure remote access. However,
without the complementary use of IPSec, an L2TP tunnel alone does not
furnish adequate security.

Slider.
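As an added example (not part of the original article), here is the control-message header and AVP encoding that the Protocol Overview and Security Issues sections describe, written in Python after the layout in RFC 2661, the published form of the draft cited above. It builds a minimal constructed SCCRQ, the message a LAC sends in step 4 to open a tunnel, and parses it back; the parser also makes the security point concrete, since no field in the header ties a datagram to its sender, which is why the article recommends IPSec underneath. The constant names and the host name lac.example are this example's own.

```python
import struct

# L2TP header bits and version (RFC 2661 section 3.1); constant names are this example's own
T_BIT, L_BIT, S_BIT, O_BIT, P_BIT, VER = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100, 2
CTRL_REQUIRED = T_BIT | L_BIT | S_BIT   # every control message sets T, L and S
M_BIT, H_BIT = 0x8000, 0x4000           # AVP header: Mandatory and Hidden bits
SCCRQ, SCCRP, SCCCN, STOPCCN, HELLO = 1, 2, 3, 4, 6   # Message Type AVP values

def encode_avp(attr_type, value, mandatory=True, vendor_id=0):
    """One AVP: M/H bits plus 10-bit length, vendor ID, attribute type, raw value."""
    hdr = (M_BIT if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", hdr, vendor_id, attr_type) + value

def build_control_message(tunnel_id, session_id, ns, nr, avps):
    body = b"".join(avps)   # the result is the payload of a UDP datagram to port 1701
    return struct.pack("!HHHHHH", CTRL_REQUIRED | VER, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body

def parse_control_message(pkt):
    """Decode header and AVPs; malformed input raises ValueError (struct.error if shorter
    than 12 bytes). Note what the header lacks: no MAC or signature ties the datagram
    to a peer, so a receiver can check only its shape and its tunnel/session IDs."""
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if (flags & 0x000F) != VER or (flags & CTRL_REQUIRED) != CTRL_REQUIRED or length != len(pkt):
        raise ValueError("not a well-formed L2TP control message of the stated length")
    avps, pos = [], 12
    while pos < length:
        if pos + 6 > length:
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack("!HHH", pkt[pos:pos + 6])
        alen = hdr & 0x03FF
        if alen < 6 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps.append({"type": attr, "vendor": vendor, "mandatory": bool(hdr & M_BIT),
                     "hidden": bool(hdr & H_BIT), "value": pkt[pos + 6:pos + alen]})
        pos += alen
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr, "avps": avps}

def message_type(parsed):
    """Control message type from the Message Type AVP (IETF vendor 0, attribute 0)."""
    for avp in parsed["avps"]:
        if avp["vendor"] == 0 and avp["type"] == 0 and len(avp["value"]) == 2:
            return struct.unpack("!H", avp["value"])[0]
    raise ValueError("Message Type AVP missing")

def example_sccrq():
    # Constructed SCCRQ as a LAC sends it to open a tunnel (tunnel ID 0 until assigned)
    avps = [encode_avp(0, struct.pack("!H", SCCRQ)), encode_avp(2, b"\x01\x00"),  # Message Type, Protocol Version 1.0
            encode_avp(7, b"lac.example"), encode_avp(9, struct.pack("!H", 7))]   # Host Name (constructed), Assigned Tunnel ID
    return build_control_message(0, 0, 0, 0, avps)
```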