Upper protocol: L2TP

Source: Internet   Published by: cms online demo   Editor: 程序博客网   Date: 2024/05/01 08:43

Layer 2 Tunneling Protocol

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.[1]

Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session Layer protocol,[2] and uses the registered UDP port 1701 (see List of TCP and UDP port numbers).


History and future

Published in 1999 as proposed standard RFC 2661, L2TP has its origins primarily in two older tunneling protocols for PPP: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). A new version of this protocol, L2TPv3, was published as proposed standard RFC 3931 in 2005. L2TPv3 provides additional security features, improved encapsulation, and the ability to carry data links other than simply PPP over an IP network (e.g., Frame Relay, Ethernet, ATM, etc.).

Description

The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec (discussed below).

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server, which waits for new tunnels. Once a tunnel is established, the network traffic between the peers is bidirectional. To be useful for networking, higher-level protocols are then run through the L2TP tunnel. To facilitate this, an L2TP session (or call) is established within the tunnel for each higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a single tunnel. MTU should be considered when implementing L2TP.

The packets exchanged within an L2TP tunnel are categorised as either control packets or data packets. L2TP provides reliability features for the control packets, but no reliability for data packets. Reliability, if desired, must be provided by the nested protocols running within each session of the L2TP tunnel.

Tunneling models

An L2TP tunnel can extend across an entire PPP session or only across one segment of a two-segment session. This can be represented by four different tunneling models, namely:[1][2][3]

  1. voluntary tunnel
  2. compulsory tunnel — incoming call
  3. compulsory tunnel — remote dial
  4. L2TP multi-hop connection

In the voluntary tunnel model, a tunnel is created by the user, typically by the use of an L2TP-enabled client which is called the LAC client. The user will send L2TP packets to the Internet Service Provider (ISP), which will forward them on to the LNS. The ISP does not need to support L2TP; it only forwards the L2TP packets between LAC and LNS. The LAC client acts as an L2TP tunnel initiator which effectively resides on the same system as the remote client. The tunnel extends across the entire PPP session from the L2TP client to the LNS.

In the compulsory tunnel model (incoming call), a tunnel is created between the ISP LAC and the LNS home gateway. The company may provide the remote user with a Virtual Private Network (VPN) login account from which the user can access the corporate server. As a result the user will send PPP packets to the ISP (LAC), which will encapsulate them in L2TP and tunnel them to the LNS. In the compulsory tunneling cases, the ISP must be L2TP capable. In this model the tunnel only extends across the segment of the PPP session between the ISP and the LNS.

In the compulsory tunnel model (remote dial), the home gateway (LNS) initiates a tunnel to an ISP (LAC) (outgoing call) and instructs the ISP to place a local call to the PPP-enabled client, which is the remote user. This model is intended for cases where the remote PPP Answer Client has a permanently established phone number with an ISP. This model is expected to be used when a company with an established presence on the Internet needs to establish a connection to a remote office that requires a dial-up link. In this model the tunnel only extends across the segment of the PPP session between the LNS and the ISP.

An L2TP Multi-hop connection is a way of redirecting L2TP traffic on behalf of client LACs and LNSs. A Multi-hop connection is established using an L2TP Multi-hop gateway. A tunnel is established from a client LAC to the L2TP Multi-hop gateway and then another tunnel is established between the L2TP Multi-hop gateway and a target LNS. L2TP traffic between client LAC and LNS is redirected to each other through the gateway.

L2TP packet structure

An L2TP packet consists of:

    0 - 15 bit               | 16 - 31 bit
    -------------------------+-------------------------
    Flags and Version Info   | Length (opt)
    Tunnel ID                | Session ID
    Ns (opt)                 | Nr (opt)
    Offset Size (opt)        | Offset Pad (opt) ......
    Payload data

Field meanings:

Flags and version
Control flags indicating Data/Control packet and presence of length, sequence, offset fields.
Length (optional)
Total length of the message in bytes, present only when the length flag is set.
Tunnel ID
Indicates the identifier for the control connection.
Session ID
Indicates the identifier for a session within a tunnel.
Ns (optional)
Sequence number for this data or control message, beginning at zero and incrementing by one (modulo 2**16) for each message sent. Present only when the sequence flag is set.
Nr (optional)
Sequence number for the expected message to be received. Nr is set to the Ns of the last in-order message received plus one (modulo 2**16). In data messages, Nr is reserved and, if present (as indicated by the S bit), MUST be ignored upon receipt.
Offset Size (optional)
Specifies where payload data is located past the L2TP header. Actual data within the offset padding is undefined. If the offset field is present, the L2TP header ends after the last byte of the offset padding. This field exists if the offset flag is set.
Offset Pad (optional)
Variable length.
Payload data
Variable length (Max payload size = Max size of UDP packet - size of L2TP header).
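As an added example (not part of the article), a Python parser for the header laid out above, gating each optional field on its flag and checking every length read from the packet against the buffer before trusting it. The flag bit positions come from RFC 2661, which the article cites; the sample datagram is constructed.

```python
import struct
from collections import namedtuple

# Flag bits of the first 16-bit word (positions from RFC 2661, which the article cites).
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200
VER_MASK = 0x000F

L2TPMessage = namedtuple("L2TPMessage", "is_control tunnel_id session_id ns nr payload")

def _u16(buf: bytes, pos: int, name: str) -> int:
    """Read a big-endian 16-bit field, refusing to read past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated datagram: {name} missing")
    return struct.unpack_from("!H", buf, pos)[0]

def parse_l2tp(datagram: bytes) -> L2TPMessage:
    """Parse one L2TPv2 message (the UDP/1701 payload) field by field."""
    flags = _u16(datagram, 0, "Flags and Version")
    if flags & VER_MASK != 2:
        raise ValueError(f"unsupported L2TP version {flags & VER_MASK}")
    is_control = bool(flags & FLAG_T)
    # RFC 2661: control messages must carry Length and Ns/Nr and never an offset.
    if is_control and (not flags & FLAG_L or not flags & FLAG_S or flags & FLAG_O):
        raise ValueError("control message with an invalid flag combination")
    pos = 2
    if flags & FLAG_L:
        length = _u16(datagram, pos, "Length")
        pos += 2
        if length > len(datagram) or length < pos:
            raise ValueError("declared Length does not fit the datagram")
        datagram = datagram[:length]  # bytes beyond Length are not part of the message
    tunnel_id = _u16(datagram, pos, "Tunnel ID")
    session_id = _u16(datagram, pos + 2, "Session ID")
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns = _u16(datagram, pos, "Ns")
        nr = _u16(datagram, pos + 2, "Nr")
        pos += 4
    if flags & FLAG_O:
        # Offset Size counts the pad bytes after it; the header ends after that pad.
        offset = _u16(datagram, pos, "Offset Size")
        pos += 2
        if pos + offset > len(datagram):
            raise ValueError("Offset Size points past the end of the datagram")
        pos += offset
    # Article: in data messages Nr is reserved and must be ignored on receipt.
    return L2TPMessage(is_control, tunnel_id, session_id, ns, nr if is_control else None, datagram[pos:])

# Constructed sample: data message, v2, L+S+O set, tunnel 7, session 9, Ns=3, Nr=5, two pad bytes, 4-byte payload.
SAMPLE = struct.pack("!HHHHHHH", 0x4E02, 20, 7, 9, 3, 5, 2) + b"\0\0" + b"\xff\x03\xc0\x21"
```

A receiver that skips the Length and Offset Size checks would index past the end of a short or malformed datagram, which is the classic way a header parser becomes a crash or information leak.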

L2TP packet exchange

When an L2TP connection is set up, many control packets are exchanged between server and client to establish a tunnel and a session for each direction. One peer requests the other peer to assign a specific tunnel and session ID through these control packets. Then, using this tunnel and session ID, data packets are exchanged with the compressed PPP frames as payload.

The L2TP control messages exchanged between LAC and LNS for handshaking before establishing a tunnel and session in the voluntary tunneling method are shown in the following figure:

[Figure: L2TP packet exchange (L2tp pkt exchg.PNG)]

L2TP/IPsec

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:

  1. Negotiation of IPsec Security Association (SA), typically through Internet Key Exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates on both ends, although other keying methods exist.
  2. Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP Protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
  3. Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.

A potential point of confusion in L2TP/IPsec is the use of the terms "tunnel" and "secure channel." Tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel.

Windows implementation

Windows versions before Vista were very difficult to configure for L2TP without IPsec. Microsoft has simplified setup of an IPsec VPN connection from more than 100 mouse clicks in Windows 2000/XP to 15 in Vista. There is also a bit more help info in Vista compared to XP, such as "What is a VPN?", though this is generally very basic info. The help info does say that IPsec without L2TP is not to be used for Road Warrior-style VPNs. They advise to use L2TP/IPsec or PPTP for that.

Windows Vista provides two new configuration utilities that attempt to make using L2TP without IPsec easier, both described in the sections that follow below:

  • an MMC snap-in called "Windows Firewall with Advanced Security" (WFwAS), located in Control Panel → Administrative Tools
  • the "netsh advfirewall" command-line tool

Both these configuration utilities are not without their difficulties, and unfortunately, there is very little documentation about both "netsh advfirewall" and the IPsec client in WFwAS. One of the aforementioned difficulties is that it is not compatible with NAT. Another problem is that servers must be specified only by IP address in the new Vista configuration utilities; the hostname of the server cannot be used, so if the IP address of the IPsec server changes, all clients will have to be informed of this new IP address (which also rules out servers that are addressed by utilities such as DynDNS).

L2TP in ADSL networks

L2TP is often used as a tunneling mechanism to resell ADSL endpoint connectivity (e.g. Telkom in South Africa). An L2TP tunnel would sit between the user and the ISP the connection would be resold to, so the reselling ISP would not appear as doing the transport.

L2TP in cable networks

L2TP is used by the cable Internet provider (for example HOT in Israel) as a tunnelling mechanism to sell endpoint connectivity. The L2TP tunnel sits between the user and the ISP. Again, the reselling cable provider doesn't appear as doing the transport.

See also

  • IPsec
  • Layer 2 Forwarding Protocol
  • Layer 2 Tunneling Protocol
  • Point-to-Point Tunneling Protocol
  • Point-to-Point Protocol

References

  1. IETF (1999), RFC 2661, Layer Two Tunneling Protocol "L2TP"
  2. Cisco Systems, Inc., Cisco Active Network Abstraction Technology Support and Information Model Reference Manual, Version 3.6, Chapter 9, Layer 2 Tunnel Protocol "L2TP"

External links

Implementations

  • Cisco: Cisco L2TP documentation, also read Technology brief from Cisco
  • Open source and Linux: xl2tpd, Linux RP-L2TP, OpenL2TP, l2tpns, l2tpd (inactive), Linux L2TP/IPsec server, FreeBSD multi-link PPP daemon
  • Microsoft: built-in client included with Windows 2000 and higher; Microsoft L2TP/IPsec VPN Client for Windows 98/Windows Me/Windows NT 4.0
  • Apple: built-in client included with Mac OS X 10.3 and higher.

Internet standards and extensions

  • RFC 2341 Cisco Layer Two Forwarding (Protocol) "L2F" (a predecessor to L2TP)
  • RFC 2637 Point-to-Point Tunneling Protocol (PPTP) (a predecessor to L2TP)
  • RFC 2661 Layer Two Tunneling Protocol "L2TP"
  • RFC 2809 Implementation of L2TP Compulsory Tunneling via RADIUS
  • RFC 2888 Secure Remote Access with L2TP
  • RFC 3070 Layer Two Tunneling Protocol (L2TP) over Frame Relay
  • RFC 3145 L2TP Disconnect Cause Information
  • RFC 3193 Securing L2TP using IPsec
  • RFC 3301 Layer Two Tunnelling Protocol (L2TP): ATM access network
  • RFC 3308 Layer Two Tunneling Protocol (L2TP) Differentiated Services
  • RFC 3355 Layer Two Tunnelling Protocol (L2TP) Over ATM Adaptation Layer 5 (AAL5)
  • RFC 3371 Layer Two Tunneling Protocol "L2TP" Management Information Base
  • RFC 3437 Layer Two Tunneling Protocol Extensions for PPP Link Control Protocol Negotiation
  • RFC 3438 Layer Two Tunneling Protocol (L2TP) Internet Assigned Numbers: Internet Assigned Numbers Authority (IANA) Considerations Update
  • RFC 3573 Signaling of Modem-On-Hold status in Layer 2 Tunneling Protocol (L2TP)
  • RFC 3817 Layer 2 Tunneling Protocol (L2TP) Active Discovery Relay for PPP over Ethernet (PPPoE)
  • RFC 3931 Layer Two Tunneling Protocol - Version 3 (L2TPv3)
  • RFC 4045 Extensions to Support Efficient Carrying of Multicast Traffic in Layer-2 Tunneling Protocol (L2TP)
  • RFC 4951 Fail Over Extensions for Layer 2 Tunneling Protocol (L2TP) "failover"

Other

  • IANA assigned numbers for L2TP
  • L2TP Extensions Working Group (l2tpext) - (where future standardization work is being coordinated)
  • Using Linux as an L2TP/IPsec VPN client
  • Configuring L2TP VPN in Windows