Embed Size (px)
Citation preview
SoftwiresHub & Spoke with L2TP
Maria Alice Dos Santos, Cisco
Bill Storer, Cisco
Satisfying Softwires Requirements with L2TP
• There are 2 versions of L2TP: – L2TPv2 (RFC 2661)– L2TPv3 (RFC 3931)
• Both versions can satisfy the Softwires requirements with some changes– For L2TPv2 the changes are very small– For L2TPv3 the changes are larger but
provide extra function
L2TP and NAT
• L2TP supports UDP encapsulation– For L2TPv2, UDP encapsulation is
mandatory– For L2TPv3 UDP encapsulation is
optional
• UDP encapsulation allows simple traversal of NAT
L2TP and Security
• L2TP supports tunnel authentication– Can authenticate the host initiating the tunnel
• L2TP supports PPP encapsulation– Can authenticate the PPP user within the tunnel
• L2TPv3 offers data channel security against malicious data insertion by requiring transmission and validation of a variable length cookie by the peers
L2TP and Management
• L2TP provides a tunnel keep alive mechanism
• L2TPv2 has accounting and MIB support– RADIUS Accounting extension for tunnel (RFC
2867)– L2TPv2 MIB RFC 3371
• L2TPv3 has VCCV support– Provides diagnostic and fault detection
capabilities at the session level– draft-ietf-pwe3-vccv-07
L2TP and Multicast
• PIM or IGMP messages pass through the L2TP tunnel transparently
• At the Hub router, each spoke appears as a PPP connection
• Multicast environment here is identical to that of an edge router terminating large numbers of PPP connections
L2TP and IPsec
• RFC 3193 - Securing L2TP using IPsec
• RFC 3948 - UDP Encapsulation of IPsec ESP Packets
• ESP must be supported
• Transport mode must be supported
A typical L2TP/IPsec frame is as follows:
IP | ESP header | UDP | L2TP | PPP | ESP trailer | Auth trailer
L2TP and Scalability
• L2TPv2 is widely used to provide large scale IPv4 services today.– Case in point being NTT
• Routers currently support high volume L2TPv2– Tens of thousands of concurrent L2TPv2 sessions– Call setup rates in the hundreds per second
• L2TPv3 can be more efficient than l2tpv2
L2TP as Softwire Standard
• L2TPv2 meets IPv6 over IPv4 softwires requirements today
• L2TPv2 is currently used in multiple IPv6 over IPv4 solutions
• L2TPv2 RFC2661 is 99% ready for the IPv4 over IPv6 solution
• L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
• L2TPv3 is not far from meeting all softwires requirements
• L2TPv3 RFC3991 automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3
L2TPv2 as the Immediate Solution
• L2TPv2 is currently used in several IPv6 over IPv4 deployments
• Implementations of key components are readily available:– LNSes supporting L2TPv2 acting as tunnel terminator, supporting IPv6 over
PPP (IPv6CP) and DHCPv6 server capabilities or proxy– Standalone DHCPv6 server– RADIUS support for IPv6 prefix delegation attributes– CPEs or home routers supporting L2TPv2, IPv6 over PPP (IPv6CP) and
DHCPv6 client capabilities– Windows (i.e. Longhorn) supporting IPv6 over PPP and L2TPv2 over IPSec
are becoming available in the near future
• The support for IPv4 over IPv6 with L2TPv2 requires the addition of IPv6 transport support for L2TPv2 (minor extension to RFC 2661). Besides that, IPv4 over PPP over L2TPv2 over IPv6 will work as in today’s L2TPv2 over IPv4 solutions
IPv6 over IPv4 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator
IPv6 o PPP
LNS
DualAF
CPE
L2TPv2 o UDP o IPv4
/64 prefix
/48 prefixDNS, etc
RA
DHCPv6 PD
IPv6CP: capable of /64 interface ID assignment or uniqueness check
/64 prefixesRA
DNS, etcDHCPv4/v6
IPv4
ISP to Dual AF CPE PD and Auto-Config
Dual AF CPE to HostsAuto-Config
IPv6 over IPv4 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator
LNS
CPE
/64 prefix
/48 prefixDNS, etc
RA
DHCPv6 PD
IPv6CP: capable of /64 interface ID assignment or uniqueness check
/64 prefixesRA
DNS, etcDHCPv4/v6
IPv4
ISP to Dual AF Router PD and Auto-Config
Dual AF Router to Hosts Auto-Config
Dual AF Router
IPv6 o PPP
L2TPv2 o UDP o IPv4
IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator
LNS
CPE
/64 prefix
DNS, etcRA
DHCPv4/v6
IPv6CP: capable of /64 interface ID assignment or uniqueness check
IPv4
ISP to Dual AF Host Auto-Config
Dual AF Host
IPv6 o PPP
L2TPv2 o UDP o IPv4
IPv4 over IPv6 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator
IPv4 o PPP
LNS
L2TPv2 o UDP o IPv6
IPCP: assigns global IPv4 address and DNS, etcPrivate IPv4 addresses and DNS, etc.
DHCP
IPv6DualAF
CPE
ISP to Dual AF CPE IP Assignment and Auto-Config
Dual AF CPE to Hosts IP Assignment and Auto-Config
IPv4 over IPv6 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator
LNS
CPE
Dual AF Router
IPv6
IPCP: assigns global IPv4 address and DNS, etcPrivate IPv4 addresses and DNS, etc.
DHCP
ISP to Dual AF Router IP Assignment and Auto-Config
Dual AF Router to Hosts IP Assignment and Auto-Config
IPv4 o PPP
L2TPv2 o UDP o IPv6
IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator
LNS
CPE
Dual AF Host
IPv6
IPCP: assigns global IPv4 address and DNS, etc
ISP to Dual AF Host IP Assignment and Auto-Config
IPv4 o PPP
L2TPv2 o UDP o IPv6
IPv6 o L2TPv2 o IPv4 Today
• NTT – http://www.ntt.com/release_e/news05/0011/1121.html–
http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
• Point6– draft-toutain-softwire-point6box-00
• Cisco– http://www.cisco.com/en/US/products/ps6553/product
s_data_sheet09186a008011b68d.html
Why move to L2TPv3?
• Cons of L2TPv2 as compared to L2TPv3:
– Weaker Tunnel Authentication mechanism which validates only the header portion of the control messages and covering only SCCRQ, SCCRP and SCCCN message types
– No built-in data channel security. Must be bundled with IPSec to achieve security
– 16-bits session Ids as compared to L2TPv3 32-bits session Ids
Why move to L2TPv3? (Cont.)Cons of L2TPv2 as compared to L2TPv3:
–Tunnel/Session Setup latency:
L2TP: SCCRQ, SCCRP, SCCCN, ICRQ, ICRP, ICCN
PPP LCP
PPP CHAP (per-user authentication is optional)
IPCP
Since L2TPv3 offers the option to tunnel IP frames directly without PPP, using L2TPv3 can eliminate PPP overhead
Why move to L2TPv3? (Cont.) Cons of L2TPv2 as compared to L2TPv3:
• L2TPv2 Data Encapsulation– PPP over L2TPv2 over UDP – 20 Bytes
• L2TPv3 allows further encapsulation optimization by offering the option to run over IP (instead of mandating UDP) and to tunnel IP frames without PPP
UDP (8 bytes)
Flags & Ver Len (opt)
Tunnel Id Session Id
PPP PId & 0xFF03
IPv4 / IPv6
Payload
– Sequencing disabled– Length field present
L2TPv3 for the Future0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
IPv4 or IPv6 Header
Session ID (32 Bits)
Cookie (Up to 64 Bits, Optional)
PayloadPayload
PPPPPP
Frame Frame RelayRelay
EthernetEthernet
ATM (Cell ATM (Cell or Packet)or Packet)
MPLSMPLS
HDLCHDLC
UDP + L2TP Version (Optional)
IPIP
L2TPv3 as Next Phase Softwires Solution
PPP over L2TPv3
• L2TPv3 can provide the same softwires solution as described with PPP over L2TPv2
• Support for PPP tunneling for L2TPv3 – draft-ietf-l2tpext-l2tp-ppp-03.txt
L2TPv3 as Next Phase Softwires Solution
IP over L2TPv3• L2TPv3 also offers a more optimal softwires solution with
its capability to directly tunnel IP frames
• IP Pseudowire support:– draft-ietf-l2tpext-pwe3-ip-01
• IP Pseudowire Type has the following advantages– Not necessary to negotiate PPP at session initiation– Not necessary to include PPP encap in data
• Authentication is available at the tunnel level– Implies one session per tunnel
• New AVPs to provide basic IPCP / IPv6CP Address assignment services are required
L2TPv3 (RFC 3931) Advantages:Encap Optimization
Payload
PPP Pld
IPv4 / IPv6
PPP over L2TPv3 over UDP(Sequencing disabled)
Without optional cookie – 18 bytesWith optional cookie – 26 Bytes
UDP (8 bytes)
Cookie (opt. to 8 bytes)
Session Id
Flags & Ver
IP over L2TPv3 over UDP(Sequencing disabled)
Without optional cookie – 16 BytesWith optional cookie – 24 bytes
IPv4 / IPv6
Payload
UDP (8 bytes)
Cookie (opt. to 8 bytes)
Session Id
Flags & Ver
IP over L2TPv3 over IP(Sequencing disabled)
Without optional cookie – 4 bytesWith optional cookie – 12 Bytes
Session Id
Cookie (opt. to 8 bytes)
IPv4 / IPv6
Payload
IPv6 over IPv4 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator
IPv6 Payload
LNS
DualAF
CPE
L2TPv3 o IPv4
/64 prefix
/48 prefixDNS, etc
RA
DHCPv6 PD
/64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs
/64 prefixesRA
DNS, etcDHCP
IPv4
ISP to Dual AF CPE PD and Auto-Config
Dual AF CPE to HostsAuto-Config
IPv6 over IPv4 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator
LNS
CPE
/64 prefix
/48 prefixDNS, etc
RA
DHCPv6 PD
/64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs
/64 prefixesRA
DNS, etcDHCP
IPv4
ISP to Dual AF Router PD and Auto-Config
Dual AF Router to Hosts Auto-Config
Dual AF Router
IPv6 Payload
L2TPv3 o UDP o IPv4
IPv6 over IPv4 Softwire with L2TPv3: Case 3 – Host as Softwire Initiator
LNS
CPE
/64 prefix
DNS, etcRA
DHCPv4/v6
/64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs
IPv4
ISP to Dual AF Host Auto-Config
Dual AF Host
IPv6 Payload
L2TPv3 o UDP o IPv4
IPv4 over IPv6 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator
IPv4 Payload
LNS
L2TPv3 o IPv6
IPv4 Address Assignment and DNS via new L2TPv3 AVPs
Private IPv4 addresses and DNS, etc.
DHCP
IPv6DualAF
CPE
ISP to Dual AF CPE IP Assignment and Auto-Config
Dual AF CPE to Hosts IP Assignment and Auto-Config
IPv4 over IPv6 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator
LNS
CPE
Dual AF Router
IPv6
IPv4 Address Assignment and DNSvia new L2TPv3 AVPs
Private IPv4 addresses and DNS, etc.
DHCP
ISP to Dual AF Router IP Assignment and Auto-Config
Dual AF Router to Hosts IP Assignment and Auto-Config
IPv4 Payload
L2TPv3 o IPv6
IPv4 over IPv6 Softwire with L2TPv3: Case 3 – Host as Softwire Initiator
LNS
CPE
Dual AF Host
IPv6
IPv4 Address Assignment and DNSvia new L2TPv3 AVPs
ISP to Dual AF Host IP Assignment and Auto-Config
IPv4 Payload
L2TPv3 o IPv6
L2TPv3 Enhanced Security
• Enhanced Control Plane Security– Message Digest is calculated with entire control message– Message Digest is calculated for all control message types
• Data Plane Security – Provides an additional layer of defense for data packets, over
and above ACLs, with the use of a simple cookie
L2TPv3 Security – What is the L2TPv3 “Cookie”?
• The L2TPv3 Cookie is a cryptographically random value, present in each L2TPv3 packet
• Chosen by the receiver, associated with a Session ID, and signaled to the sender
• Cookies in the header must match upon receipt, otherwise the packet is dropped
• Provides an additional layer of security at a very important place: before switching packets out of the core and into the customer premises
• Casts a strategic balance for the SP: Stronger than ACLs, but less complex than IPSec encryption and key negotiation
Session ID (32 Bits)
Cookie (up to 64 Bits)
Summary of L2TPv3 Changes
• Accounting RFC similar to RFC 2867
• MIB RFC similar to RFC 3371
• Definition of AVPs to support basic IPCP and IPv6CP functions
L2TP vs IPsec ESP Tunnel
• L2TP has an in band control plane– Inability to transmit data usually results in
tunnel setup failure– Failures in data transport are usually result
in protocol “keep alive” failures– L2TPv3 VCCV can detect failures at the
data switching level
• L2TP infrastructure already exists for large scale data transport
L2TP vs GRE
• GRE doesn’t specify a control plane– The control plane must be provided by
some other protocol– An “in band” control plane is not possible
