Softwires
Hub & Spoke with L2TP
Maria Alice Dos Santos, Cisco
Bill Storer, Cisco
Satisfying Softwires Requirements with L2TP
• There are 2 versions of L2TP:
– L2TPv2 (RFC 2661)
– L2TPv3 (RFC 3931)
• Both versions can satisfy the Softwires requirements with some changes
– For L2TPv2 the changes are very small
– For L2TPv3 the changes are larger but provide extra functionality
L2TP and NAT
• L2TP supports UDP encapsulation
– For L2TPv2, UDP encapsulation is mandatory
– For L2TPv3, UDP encapsulation is optional
• UDP encapsulation allows simple traversal of NAT
L2TP and Security
• L2TP supports tunnel authentication
– Can authenticate the host initiating the tunnel
• L2TP supports PPP encapsulation
– Can authenticate the PPP user within the tunnel
• L2TPv3 offers data channel security against malicious data insertion by requiring transmission and validation of a variable length cookie by the peers
L2TP and Management
• L2TP provides a tunnel keep-alive mechanism
• L2TPv2 has accounting and MIB support
– RADIUS Accounting extension for tunnel (RFC 2867)
– L2TPv2 MIB (RFC 3371)
• L2TPv3 has VCCV support
– Provides diagnostic and fault detection capabilities at the session level
– draft-ietf-pwe3-vccv-07
L2TP and Multicast
• PIM or IGMP messages pass through the L2TP tunnel transparently
• At the Hub router, each spoke appears as a PPP connection
• Multicast environment here is identical to that of an edge router terminating large numbers of PPP connections
L2TP and IPsec
• RFC 3193 - Securing L2TP using IPsec
• RFC 3948 - UDP Encapsulation of IPsec ESP Packets
• ESP must be supported
• Transport mode must be supported
A typical L2TP/IPsec frame is as follows:
IP | ESP header | UDP | L2TP | PPP | ESP trailer | Auth trailer
L2TP and Scalability
• L2TPv2 is widely used to provide large scale IPv4 services today.
– Case in point being NTT
• Routers currently support high volume L2TPv2
– Tens of thousands of concurrent L2TPv2 sessions
– Call setup rates in the hundreds per second
• L2TPv3 can be more efficient than L2TPv2
L2TP as Softwire Standard
• L2TPv2 meets IPv6 over IPv4 softwires requirements today
• L2TPv2 is currently used in multiple IPv6 over IPv4 solutions
• L2TPv2 RFC 2661 is 99% ready for the IPv4 over IPv6 solution
• L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
• L2TPv3 is not far from meeting all softwires requirements
• L2TPv3 RFC3991 automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3
L2TPv2 as the Immediate Solution
• L2TPv2 is currently used in several IPv6 over IPv4 deployments
• Implementations of key components are readily available:
– LNSes supporting L2TPv2 acting as tunnel terminator, supporting IPv6 over PPP (IPv6CP) and DHCPv6 server capabilities or proxy
– Standalone DHCPv6 server
– RADIUS support for IPv6 prefix delegation attributes
– CPEs or home routers supporting L2TPv2, IPv6 over PPP (IPv6CP) and DHCPv6 client capabilities
– Windows (i.e. Longhorn) supporting IPv6 over PPP and L2TPv2 over IPSec are becoming available in the near future
• The support for IPv4 over IPv6 with L2TPv2 requires the addition of IPv6 transport support for L2TPv2 (minor extension to RFC 2661). Besides that, IPv4 over PPP over L2TPv2 over IPv6 will work as in today’s L2TPv2 over IPv4 solutions
IPv6 over IPv4 Softwire with L2TPv2:
Case 1 – CPE as Softwire Initiator
– Topology: Dual AF CPE <-> IPv4 <-> LNS
– Encapsulation: IPv6 o PPP o L2TPv2 o UDP o IPv4
– IPv6CP: capable of /64 interface ID assignment or uniqueness check
– ISP to Dual AF CPE PD and Auto-Config: RA (/64 prefix), DHCPv6 PD (/48 prefix), DNS, etc
– Dual AF CPE to Hosts Auto-Config: RA (/64 prefixes), DHCPv4/v6 (DNS, etc)
IPv6 over IPv4 Softwire with L2TPv2:
Case 2 – Router behind CPE as Softwire Initiator
– Topology: Dual AF Router <-> CPE <-> IPv4 <-> LNS
– Encapsulation: IPv6 o PPP o L2TPv2 o UDP o IPv4
– IPv6CP: capable of /64 interface ID assignment or uniqueness check
– ISP to Dual AF Router PD and Auto-Config: RA (/64 prefix), DHCPv6 PD (/48 prefix), DNS, etc
– Dual AF Router to Hosts Auto-Config: RA (/64 prefixes), DHCPv4/v6 (DNS, etc)
IPv6 over IPv4 Softwire with L2TPv2:
Case 3 – Host as Softwire Initiator
– Topology: Dual AF Host <-> CPE <-> IPv4 <-> LNS
– Encapsulation: IPv6 o PPP o L2TPv2 o UDP o IPv4
– IPv6CP: capable of /64 interface ID assignment or uniqueness check
– ISP to Dual AF Host Auto-Config: RA (/64 prefix), DHCPv4/v6 (DNS, etc)
IPv4 over IPv6 Softwire with L2TPv2:
Case 1 – CPE as Softwire Initiator
– Topology: Dual AF CPE <-> IPv6 <-> LNS
– Encapsulation: IPv4 o PPP o L2TPv2 o UDP o IPv6
– ISP to Dual AF CPE IP Assignment and Auto-Config: IPCP assigns global IPv4 address and DNS, etc
– Dual AF CPE to Hosts IP Assignment and Auto-Config: DHCP (private IPv4 addresses and DNS, etc.)
IPv4 over IPv6 Softwire with L2TPv2:
Case 2 – Router behind CPE as Softwire Initiator
– Topology: Dual AF Router <-> CPE <-> IPv6 <-> LNS
– Encapsulation: IPv4 o PPP o L2TPv2 o UDP o IPv6
– ISP to Dual AF Router IP Assignment and Auto-Config: IPCP assigns global IPv4 address and DNS, etc
– Dual AF Router to Hosts IP Assignment and Auto-Config: DHCP (private IPv4 addresses and DNS, etc.)
IPv4 over IPv6 Softwire with L2TPv2:
Case 3 – Host as Softwire Initiator
– Topology: Dual AF Host <-> CPE <-> IPv6 <-> LNS
– Encapsulation: IPv4 o PPP o L2TPv2 o UDP o IPv6
– ISP to Dual AF Host IP Assignment and Auto-Config: IPCP assigns global IPv4 address and DNS, etc
IPv6 o L2TPv2 o IPv4 Today
• NTT
– http://www.ntt.com/release_e/news05/0011/1121.html
– http://www.networkworld.com/news/2005/122205ntt-ipv6.html
• Point6
– draft-toutain-softwire-point6box-00
• Cisco
– http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html
Why move to L2TPv3?
• Cons of L2TPv2 as compared to L2TPv3:
– Weaker Tunnel Authentication mechanism which validates only the header portion of the control messages and covers only the SCCRQ, SCCRP and SCCCN message types
– No built-in data channel security. Must be bundled with IPSec to achieve security
– 16-bit Session IDs as compared to L2TPv3 32-bit Session IDs
Why move to L2TPv3? (Cont.)
Cons of L2TPv2 as compared to L2TPv3:
– Tunnel/Session Setup latency:
L2TP: SCCRQ, SCCRP, SCCCN, ICRQ, ICRP, ICCN
PPP LCP
PPP CHAP (per-user authentication is optional)
IPCP
Since L2TPv3 offers the option to tunnel IP frames directly without PPP, using L2TPv3 can eliminate PPP overhead
Why move to L2TPv3? (Cont.)
Cons of L2TPv2 as compared to L2TPv3:
• L2TPv2 Data Encapsulation
– PPP over L2TPv2 over UDP – 20 Bytes (sequencing disabled, Length field present):
IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Len (opt) | Tunnel Id | Session Id | PPP PId & 0xFF03 | Payload
• L2TPv3 allows further encapsulation optimization by offering the option to run over IP (instead of mandating UDP) and to tunnel IP frames without PPP
L2TPv3 for the Future
0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
IPv4 or IPv6 Header
UDP + L2TP Version (Optional)
Session ID (32 Bits)
Cookie (Up to 64 Bits, Optional)
Payload: PPP, HDLC, Frame Relay, Ethernet, ATM (Cell or Packet), MPLS, IP
L2TPv3 as Next Phase Softwires Solution
PPP over L2TPv3
• L2TPv3 can provide the same softwires solution as described with PPP over L2TPv2
• Support for PPP tunneling for L2TPv3
– draft-ietf-l2tpext-l2tp-ppp-03.txt
L2TPv3 as Next Phase Softwires Solution
IP over L2TPv3
• L2TPv3 also offers a more optimal softwires solution with its capability to directly tunnel IP frames
• IP Pseudowire support:
– draft-ietf-l2tpext-pwe3-ip-01
• IP Pseudowire Type has the following advantages
– Not necessary to negotiate PPP at session initiation
– Not necessary to include PPP encap in data
• Authentication is available at the tunnel level
– Implies one session per tunnel
• New AVPs to provide basic IPCP / IPv6CP Address assignment services are required
L2TPv3 (RFC 3931) Advantages: Encap Optimization
(Sequencing disabled in all three cases)
• PPP over L2TPv3 over UDP – 18 bytes without optional cookie, 26 Bytes with optional cookie:
IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Session Id | Cookie (opt. to 8 bytes) | PPP PId | Payload
• IP over L2TPv3 over UDP – 16 Bytes without optional cookie, 24 bytes with optional cookie:
IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Session Id | Cookie (opt. to 8 bytes) | Payload
• IP over L2TPv3 over IP – 4 bytes without optional cookie, 12 Bytes with optional cookie:
IPv4 / IPv6 | Session Id | Cookie (opt. to 8 bytes) | Payload
IPv6 over IPv4 Softwire with L2TPv3:
Case 1 – CPE as Softwire Initiator
– Topology: Dual AF CPE <-> IPv4 <-> LNS
– Encapsulation: IPv6 Payload o L2TPv3 o IPv4
– /64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs
– ISP to Dual AF CPE PD and Auto-Config: RA (/64 prefix), DHCPv6 PD (/48 prefix), DNS, etc
– Dual AF CPE to Hosts Auto-Config: RA (/64 prefixes), DHCP (DNS, etc)
IPv6 over IPv4 Softwire with L2TPv3:
Case 2 – Router behind CPE as Softwire Initiator
– Topology: Dual AF Router <-> CPE <-> IPv4 <-> LNS
– Encapsulation: IPv6 Payload o L2TPv3 o UDP o IPv4
– /64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs
– ISP to Dual AF Router PD and Auto-Config: RA (/64 prefix), DHCPv6 PD (/48 prefix), DNS, etc
– Dual AF Router to Hosts Auto-Config: RA (/64 prefixes), DHCP (DNS, etc)
IPv6 over IPv4 Softwire with L2TPv3:
Case 3 – Host as Softwire Initiator
– Topology: Dual AF Host <-> CPE <-> IPv4 <-> LNS
– Encapsulation: IPv6 Payload o L2TPv3 o UDP o IPv4
– /64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs
– ISP to Dual AF Host Auto-Config: RA (/64 prefix), DHCPv4/v6 (DNS, etc)
IPv4 over IPv6 Softwire with L2TPv3:
Case 1 – CPE as Softwire Initiator
– Topology: Dual AF CPE <-> IPv6 <-> LNS
– Encapsulation: IPv4 Payload o L2TPv3 o IPv6
– IPv4 Address Assignment and DNS via new L2TPv3 AVPs
– ISP to Dual AF CPE IP Assignment and Auto-Config
– Dual AF CPE to Hosts IP Assignment and Auto-Config: DHCP (private IPv4 addresses and DNS, etc.)
IPv4 over IPv6 Softwire with L2TPv3:
Case 2 – Router behind CPE as Softwire Initiator
– Topology: Dual AF Router <-> CPE <-> IPv6 <-> LNS
– Encapsulation: IPv4 Payload o L2TPv3 o IPv6
– IPv4 Address Assignment and DNS via new L2TPv3 AVPs
– ISP to Dual AF Router IP Assignment and Auto-Config
– Dual AF Router to Hosts IP Assignment and Auto-Config: DHCP (private IPv4 addresses and DNS, etc.)
IPv4 over IPv6 Softwire with L2TPv3:
Case 3 – Host as Softwire Initiator
– Topology: Dual AF Host <-> CPE <-> IPv6 <-> LNS
– Encapsulation: IPv4 Payload o L2TPv3 o IPv6
– IPv4 Address Assignment and DNS via new L2TPv3 AVPs
– ISP to Dual AF Host IP Assignment and Auto-Config
L2TPv3 Enhanced Security
• Enhanced Control Plane Security
– Message Digest is calculated with entire control message
– Message Digest is calculated for all control message types
• Data Plane Security
– Provides an additional layer of defense for data packets, over and above ACLs, with the use of a simple cookie
L2TPv3 Security – What is the L2TPv3 “Cookie”?
Session ID (32 Bits) | Cookie (up to 64 Bits)
• The L2TPv3 Cookie is a cryptographically random value, present in each L2TPv3 packet
• Chosen by the receiver, associated with a Session ID, and signaled to the sender
• Cookies in the header must match upon receipt, otherwise the packet is dropped
• Provides an additional layer of security at a very important place: before switching packets out of the core and into the customer premises
• Casts a strategic balance for the SP: Stronger than ACLs, but less complex than IPSec encryption and key negotiation
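The receiver-side cookie check described on this slide (and the data channel protection noted under "L2TP and Security"), as an added Python example that is not part of the Cisco presentation or of any L2TP implementation; it also reproduces the per-packet overhead figures from the "Encap Optimization" slide. Assumed: sequencing disabled, 4- or 8-byte cookies, and the RFC 3931 Flags & Ver word (T=0, Ver=3) in front of the Session ID for the UDP case.

```python
# Added example: L2TPv3 data header build/validate (not the slides' own code).
import hmac
import secrets
import struct

UDP_HEADER_LEN = 8  # bytes, as on the slides' encapsulation diagrams


def new_cookie(length: int = 8) -> bytes:
    # Receiver-chosen, cryptographically random; 4 or 8 bytes (64 bits max).
    if length not in (4, 8):
        raise ValueError("L2TPv3 cookie must be 4 or 8 bytes")
    return secrets.token_bytes(length)


def build_data_header(session_id: int, cookie: bytes = b"", over_udp: bool = False) -> bytes:
    # Over UDP a 4-byte Flags & Ver word precedes the Session ID: T=0 (data), Ver=3.
    # Over IP the header is just Session ID + optional cookie (UDP header not included).
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be absent, 4 or 8 bytes")
    flags = struct.pack("!HH", 0x0003, 0) if over_udp else b""
    return flags + struct.pack("!I", session_id) + cookie


def encap_overhead(over_udp: bool, cookie_len: int, ppp: bool = False) -> int:
    # Bytes added above the outer IP header; PPP adds a 2-byte protocol ID.
    hdr = build_data_header(1, b"\x00" * cookie_len, over_udp)
    return (UDP_HEADER_LEN if over_udp else 0) + len(hdr) + (2 if ppp else 0)


def receive(sessions: dict, pkt: bytes, over_udp: bool = False):
    # sessions: local Session ID -> cookie this receiver signalled to the sender.
    # Returns (session_id, payload), or None when the packet must be dropped.
    off = 4 if over_udp else 0
    if len(pkt) < off + 4:
        return None
    if over_udp:
        flags = struct.unpack_from("!H", pkt, 0)[0]
        if flags & 0x8000 or flags & 0x000F != 3:
            return None  # control message (T=1) or wrong version: not data
    session_id = struct.unpack_from("!I", pkt, off)[0]
    expected = sessions.get(session_id)
    if expected is None:
        return None  # unknown Session ID: drop
    got = pkt[off + 4:off + 4 + len(expected)]
    # Cookie absent, truncated or different: drop. compare_digest is this
    # example's choice, not something the slides or RFC 3931 require.
    if len(got) != len(expected) or not hmac.compare_digest(got, expected):
        return None
    return session_id, pkt[off + 4 + len(expected):]
```

Session ID 0 is reserved for control messages when L2TPv3 runs directly over IP, so a real receiver would never install it in `sessions`.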
Summary of L2TPv3 Changes
• Accounting RFC similar to RFC 2867
• MIB RFC similar to RFC 3371
• Definition of AVPs to support basic IPCP and IPv6CP functions
L2TP vs IPsec ESP Tunnel
• L2TP has an in band control plane
– Inability to transmit data usually results in tunnel setup failure
– Failures in data transport usually result in protocol “keep alive” failures
– L2TPv3 VCCV can detect failures at the data switching level
• L2TP infrastructure already exists for large scale data transport
L2TP vs GRE
• GRE doesn’t specify a control plane
– The control plane must be provided by some other protocol
– An “in band” control plane is not possible