Softwires L2TPv2 Hubs & Spokes for Phase I

Softwires L2TPv2 Hubs & Spokes for Phase I
Maria Alice Dos Santos, Cisco; Jean Francois Tremblay, Hexago; Bill Storer, Cisco; Jordi Palet, Consulintel; Carl Williams, KDDI; and others
65th IETF - Dallas, TX, USA

L2TPv2 vs TSP
- At the Softwires interim meeting in Hong Kong, multiple protocols (ATS6, TSP, L2TPv2) were proposed as the Phase I Hubs & Spokes Softwire solution.
- At the interim meeting, a non-technical requirement evaluation of the proposed protocols was conducted. The two leading protocols were L2TPv2 and TSP:
  - L2TPv2 average score: 97 (rounded)
  - TSP average score: 86 (rounded)
- A technical comparison between L2TPv2 and TSP was conducted and discussed on the mailing list.
- The WG selected L2TPv2 as the Phase I Hubs & Spokes solution based on the comparison results in the categories that follow.

Standardization Status
L2TPv2 (RFC 2661) has been standardized since 1999:
- RFC 2661 - Layer Two Tunneling Protocol "L2TP" (PS)
- RFC 2867 - RADIUS Accounting Modifications for Tunnel Protocol Support (Inf.)
- RFC 3371 - Layer Two Tunneling Protocol "L2TP" Management Information Base (PS)
- RFC 3193 - Securing L2TP using IPsec (PS)
- RFC 3948 - UDP Encapsulation of IPsec ESP Packets (PS)
- RFC 3145 - L2TP Disconnect Cause Information (PS)
- RFC 3308 - Layer Two Tunneling Protocol (L2TP) Differentiated Services Extension (PS)
TSP has been sent to the RFC Editor as an individual submission:
- draft-vg-ngtrans-tsp-00.txt, submitted in 2001
- draft-blanchet-v6ops-tunnelbroker-tsp-03.txt

Interoperability
The L2TPv2 protocol has been proven by numerous independent, interoperable implementations:
- Major router vendors: Cisco, Juniper, Redback, Nortel, Laurel (with IPv6 support)
- Linux/POSIX-based OSs (GPL): Sourceforge.net, Roaring Penguin, etc.
- CPE implementations: Linksys IPv6-over-IPv4 clients implemented by Point6 and NTT (GPL-based)
- Native Microsoft Windows client: IPv4-over-IPv4 client supported on all Windows versions; IPv6-over-IPv4 client supported on Vista / Longhorn (PPPv6 and DHCPv6 included; to be released end of 2006)
- Downloadable Windows XP clients: IPv6-over-IPv4 client by NTT, Trumpet; IPv6-over-IPv4 and IPv4-over-IPv6 client by SixXs (to be released in 2 months)
- Source code availability: GPL (Roaring Penguin, etc.); commercial Windows / Linux / Mac implementations (Paravirtual and others)
One TSP server implementation exists, while the TSP client has been implemented by multiple entities:
- TSP server: Hexago
- TSP CPE clients: Draytek, Panasonic, NEC (GPL-based)
- Independent implementations: ENST, University of Southampton, SixXs (Windows and Unix)

Scalability
L2TPv2 scalability has been proven in large-scale commercial VPN deployments:
- L2TPv2 has scaled to millions of subscribers in multiple IPv4-over-IPv4 VPN deployments
- Upper tens of thousands of concurrent L2TPv2 sessions on a single node (or "LNS")
- Call setup rates in the hundreds per second
TSP scalability has yet to be demonstrated in multiple-server commercial settings:
- Freenet6 has 10,000 tunnels now on a single server
- 50,000 tunnels have been tested on one broker

Deployment Experience
L2TPv2 deployment experience:
- L2TPv2 is widely used in large-scale IPv4-over-IPv4 VPN commercial deployments, with AAA, accounting and MIB well integrated in the solutions; cases in point are NTT, BT and AOL (millions of tunnels each)
- L2TPv2 is used in IPv6-over-IPv4 deployments: Point6; the NTT commercial IPv6 tunnel service
TSP deployment experience:
- Freenet6 TSP commercial IPv6-over-IPv4 deployment since 2003 (10K tunnels)
- KDDI TSP trial IPv4-over-IPv6 deployment (1000 tunnels)
- AT&T and Wanadoo trials, no numbers
- NTT and DoD have ongoing trials

OAM
L2TPv2:
- Standardized accounting and MIB: RFC 2867 "RADIUS Accounting Modifications for Tunnel Protocol Support" (Inf.), RFC 3371 "L2TP MIB" (PS), RFC 3145 "L2TP Disconnect Cause Information" (PS)
- In-band signaling (control plane in sync with data connectivity status)
- Control plane stays up for the life of the tunnel (tunnel maintenance is supported after the setup phase)
- High availability: draft-ietf-l2tpext-failover-06.txt, "Fail Over extensions for L2TP"
TSP:
- No standardized accounting or MIB
- Also uses in-band signaling
- Control plane is ephemeral; it goes away after the tunnel setup phase (e.g. the TSP server has to tear down and re-establish the tunnel if the keepalive interval needs adjustment)

Authentication/Security
L2TPv2:
- Standardized full tunnel protection with IPsec (L2TPv2 over IPsec): RFC 3193 "Securing L2TP using IPsec", RFC 3948 "UDP Encapsulation of IPsec ESP Packets"
- Built-in mutual tunnel authentication (shared-secret challenge/response during tunnel setup)
- Inherits PPP per-user authentication
- Data is encapsulated in a session header carrying tunnel and session IDs, which makes blind injection harder than with IP-in-IP (protocol 41) encapsulation. Caveat: the L2TPv2 tunnel and session IDs are 16-bit values chosen by the endpoints, not secrets, and neither tunnel authentication nor PPP authentication protects the data plane; confidentiality and integrity come only from the RFC 3193 IPsec profile.
TSP:
- No security or encryption draft or standard specified for TSP
- Supports mutual authentication
- Uses IP-in-IP (protocol 41) encapsulation, which is "easy to spoof" (an RPF check is to be used)
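The "built-in mutual tunnel authentication" above is the SCCRQ / SCCRP / SCCCN exchange of RFC 2661 section 5.1.1: each side sends a Challenge AVP, and the peer answers with a Challenge Response AVP computed CHAP-style (RFC 1994) over the message type (2 for SCCRP, 3 for SCCCN), the shared tunnel secret and the challenge. The following is an added example written for this page, not code from the presentation or from any L2TP implementation; the host names and secrets are made up, and control messages are modelled as dicts rather than wire-encoded AVPs. It runs both sides of the exchange and also shows what a passive observer can do with one captured challenge/response pair.

```python
"""L2TPv2 tunnel authentication (RFC 2661 section 5.1.1) as a worked exchange.

Message types SCCRQ=1, SCCRP=2, SCCCN=3 and the CHAP-style response
construction are from RFC 2661; the host names and secrets are made up, and
control messages are modelled as dicts rather than wire-encoded AVPs.
"""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3


def challenge_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value: CHAP (RFC 1994) response with the CHAP ID
    equal to the message type of the message that carries the response."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


class TunnelEndpoint:
    """One side of a tunnel; the same class serves as LAC or LNS."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.my_challenge = b""
        self.peer_authenticated = False

    # ---- LAC (initiator) side ----
    def sccrq(self) -> dict:
        self.my_challenge = os.urandom(16)
        return {"type": SCCRQ, "host_name": self.name, "challenge": self.my_challenge}

    def scccn(self, sccrp: dict) -> dict:
        if sccrp["type"] != SCCRP:
            raise ValueError("expected SCCRP")
        self._verify(sccrp)                      # LNS proves knowledge of the secret
        return {"type": SCCCN,
                "challenge_response": challenge_response(SCCCN, self.secret, sccrp["challenge"])}

    # ---- LNS (responder) side ----
    def sccrp(self, sccrq: dict) -> dict:
        if sccrq["type"] != SCCRQ:
            raise ValueError("expected SCCRQ")
        self.my_challenge = os.urandom(16)
        return {"type": SCCRP, "host_name": self.name, "challenge": self.my_challenge,
                "challenge_response": challenge_response(SCCRP, self.secret, sccrq["challenge"])}

    def accept_scccn(self, scccn: dict) -> None:
        if scccn["type"] != SCCCN:
            raise ValueError("expected SCCCN")
        self._verify(scccn)                      # LAC proves knowledge of the secret

    def _verify(self, msg: dict) -> None:
        expected = challenge_response(msg["type"], self.secret, self.my_challenge)
        if not hmac.compare_digest(expected, msg.get("challenge_response", b"")):
            raise PermissionError(f"{self.name}: tunnel authentication failed")
        self.peer_authenticated = True


def establish_tunnel(lac: TunnelEndpoint, lns: TunnelEndpoint) -> bool:
    """Run SCCRQ -> SCCRP -> SCCCN; True only when both sides authenticated the peer."""
    rq = lac.sccrq()
    rp = lns.sccrp(rq)
    cn = lac.scccn(rp)        # raises PermissionError if the LNS response is wrong
    lns.accept_scccn(cn)      # raises PermissionError if the LAC response is wrong
    return lac.peer_authenticated and lns.peer_authenticated


def offline_guess(msg_type: int, challenge: bytes, response: bytes, candidates):
    """What a passive observer can do with one captured Challenge / Challenge
    Response pair: test candidate secrets offline until one reproduces it."""
    for candidate in candidates:
        if challenge_response(msg_type, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    ok = establish_tunnel(TunnelEndpoint("lac.example", b"s3cret"),
                          TunnelEndpoint("lns.example", b"s3cret"))
    print("mutual tunnel authentication:", ok)
```

Two things the exchange makes visible. Only SCCRP and SCCCN carry a response, so every later control message (ICRQ, Hello, StopCCN) and every data packet is accepted on tunnel and session ID alone unless the tunnel runs over IPsec; that is the "just portions at tunnel setup" weakness the L2TPv3 slides below address. And because the response is an unsalted MD5 over a shared secret, one captured pair lets `offline_guess` test secrets at hash speed, so the tunnel secret must be long and random, not a password.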

L2TPv2 Phase I Hubs & Spokes Softwire Solution
- L2TPv2 Hubs & Spokes Softwire framework draft to be delivered (LC) in July 2006
- Document / recommend / define L2TPv2 Hubs & Spokes Softwire solution implementation specifics
- Examples of topics to be covered by the framework draft (credits to Jean Francois Tremblay, Jordi Palet and Ole Troan for the initial list of topics):
  - How L2TPv2 satisfies the H&S Softwire requirements
  - Deployment scenarios with L2TPv2 and the other components involved in the H&S solution
  - Standardization status of L2TPv2 and the other components involved in the H&S solution
  - Provisioning models (addresses, prefix delegation, DNS, etc.)
  - L2TPv2 tunnel setup / maintenance specifics in the H&S solution
  - AAA integration / infrastructure and statistics
  - Security analysis for L2TPv2 H&S
  - Implementation status
  - Others?

IPv6 over IPv4 Softwire with L2TPv2: Case 1 - Host CPE as Softwire Initiator
[Figure: a Dual AF Host CPE acting as LAC, connected across an IPv4 network to the LNS. Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4. ISP to Dual AF Host CPE auto-config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); /64 prefix via RA; DNS etc. via DHCPv4/v6.]

IPv6 over IPv4 Softwire with L2TPv2: Case 2 - CPE as Softwire Initiator
[Figure: a Dual AF CPE acting as LAC, connected across an IPv4 network to the LNS. Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4. ISP to Dual AF CPE PD and auto-config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); /64 prefix via RA; /48 prefix via DHCPv6 PD; DNS etc. via DHCPv4/v6. Dual AF CPE to hosts auto-config: /64 prefixes via RA; DNS etc.]

IPv6 over IPv4 Softwire with L2TPv2: Case 3 - Host behind CPE as Softwire Initiator
[Figure: a Dual AF Host acting as LAC behind an IPv4-only CPE, connected across an IPv4 network to the LNS. Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4. ISP to Dual AF Host auto-config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); /64 prefix via RA; DNS etc. via DHCPv4/v6.]

IPv6 over IPv4 Softwire with L2TPv2: Case 4 - Router behind CPE as Softwire Initiator
[Figure: a Dual AF Router acting as LAC behind an IPv4-only CPE, connected across an IPv4 network to the LNS. Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4. ISP to Dual AF Router PD and auto-config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); /64 prefix via RA; /48 prefix via DHCPv6 PD; DNS etc. via DHCPv4/v6. Dual AF Router to hosts auto-config: /64 prefixes via RA; DNS etc.]

IPv4 over IPv6 Softwire with L2TPv2: Case 1 - Host CPE as Softwire Initiator
[Figure: a Dual AF Host CPE acting as LAC, connected across an IPv6 network to the LNS. Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6. ISP to Dual AF Host CPE IP assignment and auto-config: IPCP assigns a global IPv4 address, DNS, etc.]

IPv4 over IPv6 Softwire with L2TPv2: Case 2 - CPE as Softwire Initiator
[Figure: a Dual AF CPE acting as LAC, connected across an IPv6 network to the LNS. Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6. ISP to Dual AF CPE IP assignment and auto-config: IPCP assigns a global IPv4 address, DNS, etc. Dual AF CPE to hosts IP assignment and auto-config: private IPv4 addresses, DNS, etc. via DHCP.]

IPv4 over IPv6 Softwire with L2TPv2: Case 3 - Host behind CPE as Softwire Initiator
[Figure: a Dual AF Host acting as LAC behind an IPv6-only CPE, connected across an IPv6 network to the LNS. Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6. ISP to Dual AF Host IP assignment and auto-config: IPCP assigns a global IPv4 address, DNS, etc.]

IPv4 over IPv6 Softwire with L2TPv2: Case 4 - Router behind CPE as Softwire Initiator
[Figure: a Dual AF Router acting as LAC behind an IPv6-only CPE, connected across an IPv6 network to the LNS. Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6. ISP to Dual AF Router IP assignment and auto-config: IPCP assigns a global IPv4 address, DNS, etc. Dual AF Router to hosts IP assignment and auto-config: private IPv4 addresses, DNS, etc. via DHCP.]

IPv6 over L2TPv2 over IPv4 Today
- NTT: http://www.ntt.com/release_e/news05/0011/1121.html and http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
- Point6: draft-toutain-softwire-point6box-00
- Cisco: http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html

L2TPv3 Proposed as Phase II Hubs & Spokes Softwire Standard
- L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
- The automatic fallback to L2TPv2 defined in L2TPv3 (RFC 3931) allows a seamless transition from L2TPv2 to L2TPv3 (backward compatibility is a key requirement for Phase II)
- L2TPv3 isn't as widely implemented as L2TPv2

L2TPv3 for the Future
[Figure: L2TPv3 encapsulation stack. Outer IPv4 or IPv6 header; optional UDP header; L2TP version field; 32-bit Session ID; optional cookie of up to 64 bits; then the payload, which can be PPP, HDLC, Frame Relay, Ethernet, ATM (cell or packet), MPLS or IP.]

Why Move to L2TPv3?
Improvements with L2TPv3:
- Stronger tunnel authentication mechanism covering all control messages, rather than just portions of the exchange at tunnel setup
- Built-in lightweight data-plane security: it still works with IPsec transport mode, but the built-in cryptographically random cookie gives extra protection against blind insertion attacks
- More efficient header encapsulation: a 32-bit flat session ID gives a more efficient lookup in the forwarding plane
- Runs over either IP or UDP
- L2TPv3 can tunnel IP directly, without PPP
- Reduced tunnel/session setup time
- Reduced data encapsulation size
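The "blind insertion" point and the earlier remark that L2TPv2 session headers beat protocol 41 are easiest to see in the demultiplexing step that a concentrator performs on every data packet. The following is an added example written for this page, not code from the presentation or from any L2TP implementation: it parses the L2TPv2 header of RFC 2661 section 3.1 and the L2TPv3-over-UDP data header of RFC 3931 section 4.1.2.2 (version nibble, 32-bit Session ID, optional cookie), then applies each version's acceptance rule. The session table, IDs, cookie and payloads are constructed here; nothing is read from the network.

```python
"""Data-plane demultiplexing for L2TPv2 (RFC 2661 3.1) and L2TPv3 over UDP
(RFC 3931 4.1.2.2). Added example; session tables and packets are constructed.

L2TPv2 accepts a data packet when (tunnel ID, session ID) is known: two
16-bit values that the endpoints pick, so a forger only has to guess them.
L2TPv3 additionally requires the per-session cookie, which the receiver chose
at random, so guessing IDs alone no longer gets a packet into the session.
"""
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    cookie: bytes = b""        # L2TPv3 only; 0, 4 or 8 bytes


def parse_l2tpv2(pkt: bytes) -> Tuple[bool, int, int, bytes]:
    """Return (is_control, tunnel_id, session_id, payload); raise ValueError on bad input."""
    if len(pkt) < 6:
        raise ValueError("short header")
    flags = struct.unpack_from("!H", pkt, 0)[0]
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    t, l, s, o = (bool(flags & m) for m in (0x8000, 0x4000, 0x0800, 0x0200))
    if t and not (l and s):
        raise ValueError("control messages must carry Length and Ns/Nr")
    fixed = 2 + 2 * l + 4 + 4 * s + 2 * o        # header size before any offset pad
    if len(pkt) < fixed:
        raise ValueError("short header")
    off, end = 2, len(pkt)
    if l:
        end = struct.unpack_from("!H", pkt, off)[0]
        off += 2
        if end > len(pkt):
            raise ValueError("Length exceeds datagram")
    tunnel_id, session_id = struct.unpack_from("!HH", pkt, off)
    off += 4 + 4 * s                              # skip Ns/Nr when present
    if o:
        off += 2 + struct.unpack_from("!H", pkt, off)[0]   # Offset Size + pad
    if off > end:
        raise ValueError("header overruns Length")
    return t, tunnel_id, session_id, pkt[off:end]


def parse_l2tpv3_udp_data(pkt: bytes, cookie_len: int) -> Tuple[int, bytes, bytes]:
    """Return (session_id, cookie, payload) for an L2TPv3-over-UDP data message."""
    if len(pkt) < 8 + cookie_len:
        raise ValueError("short header")
    flags, _reserved, session_id = struct.unpack_from("!HHI", pkt, 0)
    if flags & 0x8000 or flags & 0x000F != 3:
        raise ValueError("not an L2TPv3 data message")
    return session_id, pkt[8:8 + cookie_len], pkt[8 + cookie_len:]


def accept_v2(pkt: bytes, sessions: dict) -> Optional[bytes]:
    """L2TPv2 rule: known (tunnel_id, session_id) is all it takes to be forwarded."""
    try:
        is_control, tid, sid, payload = parse_l2tpv2(pkt)
    except ValueError:
        return None
    if is_control or (tid, sid) not in sessions:
        return None
    return payload


def accept_v3(pkt: bytes, sessions: dict, cookie_len: int = 8) -> Optional[bytes]:
    """L2TPv3 rule: known session ID AND the cookie matches (constant-time compare)."""
    try:
        sid, cookie, payload = parse_l2tpv3_udp_data(pkt, cookie_len)
    except ValueError:
        return None
    sess = sessions.get(sid)
    if sess is None or not hmac.compare_digest(sess.cookie, cookie):
        return None
    return payload


def build_v2_data(tid: int, sid: int, payload: bytes) -> bytes:
    return struct.pack("!HHH", 0x0002, tid, sid) + payload       # no L, S or O bits


def build_v3_data(sid: int, cookie: bytes, payload: bytes) -> bytes:
    return struct.pack("!HHI", 0x0003, 0, sid) + cookie + payload


if __name__ == "__main__":
    forged = build_v2_data(7, 1, b"injected")
    print("v2 forwards a forged packet with guessed IDs:", accept_v2(forged, {(7, 1): Session()}))
```

In practice the L2TPv2 ID space is smaller than 2^32 because tunnel and session IDs are allocated sequentially from low values, so an off-path attacker who can spoof the LAC's source address has a realistic chance of landing a packet inside a live session; with an 8-byte random cookie the same attacker needs 2^64 guesses per session. Neither check authenticates the payload, which is why the slide still pairs L2TPv3 with IPsec transport mode when the path is untrusted.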

Phase II Hubs & Spokes Softwires with L2TPv3
L2TPv3 Hubs & Spokes Softwire framework draft:
- Investigation starts in March (in the background of the Phase I work)
- Progress will be presented at the post-July 2006 interim meeting
- Framework draft to be delivered (LC) in November 2006
- Document / recommend / define L2TPv3 Hubs & Spokes Softwire solution implementation specifics: PPP over L2TPv3; IP over L2TPv3
Additional potential items for Phase II:
- DHCP integration (as an AAA mechanism in addition to RADIUS)
- Softwire Concentrator auto-discovery
- IP over L2TPv3 solution: investigate a solution without PPP
- NAT discovery
- Mobility and nomadicity

To be continued...