Layer 2 Tunneling Protocol (L2TP)

Presentation transcript:

Layer 2 Tunneling Protocol (L2TP)
An example of a VPN built on the network layer: IP (UDP) packets are used to encapsulate Layer 2 frames, originally PPP frames.
Previous RFC (v2): RFC 2661, Layer Two Tunneling Protocol "L2TP", W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter, August 1999 (PROPOSED STANDARD). It defines a standard method for tunneling Point-to-Point Protocol (PPP) [RFC1661] sessions.
Note: L2TP has since been adopted for tunneling a number of other L2 protocols (e.g., Ethernet, Frame Relay, etc.) in L2TPv3 [RFC3931].
T. A. Yang Network Security

Point-to-Point Protocol (PPP [RFC1661])
PPP defines an encapsulation mechanism for transporting multiprotocol packets across Layer 2 (L2) point-to-point links.
PPP relies on the Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection, and on a family of Network Control Protocols (NCPs) for establishing and configuring the different network-layer protocols carried over the link.
Typically, a user obtains an L2 connection to a Network Access Server (NAS) using one of a number of techniques (e.g., dialup POTS, ISDN, ADSL) and then runs PPP over that connection.
Example: a customer uses a dialup modem or a DSL line to connect to the ISP's or the company's modem pool.
Dial client (PPP peer) <-- PPP --> NAS (e.g., ISP)
In such a configuration, the L2 termination point and the PPP session endpoint reside on the same physical device (the NAS).

Layer 2 Tunneling Protocol: Types of L2TP Tunnels
Compulsory L2TP tunneling: the client is completely unaware of the presence of the L2TP connection. The L2TP Access Concentrator (LAC), i.e. the NAS the client dials into, is the L2TP-aware endpoint; it tunnels the client's PPP session without any cooperation or software on the client, so the client has no say in (and no visibility of) where its PPP session is terminated.
Figure 12-3: (client) --PPP + Data--> (LAC) --L2TP + Data--> (LNS)
LAC (L2TP Access Concentrator) and LNS (L2TP Network Server): in this model the LAC is typically the initiator of the tunnel while the LNS is the server that waits for new tunnels. (http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol)

Layer 2 Tunneling Protocol: Types of L2TP Tunnels (cont.)
Voluntary L2TP tunneling: the client is aware of the L2TP connection and performs the LAC function itself, so it needs L2TP software. The access device in the path (labelled LAC in the figure, i.e. the ISP's NAS) is unaware of L2TP and simply forwards the client's IP packets; the tunnel runs end to end from the client to the LNS.
Figure 12-4: (client) --PPP + L2TP + Data--> (LAC) --L2TP + Data--> (LNS)

Layer 2 Tunneling Protocol (cont.)
L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network (PSN).
With L2TP, a user has an L2 connection to an L2TP Access Concentrator (LAC, e.g., a modem bank, an ADSL DSLAM), and the concentrator tunnels individual PPP frames to the L2TP Network Server (LNS).
Dial client (PPP peer) <-- PPP --> LAC <-- L2TP tunnel --> LNS
This allows the actual processing of PPP packets (including user authentication and address assignment) to be separated from the termination of the L2 circuit.

Layer 2 Tunneling Protocol (cont.): A typical L2TP scenario (figure from RFC 2661)

Layer 2 Tunneling Protocol (cont.)
RFC 3931, Layer Two Tunneling Protocol - Version 3 (L2TPv3), J. Lau, Ed., M. Townsley, Ed., I. Goyret, Ed., March 2005 (PROPOSED STANDARD).
L2TPv3 defines the base control protocol and encapsulation for tunneling multiple Layer 2 connections between two IP nodes.
L2TPv3 consists of the control protocol for dynamic creation, maintenance, and teardown of L2TP sessions, and the L2TP data encapsulation to multiplex and demultiplex L2 data streams between two L2TP nodes across an IP network.

Layer 2 Tunneling Protocol (cont.)
L2TP (according to TheFreeDictionary, http://computing-dictionary.thefreedictionary.com/L2TP): a protocol from the IETF that allows a PPP session to travel over multiple links and networks. (Note: carrying PPP only is a limitation of L2TPv2; L2TPv3 lifts it.)
L2TP is used to allow remote users access to the corporate network. PPP is used to encapsulate IP packets from the user's PC to the ISP, and L2TP extends that session across the Internet.
L2TP was derived from Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F) technology.

Layer 2 Tunneling Protocol (cont.)
From Access Concentrator to Network Server: the "L2TP Access Concentrator" (LAC) encapsulates PPP frames with L2TP headers and sends them over the Internet as UDP packets (port 1701), or over an ATM, Frame Relay or X.25 network. At the other end, the "L2TP Network Server" (LNS) terminates the PPP session and hands the IP packets to the LAN. L2TP software can also be run in the user's PC (voluntary tunneling).
Carriers also use L2TP to offer remote points of presence (POPs) to smaller ISPs. Users in remote locations dial into the carrier's local modem pool, and the carrier's LAC forwards L2TP traffic to the ISP's LNS.
user --original IP packet (p)--> --PPP+p--> LAC --L2TP+PPP+p--> LNS
L2TP and IPsec: L2TP itself provides no encryption and no per-packet integrity protection (unlike PPTP, which bundles MPPE encryption), so anyone on the path between LAC and LNS can read or alter the tunneled PPP frames, including the PAP/CHAP authentication exchange inside them. It is therefore usually combined with IPsec (L2TP/IPsec, RFC 3193) to provide virtual private network (VPN) connections from remote users to the corporate LAN.

L2TP Operations
Assumption: compulsory tunneling.
The procedure:
1. The client initiates a PPP connection to the LAC.
2. The LAC performs LCP negotiation with the client and challenges the client for authentication credentials.
3. The client supplies the credentials (such as user name, domain name, password).
4. The LAC uses the domain name to ascertain which LNS it needs to contact (in the case of multiple domains).
5. The LAC begins establishing an L2TP tunnel with the LNS.
Two stages of L2TP tunnel setup:
- Set up a control connection between the LAC and the LNS; in RFC 2661 terms the control connection is the tunnel.
- Set up a session within that tunnel for the PPP call (aka "creating the session"); the session carries the data.
Notes: between a given LAC/LNS pair there may exist multiple tunnels, and across a single L2TP tunnel there may exist multiple sessions, one per PPP call. Every data packet therefore carries both a Tunnel ID and a Session ID.
* LCP negotiation: LCP, short for Link Control Protocol, is part of PPP. In PPP communications, both the sending and receiving devices send out LCP packets to determine the specific information that will be required for the data transmission. LCP checks the identity of the linked device and either accepts or rejects the peer device, determines the acceptable packet size for transmission, searches for errors in configuration, and can terminate the link if the parameters are not satisfied. Data cannot be transmitted over the link until LCP determines that the link is acceptable.

L2TP Tunnel Setup (figure from RFC 2661)

L2TP Operations: Control Connection Establishment
Purpose: establish (and optionally authenticate) the peer's identity, and exchange the peer's L2TP protocol version, framing and bearer capabilities, receive window, etc.
LAC --SCCRQ (Start-Control-Connection-Request)--> LNS
LAC <--SCCRP (Start-Control-Connection-Reply)-- LNS
LAC --SCCCN (Start-Control-Connection-Connected)--> LNS
--------------------------------------------------------------------------------------
LAC <--ZLB ACK-- LNS
Zero-Length Body Acknowledgement (ZLB ACK): a control message with no AVPs, sent only when the receiver has no further message waiting in its queue for that peer that could carry the acknowledgement (Nr) instead.
Note: RFC 2661 tunnel authentication is optional and CHAP-like: a Challenge AVP in SCCRQ/SCCRP is answered by a Challenge Response AVP (MD5 over the message type, the shared tunnel secret and the challenge) in SCCRP/SCCCN. It authenticates only the control connection setup; it does not authenticate or protect the data packets that follow.

L2TP Operations: Session Establishment
A session may be created only after a control connection has been successfully established. Each session corresponds to a single PPP stream between the LAC and the LNS.
Session establishment is directional:
- Incoming call: the LAC asks the LNS to accept a session;
- Outgoing call: the LNS asks the LAC to accept (place) a session.
Incoming Call Establishment:
LAC --ICRQ (Incoming-Call-Request)--> LNS
LAC <--ICRP (Incoming-Call-Reply)-- LNS
LAC --ICCN (Incoming-Call-Connected)--> LNS
--------------------------------------------------------------------------------------
LAC <--ZLB ACK-- LNS
The ZLB ACK is sent if there are no further messages waiting in the queue for that peer.
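The two exchanges above (control connection with tunnel authentication, then an incoming call), together with the proxy authentication described later in the slides, as an added example that is not part of the original presentation. It models the RFC 2661 messages as Python dicts rather than wire-format packets; the tunnel secret, the user database, the user name and the session IDs are constructed for illustration.

```python
"""Compulsory L2TP tunnel bring-up as a message exchange (RFC 2661):
tunnel authentication on the control connection (SCCRQ / SCCRP / SCCCN),
then an incoming call (ICRQ / ICRP / ICCN) whose ICCN carries the client's
PPP CHAP exchange in Proxy Authen AVPs for the LNS to verify.
Added example: messages are dicts, not wire-format L2TP."""
import hashlib
import hmac
import os

SCCRQ, SCCRP, SCCCN = 1, 2, 3       # Message Type AVP values, control connection
ICRQ, ICRP, ICCN = 10, 11, 12       # Message Type AVP values, incoming call


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response, also used by RFC 2661 tunnel authentication:
    MD5(ID || secret || challenge). MD5 is what the protocol mandates; it is
    kept here for fidelity, not as a recommendation."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def control_connection(lac_secret: bytes, lns_secret: bytes) -> bool:
    """Three-way SCCRQ/SCCRP/SCCCN handshake with tunnel authentication.
    Each side holds the shared tunnel secret; the CHAP ID used for a response
    is the Message Type of the message carrying it (2 for SCCRP, 3 for SCCCN).
    Returns True only if both peers accept each other's response."""
    lac_challenge = os.urandom(16)
    sccrq = {"type": SCCRQ, "challenge": lac_challenge}                 # LAC -> LNS

    lns_challenge = os.urandom(16)
    sccrp = {"type": SCCRP, "challenge": lns_challenge,                 # LNS -> LAC
             "response": chap_response(SCCRP, lns_secret, sccrq["challenge"])}

    # LAC verifies the LNS before answering the LNS's challenge
    if not hmac.compare_digest(sccrp["response"],
                               chap_response(SCCRP, lac_secret, lac_challenge)):
        return False                                                    # StopCCN in practice
    scccn = {"type": SCCCN,                                             # LAC -> LNS
             "response": chap_response(SCCCN, lac_secret, sccrp["challenge"])}

    # LNS verifies the LAC; only now is the tunnel up and sessions allowed
    return hmac.compare_digest(scccn["response"],
                               chap_response(SCCCN, lns_secret, lns_challenge))


def incoming_call(users: dict, username: str, password: str,
                  lac_session_id: int = 7, lns_session_id: int = 42):
    """ICRQ/ICRP/ICCN for one PPP call. The LAC already ran PPP CHAP with
    the dial client; it forwards name, challenge, ID and response in
    Proxy Authen AVPs on the ICCN, and the LNS, which holds the user
    database (`users`, a constructed {name: password} map), decides.
    Returns (LAC session id, LNS session id) on success, else None."""
    # client <-> LAC: PPP CHAP; the client proves the password it holds
    chap_id, chap_challenge = 0x2A, os.urandom(16)
    client_response = chap_response(chap_id, password.encode(), chap_challenge)

    icrq = {"type": ICRQ, "assigned_session_id": lac_session_id}       # LAC -> LNS
    icrp = {"type": ICRP, "assigned_session_id": lns_session_id}       # LNS -> LAC
    iccn = {"type": ICCN, "proxy_authen": {                            # LAC -> LNS
        "type": "CHAP", "name": username, "id": chap_id,
        "challenge": chap_challenge, "response": client_response}}

    # LNS side: recompute from its own copy of the user's secret
    pa = iccn["proxy_authen"]
    stored = users.get(pa["name"])
    if stored is None:
        return None
    expected = chap_response(pa["id"], stored.encode(), pa["challenge"])
    if not hmac.compare_digest(pa["response"], expected):
        return None                                                     # CDN would follow
    return icrq["assigned_session_id"], icrp["assigned_session_id"]


if __name__ == "__main__":
    tunnel_secret = b"tunnel-psk"                                       # constructed
    assert control_connection(tunnel_secret, tunnel_secret)
    print(incoming_call({"alice": "correct horse"}, "alice", "correct horse"))
```

Two points the dict model makes visible: the LAC only answers the LNS's challenge after it has checked the LNS's own response, and the user's password never leaves the LNS's database, only a challenge/response pair crosses the tunnel. Without IPsec, that pair is still readable by anyone between LAC and LNS.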

Challenge-Handshake Authentication Protocol (CHAP) (figure slide)

L2TP Message Header (figure from RFC 2661)
Ns: sequence number of this data or control message; Nr: sequence number of the next message expected from the peer. Both fields are present only when the S bit is set; the S bit (and therefore Ns/Nr) is mandatory in control messages and optional in data messages. Every message also carries a Tunnel ID and a Session ID, which is how packets arriving on UDP port 1701 are demultiplexed to the right PPP stream.
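A wire-level companion to the header slide, added here as an example (not code from the presentation): it builds an SCCRQ control message from RFC 2661 AVPs, parses the header and AVPs back out, and demultiplexes data messages by (Tunnel ID, Session ID). The host name, tunnel ID and the four-byte PPP payload are constructed for the example.

```python
"""L2TPv2 (RFC 2661) header and AVP handling: build an SCCRQ, parse it, and
demultiplex data packets to PPP streams by (Tunnel ID, Session ID).
Added example; not from the slides."""
import struct

L2TP_VERSION = 2
F_T, F_L, F_S, F_O, F_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100   # header flag bits
# IETF AVP attribute types used here (RFC 2661 section 4.4)
AVP_MESSAGE_TYPE, AVP_PROTOCOL_VERSION, AVP_HOST_NAME, AVP_ASSIGNED_TUNNEL_ID = 0, 2, 7, 9
AVP_M, AVP_H = 0x8000, 0x4000          # Mandatory and Hidden bits of the AVP header


def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """6-octet AVP header (M/H bits + 10-bit length, Vendor ID 0 = IETF, type)."""
    length = 6 + len(value)
    flags_len = (AVP_M if mandatory else 0) | (length & 0x03FF)
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def parse_avps(payload: bytes) -> list:
    """Walk the AVP list, refusing malformed lengths and hidden AVPs
    (hidden AVPs need the tunnel secret and the Random Vector to decode)."""
    avps, off = [], 0
    while off < len(payload):
        if off + 6 > len(payload):
            raise ValueError("truncated AVP header")
        flags_len, vendor, attr = struct.unpack_from("!HHH", payload, off)
        length = flags_len & 0x03FF
        if length < 6 or off + length > len(payload):
            raise ValueError("malformed AVP length")
        if flags_len & AVP_H:
            raise ValueError("hidden AVP needs tunnel secret to decode")
        avps.append({"mandatory": bool(flags_len & AVP_M), "vendor": vendor,
                     "type": attr, "value": payload[off + 6:off + length]})
        off += length
    return avps


def build_header(control: bool, tunnel_id: int, session_id: int, payload: bytes,
                 ns=None, nr=None) -> bytes:
    """L2TP header with the L bit set so the Length field is always present.
    Control messages always carry Ns/Nr (S bit); data messages only if asked."""
    flags = L2TP_VERSION | F_L
    if control:
        flags |= F_T | F_S
    elif ns is not None:
        flags |= F_S
    body = struct.pack("!HH", tunnel_id, session_id)
    if flags & F_S:
        body += struct.pack("!HH", ns or 0, nr or 0)
    return struct.pack("!HH", flags, 4 + len(body) + len(payload)) + body + payload


def parse_header(buf: bytes):
    """Return (header dict, payload). Enforces version, Length and the
    RFC 2661 rule that control messages must carry sequence numbers."""
    flags, = struct.unpack_from("!H", buf, 0)
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("not L2TPv2")
    off, h = 2, {"control": bool(flags & F_T)}
    if flags & F_L:
        length, = struct.unpack_from("!H", buf, off); off += 2
        if length > len(buf):
            raise ValueError("truncated packet")
        buf = buf[:length]
    h["tunnel_id"], h["session_id"] = struct.unpack_from("!HH", buf, off); off += 4
    if flags & F_S:
        h["ns"], h["nr"] = struct.unpack_from("!HH", buf, off); off += 4
    if flags & F_O:                                   # Offset Size + padding
        pad, = struct.unpack_from("!H", buf, off); off += 2 + pad
    if h["control"] and not (flags & F_S):
        raise ValueError("control message without Ns/Nr")
    return h, buf[off:]


def build_sccrq(host: str, assigned_tunnel_id: int) -> bytes:
    """Start-Control-Connection-Request: Tunnel ID 0 because none is assigned yet."""
    avps = (build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", 1))
            + build_avp(AVP_PROTOCOL_VERSION, bytes([1, 0]))          # Ver 1, Rev 0
            + build_avp(AVP_HOST_NAME, host.encode())
            + build_avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tunnel_id)))
    return build_header(True, 0, 0, avps, ns=0, nr=0)


def demux(packets) -> dict:
    """Group the PPP payloads of data messages by (Tunnel ID, Session ID)."""
    streams = {}
    for pkt in packets:
        h, ppp = parse_header(pkt)
        if not h["control"]:
            streams.setdefault((h["tunnel_id"], h["session_id"]), []).append(ppp)
    return streams


if __name__ == "__main__":
    sccrq = build_sccrq("lac1", 5)                                   # constructed
    data = build_header(False, 5, 9, b"\xff\x03\x00\x21")            # PPP, proto IP
    print(parse_header(sccrq)[0], parse_avps(parse_header(sccrq)[1]))
    print(demux([data, sccrq]))
```

Everything the parser sees here (tunnel and session IDs, host names, the Message Type) is in cleartext on UDP 1701 unless the packet is inside IPsec, which is why the length and sequence checks above matter: a receiver that trusts the Length field or accepts a control message without Ns/Nr is taking attacker-controlled values straight from the network.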

L2TP Control Messages (figure from RFC 2661)

L2TP Authentication (from RFC 2661)
Authentication, Authorization and Accounting may be provided by the Home LAN's management domain, which is behind the LNS. In that case the LAC performs proxy authentication: it runs the PPP authentication exchange with the user and forwards the result (user name, CHAP challenge, ID and response, or the PAP password) to the LNS in the Proxy Authen AVPs of the ICCN message, so the decision is made where the user database lives.
Although deprecated, the Password Authentication Protocol (PAP) is still sometimes used; note that PAP carries the password in cleartext, so with L2TP alone it is exposed on the LAC-LNS path as well as on the access link.
(source: http://download-uk.oracle.com/docs/cd/A97630_01/appdev.920/a96590/adgsec03.htm; this page describes database proxy authentication, which the slide uses as an analogy.)
Advantages of proxy authentication: in multi-tier environments, proxy authentication allows you to control the security of middle-tier applications by preserving client identities and privileges through all tiers, and auditing actions taken on behalf of clients. For example, this feature allows the identity of a user of a web application (the "proxy") to be passed through the application to the database server.

L2TP Operations: Case Studies: Setting up compulsory L2TP tunneling (figure slide)

L2TP Operations: Case Studies (cont.): Protecting L2TP traffic using IPsec in a compulsory tunneling setup
NOTE: L2TP encapsulation occurs before IPsec processing. The L2TP/UDP packet is the payload that IPsec protects (RFC 3193 uses IPsec transport mode between LAC and LNS, selecting on UDP port 1701), so the L2TP header, the PPP frame and any PAP/CHAP exchange inside it are all covered; IPsec itself does not know about tunnel or session IDs.

L2TPv3 Topology (from RFC 3931)
L2TPv3 operates between two L2TP Control Connection Endpoints (LCCEs), tunneling traffic across a packet network. There are three predominant tunneling models in which L2TP operates: LAC-LNS (or vice versa), LAC-LAC, and LNS-LNS.

L2TPv3 Topology (from RFC 3931) (figure slides)