Softwires Hub & Spoke with L2TP

Softwires Hub & Spoke with L2TP
Maria Alice Dos Santos, Cisco
Bill Storer, Cisco

Satisfying Softwires Requirements with L2TP
- There are 2 versions of L2TP:
  - L2TPv2 (RFC 2661)
  - L2TPv3 (RFC 3931)
- Both versions can satisfy the Softwires requirements with some changes
  - For L2TPv2 the changes are very small
  - For L2TPv3 the changes are larger but provide extra function

L2TP and NAT
- L2TP supports UDP encapsulation
  - For L2TPv2, UDP encapsulation is mandatory
  - For L2TPv3, UDP encapsulation is optional
- UDP encapsulation allows simple traversal of NAT

L2TP and Security
- L2TP supports tunnel authentication
  - Can authenticate the host initiating the tunnel
- L2TP supports PPP encapsulation
  - Can authenticate the PPP user within the tunnel
- L2TPv3 offers data channel security against malicious data insertion by requiring transmission and validation of a variable-length cookie by the peers

L2TP and Management
- L2TP provides a tunnel keep-alive mechanism
- L2TPv2 has accounting and MIB support
  - RADIUS Accounting extension for tunnel (RFC 2867)
  - L2TPv2 MIB (RFC 3371)
- L2TPv3 has VCCV support
  - Provides diagnostic and fault detection capabilities at the session level
  - draft-ietf-pwe3-vccv-07

L2TP and Multicast
- PIM or IGMP messages pass through the L2TP tunnel transparently
- At the Hub router, each spoke appears as a PPP connection
- The multicast environment here is identical to that of an edge router terminating large numbers of PPP connections

L2TP and IPsec
- RFC 3193 - Securing L2TP using IPsec
- RFC 3948 - UDP Encapsulation of IPsec ESP Packets
  - ESP must be supported
  - Transport mode must be supported
- A typical L2TP/IPsec frame is as follows:
  IP | ESP header | UDP | L2TP | PPP | ESP trailer | Auth trailer

L2TP and Scalability
- L2TPv2 is widely used to provide large scale IPv4 services today
  - Case in point: NTT
- Routers currently support high-volume L2TPv2
  - Tens of thousands of concurrent L2TPv2 sessions
  - Call setup rates in the hundreds per second
- L2TPv3 can be more efficient than L2TPv2

L2TP as Softwire Standard
- L2TPv2 meets IPv6 over IPv4 softwires requirements today
- L2TPv2 is currently used in multiple IPv6 over IPv4 solutions
- L2TPv2 (RFC 2661) is 99% ready for the IPv4 over IPv6 solution
- L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
- L2TPv3 is not far from meeting all softwires requirements
- L2TPv3 (RFC 3931) automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3

L2TPv2 as the Immediate Solution
- L2TPv2 is currently used in several IPv6 over IPv4 deployments
- Implementations of key components are readily available:
  - LNSes supporting L2TPv2 acting as tunnel terminator, supporting IPv6 over PPP (IPv6CP) and DHCPv6 server capabilities or proxy
  - Standalone DHCPv6 server
  - RADIUS support for IPv6 prefix delegation attributes
  - CPEs or home routers supporting L2TPv2, IPv6 over PPP (IPv6CP) and DHCPv6 client capabilities
  - Windows (i.e. Longhorn) supporting IPv6 over PPP and L2TPv2 over IPsec is becoming available in the near future
- Support for IPv4 over IPv6 with L2TPv2 requires the addition of IPv6 transport support for L2TPv2 (a minor extension to RFC 2661). Besides that, IPv4 over PPP over L2TPv2 over IPv6 will work as in today's L2TPv2 over IPv4 solutions

IPv6 over IPv4 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator
[Diagram: LNS and Dual AF CPE connected over IPv4; encapsulation IPv6 o PPP o L2TPv2 o UDP o IPv4. Flows shown: ISP to Dual AF CPE (PD and Auto-Config), Dual AF CPE to Hosts (Auto-Config). Labels: IPv6CP capable of /64 interface ID assignment or uniqueness check; /64 prefix RA; /48 prefix; DNS, etc; /64 prefixes; DHCPv6 PD; RA; DNS, etc; DHCPv4/v6.]

IPv6 over IPv4 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS, IPv4 CPE and Dual AF Router; encapsulation IPv6 o PPP o L2TPv2 o UDP o IPv4. Flows shown: ISP to Dual AF Router (PD and Auto-Config), Dual AF Router to Hosts (Auto-Config). Labels: IPv6CP capable of /64 interface ID assignment or uniqueness check; /64 prefix RA; /48 prefix; DNS, etc; /64 prefixes; DHCPv6 PD; RA; DNS, etc; DHCPv4/v6.]

IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator
[Diagram: LNS, IPv4 CPE and Dual AF Host; encapsulation IPv6 o PPP o L2TPv2 o UDP o IPv4. Flow shown: ISP to Dual AF Host (Auto-Config). Labels: IPv6CP capable of /64 interface ID assignment or uniqueness check; /64 prefix RA; DNS, etc; DHCPv4/v6.]

IPv4 over IPv6 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator
[Diagram: LNS and Dual AF CPE connected over IPv6; encapsulation IPv4 o PPP o L2TPv2 o UDP o IPv6. Flows shown: ISP to Dual AF CPE (IP Assignment and Auto-Config), Dual AF CPE to Hosts (IP Assignment and Auto-Config). Labels: private IPv4 addresses and DNS, etc.; IPCP assigns global IPv4 address and DNS, etc; DHCP.]

IPv4 over IPv6 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS, IPv6 CPE and Dual AF Router; encapsulation IPv4 o PPP o L2TPv2 o UDP o IPv6. Flows shown: ISP to Dual AF Router (IP Assignment and Auto-Config), Dual AF Router to Hosts (IP Assignment and Auto-Config). Labels: private IPv4 addresses and DNS, etc.; IPCP assigns global IPv4 address and DNS, etc; DHCP.]

IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator
[Diagram: LNS, IPv6 CPE and Dual AF Host; encapsulation IPv4 o PPP o L2TPv2 o UDP o IPv6. Flow shown: ISP to Dual AF Host (IP Assignment and Auto-Config). Label: IPCP assigns global IPv4 address and DNS, etc.]

IPv6 o L2TPv2 o IPv4 Today
- NTT
  - http://www.ntt.com/release_e/news05/0011/1121.html
  - http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
- Point6
  - draft-toutain-softwire-point6box-00
- Cisco
  - http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html

Why move to L2TPv3?
- Cons of L2TPv2 as compared to L2TPv3:
  - Weaker tunnel authentication mechanism, which validates only the header portion of the control messages and covers only the SCCRQ, SCCRP and SCCCN message types
  - No built-in data channel security; must be bundled with IPsec to achieve security
  - 16-bit session IDs as compared to L2TPv3 32-bit session IDs

Why move to L2TPv3? (Cont.)
- Cons of L2TPv2 as compared to L2TPv3:
  - Tunnel/session setup latency:
    - L2TP: SCCRQ, SCCRP, SCCCN, ICRQ, ICRP, ICCN
    - PPP LCP
    - PPP CHAP (per-user authentication is optional)
    - IPCP
  - Since L2TPv3 offers the option to tunnel IP frames directly without PPP, using L2TPv3 can eliminate PPP overhead

Why move to L2TPv3? (Cont.)
- Cons of L2TPv2 as compared to L2TPv3:
  - L2TPv2 data encapsulation: PPP over L2TPv2 over UDP – 20 bytes
  - L2TPv3 allows further encapsulation optimization by offering the option to run over IP (instead of mandating UDP) and to tunnel IP frames without PPP
[Diagram: L2TPv2 data header, sequencing disabled, Length field present: IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Len (opt) | Tunnel Id | Session Id | PPP 0xFF03 & PId | Payload]

L2TPv3 for the Future
[Diagram: IPv4 or IPv6 Header | UDP + L2TP Version (Optional) | Session ID (32 Bits) | Cookie (Up to 64 Bits, Optional) | Payload. Payload types shown: PPP, HDLC, Frame Relay, Ethernet, ATM (Cell or Packet), MPLS, IP]

L2TPv3 as Next Phase Softwires Solution
- PPP over L2TPv3
  - L2TPv3 can provide the same softwires solution as described with PPP over L2TPv2
  - Support for PPP tunneling for L2TPv3: draft-ietf-l2tpext-l2tp-ppp-03.txt

L2TPv3 as Next Phase Softwires Solution
- IP over L2TPv3
  - L2TPv3 also offers a more optimal softwires solution with its capability to directly tunnel IP frames
  - IP Pseudowire support: draft-ietf-l2tpext-pwe3-ip-01
  - The IP Pseudowire type has the following advantages:
    - Not necessary to negotiate PPP at session initiation
    - Not necessary to include PPP encap in data
    - Authentication is available at the tunnel level
      - Implies one session per tunnel
  - New AVPs to provide basic IPCP / IPv6CP address assignment services are required

L2TPv3 (RFC 3931) Advantages: Encap Optimization
- PPP over L2TPv3 over UDP (sequencing disabled)
  - Without optional cookie – 18 bytes
  - With optional cookie – 26 bytes
- IP over L2TPv3 over UDP (sequencing disabled)
  - Without optional cookie – 16 bytes
  - With optional cookie – 24 bytes
- IP over L2TPv3 over IP (sequencing disabled)
  - Without optional cookie – 4 bytes
  - With optional cookie – 12 bytes
[Diagram, three header stacks. PPP over L2TPv3 over UDP: IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Session Id | Cookie (opt. to 8 bytes) | PPP | Payload. IP over L2TPv3 over UDP: IPv4 / IPv6 | UDP (8 bytes) | Flags & Ver | Session Id | Cookie (opt. to 8 bytes) | Payload. IP over L2TPv3 over IP: IPv4 / IPv6 | Session Id | Cookie (opt. to 8 bytes) | Payload]

IPv6 over IPv4 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator
[Diagram: LNS and Dual AF CPE connected over IPv4; encapsulation IPv6 payload o L2TPv3 o IPv4. Flows shown: ISP to Dual AF CPE (PD and Auto-Config), Dual AF CPE to Hosts (Auto-Config). Labels: /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs; /64 prefix RA; /48 prefix; DNS, etc; /64 prefixes; DHCPv6 PD; RA; DNS, etc; DHCP.]

IPv6 over IPv4 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS, IPv4 CPE and Dual AF Router; encapsulation IPv6 payload o L2TPv3 o UDP o IPv4. Flows shown: ISP to Dual AF Router (PD and Auto-Config), Dual AF Router to Hosts (Auto-Config). Labels: /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs; /64 prefix RA; /48 prefix; DNS, etc; /64 prefixes; DHCPv6 PD; RA; DNS, etc; DHCP.]

IPv6 over IPv4 Softwire with L2TPv3: Case 3 – Host as Softwire Initiator
[Diagram: LNS, IPv4 CPE and Dual AF Host; encapsulation IPv6 payload o L2TPv3 o UDP o IPv4. Flow shown: ISP to Dual AF Host (Auto-Config). Labels: /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs; /64 prefix RA; DNS, etc; DHCPv4/v6.]

IPv4 over IPv6 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator
[Diagram: LNS and Dual AF CPE connected over IPv6; encapsulation IPv4 payload o L2TPv3 o IPv6. Flows shown: ISP to Dual AF CPE (IP Assignment and Auto-Config), Dual AF CPE to Hosts (IP Assignment and Auto-Config). Labels: private IPv4 addresses and DNS, etc.; IPv4 address assignment and DNS via new L2TPv3 AVPs; DHCP.]

IPv4 over IPv6 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator
[Diagram: LNS, IPv6 CPE and Dual AF Router; encapsulation IPv4 payload o L2TPv3 o IPv6. Flows shown: ISP to Dual AF Router (IP Assignment and Auto-Config), Dual AF Router to Hosts (IP Assignment and Auto-Config). Labels: private IPv4 addresses and DNS, etc.; IPv4 address assignment and DNS via new L2TPv3 AVPs; DHCP.]

IPv4 over IPv6 Softwire with L2TPv3: Case 3 – Host as Softwire Initiator
[Diagram: LNS, IPv6 CPE and Dual AF Host; encapsulation IPv4 payload o L2TPv3 o IPv6. Flow shown: ISP to Dual AF Host (IP Assignment and Auto-Config). Label: IPv4 address assignment and DNS via new L2TPv3 AVPs.]

L2TPv3 Enhanced Security
- Enhanced control plane security
  - Message digest is calculated over the entire control message
  - Message digest is calculated for all control message types
- Data plane security
  - Provides an additional layer of defense for data packets, over and above ACLs, with the use of a simple cookie

L2TPv3 Security – What is the L2TPv3 "Cookie"?
[Diagram: Session ID (32 Bits) | Cookie (up to 64 Bits)]
- The L2TPv3 Cookie is a cryptographically random value, present in each L2TPv3 packet
- Chosen by the receiver, associated with a Session ID, and signaled to the sender
- Cookies in the header must match upon receipt, otherwise the packet is dropped
- Provides an additional layer of security at a very important place: before switching packets out of the core and into the customer premises
- Casts a strategic balance for the SP: stronger than ACLs, but less complex than IPsec encryption and key negotiation
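As an added example, not taken from the slides or from any Cisco code, the following constructed Python model covers two points from this deck: the L2TPv3 header sizes listed on the "Encap Optimization" slide, and the receiver-side cookie check described on this slide. The byte constants, the per-session cookie table and the packet builder are assumptions drawn from the slide diagrams, not an implementation of RFC 3931 control-plane signaling.

```python
import hmac
import os
import struct

# Constructed model of the L2TPv3 data header as drawn on the slides:
#   over UDP: UDP (8) | Flags & Ver (4) | Session ID (4) | Cookie (0/4/8) | [PPP (2)] | payload
#   over IP:  Session ID (4) | Cookie (0/4/8) | payload
# Sequencing is disabled, so no optional sublayer is counted (assumption).
UDP_HDR, FLAGS_VER, SESSION_ID, PPP_HDR = 8, 4, 4, 2  # bytes

def l2tpv3_overhead(over_udp, ppp, cookie_len):
    """Bytes added above the outer IPv4/IPv6 header (sequencing disabled)."""
    if cookie_len not in (0, 4, 8):
        raise ValueError("L2TPv3 cookie is 0, 32 or 64 bits")
    size = SESSION_ID + cookie_len
    if over_udp:
        size += UDP_HDR + FLAGS_VER
    if ppp:
        size += PPP_HDR
    return size

class L2tpv3Receiver:
    """Receiver side of the cookie check for IP over L2TPv3 over IP."""

    def __init__(self):
        self.sessions = {}  # local Session ID -> cookie this receiver chose

    def open_session(self, session_id, cookie_len=8):
        # The receiver picks a cryptographically random cookie, binds it to the
        # Session ID and signals it to the sender; cookie_len=0 disables the check.
        cookie = os.urandom(cookie_len)
        self.sessions[session_id] = cookie
        return cookie

    def receive(self, packet):
        """Return the inner payload, or None when the packet must be dropped."""
        if len(packet) < SESSION_ID:
            return None
        (session_id,) = struct.unpack("!I", packet[:SESSION_ID])
        cookie = self.sessions.get(session_id)
        if cookie is None:
            return None  # unknown Session ID: nothing to switch the packet into
        end = SESSION_ID + len(cookie)
        # Constant-time compare; a guessed, stale or truncated cookie fails.
        if len(packet) < end or not hmac.compare_digest(packet[SESSION_ID:end], cookie):
            return None  # cookie mismatch: drop before forwarding to the customer
        return packet[end:]

def build_packet(session_id, cookie, payload):
    """Sender side: Session ID, the cookie learned from the receiver, then payload."""
    return struct.pack("!I", session_id) + cookie + payload
```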

Summary of L2TPv3 Changes
- Accounting RFC similar to RFC 2867
- MIB RFC similar to RFC 3371
- Definition of AVPs to support basic IPCP and IPv6CP functions

L2TP vs IPsec ESP Tunnel
- L2TP has an in-band control plane
  - Inability to transmit data usually results in tunnel setup failure
  - Failures in data transport usually result in protocol "keep alive" failures
  - L2TPv3 VCCV can detect failures at the data switching level
- L2TP infrastructure already exists for large scale data transport

L2TP vs GRE
- GRE doesn't specify a control plane
  - The control plane must be provided by some other protocol
  - An "in band" control plane is not possible