Softwires L2TPv2 Hubs & Spokes for Phase I
Maria Alice Dos Santos, Cisco
Jean Francois Tremblay, Hexago
Bill Storer, Cisco
Jordi Palet, Consulintel
Carl Williams, KDDI
and others
65th IETF - Dallas, TX, USA
L2TPv2 VS TSP
At the Softwires interim meeting in Hong Kong, multiple protocols (ATS6, TSP, L2TPv2) were proposed as the Phase I Hubs & Spokes Softwire solution
At the interim meeting, a non-technical requirement evaluation of the proposed protocols was conducted:
– The two leading protocols are L2TPv2 and TSP
– L2TPv2 average score is 97 (rounded)
– TSP average score is 86 (rounded)
A technical comparison between L2TPv2 and TSP has been conducted and discussed on the mailing list
The WG selected L2TPv2 as the Phase I Hubs & Spokes solution based on the comparison results in the following categories
Standardization Status
L2TPv2 (RFC2661) has been standardized since 1999
– RFC Layer Two Tunneling Protocol (PS)
– RFC RADIUS Accounting Modifications for Tunnel Protocol Support (Inf.)
– RFC Layer Two Tunneling Protocol "L2TP" Management Information Base (PS)
– RFC Securing L2TP using IPsec (PS)
– RFC UDP Encapsulation of IPsec ESP Packet (PS)
– RFC L2TP Disconnect Cause Information (PS)
– RFC Layer Two Tunneling Protocol Differentiated Services Extension (PS)
TSP has been sent to the RFC Editor as an individual submission
– draft-vg-ngtrans-tsp-00.txt submitted in 2001
– draft-blanchet-v6ops-tunnelbroker-tsp-03.txt
Interoperability
L2TPv2 protocol has been proven by numerous independent / interoperable implementations:
– Major Router Vendors: Cisco, Juniper, Redback, Nortel, Laurel (with IPv6 support)
– Linux/POSIX-based OSs (GPL): Sourceforge.net, Roaring Penguin, etc
– CPE Implementations: Linksys; IPv6 over IPv4 clients have been implemented by Point6 and NTT (GPL-based)
– Native Microsoft Windows Client: IPv4 over IPv4 client supported on all Windows; IPv6 over IPv4 client supported on Vista / Longhorn (PPPv6, DHCPv6 included, to be released end of 2006)
– Downloadable Windows XP Client: IPv6 over IPv4 client by NTT, Trumpet; IPv6 over IPv4 and IPv4 over IPv6 client by SixXs (to be released in 2 months)
– Source Code Availability: GPL: Roaring Penguin, etc; Commercial Windows / Linux / Mac implementations: Paravirtual and others
One TSP server implementation exists while the TSP client has been implemented by multiple entities:
– TSP Server: Hexago
– TSP CPE Client: Draytek, Panasonic, NEC (GPL-based)
– Independent Implementations: ENST, University of Southampton, SixXs (Windows and Unix)
Scalability
L2TPv2 scalability has been proven in large scale commercial VPN deployments:
– L2TPv2 is proven to scale to millions of subscribers in multiple IPv4 over IPv4 VPN deployments
– Upper tens of thousands of concurrent L2TPv2 sessions on a single node (or "LNS")
– Call setup rates in the hundreds per second
TSP scalability has yet to be demonstrated in multiple-server commercial settings:
– Freenet6 has 10,000 tunnels now on a single server
– Have tested 50,000 tunnels on one broker
Deployment Experience
L2TPv2 Deployment Experience
– L2TPv2 is widely used in large scale IPv4 over IPv4 VPN commercial deployments, with AAA, Accounting and MIB well integrated in the solutions; cases in point being NTT, BT, AOL (millions of tunnels each)
– L2TPv2 is used in IPv6 over IPv4 deployments: Point6, NTT commercial IPv6 tunnel service
TSP Deployment Experience:
– Freenet6 TSP commercial IPv6 over IPv4 deployment since 2003 (10K tunnels)
– KDDI TSP trial IPv4 over IPv6 deployment (1000 tunnels)
– AT&T and Wanadoo trials, no numbers
– NTT and DoD have on-going trials
OAM
L2TPv2:
– Standardized Accounting and MIB: RFC 2867 "RADIUS Accounting extension for tunnel" (Inf.), RFC 3371 "L2TP MIB" (PS), RFC 3145 "L2TP Disconnect Cause Information" (PS)
– L2TPv2 uses in-band signaling (control plane in sync with data connectivity status)
– L2TPv2 control plane stays for the life of the tunnel (tunnel maintenance supported after the setup phase)
– L2TPv2 high availability: draft-ietf-l2tpext-failover-06.txt, "Fail Over extensions for L2TP 'failover'"
TSP:
– TSP has no standardized Accounting and MIB
– TSP uses in-band signaling also
– TSP control plane is ephemeral; it goes away after the tunnel setup phase (i.e. the TSP server has to tear down / re-establish the tunnel if the keepalive interval needs adjustment)
Authentication/Security
L2TPv2:
– Standardized full tunnel protection with IPsec (L2TPv2 over IPsec): RFC 3193 "Securing L2TP using IPsec", RFC 3948 "UDP Encapsulation of IPsec ESP Packets"
– L2TPv2 supports built-in mutual tunnel authentication
– L2TPv2 inherits PPP per-user authentication
– Data is encapsulated in a session header with tunnel / session IDs (provides better security than IP-in-IP protocol 41 encapsulation)
TSP:
– No security or encryption draft or standard specified for TSP
– TSP supports mutual authentication
– TSP uses IP-in-IP (protocol 41) encapsulation, "easy to spoof" (RPF check is to be used)
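To make the "session header with tunnel / session IDs" point concrete, here is an added Python example (not from the slides or any vendor's code) that parses the RFC 2661 data message header and forwards only packets whose (Tunnel ID, Session ID) pair exists in a constructed hub-side session table; the table contents and subscriber names are assumptions of the example.

```python
import struct

# First 16-bit word: T (control/data), L (Length present), S (Ns/Nr present),
# O (Offset present) flag bits and the 4-bit version number.
T_BIT, L_BIT, S_BIT, O_BIT, VER_MASK = 0x8000, 0x4000, 0x0800, 0x0200, 0x000F

def _u16(pkt: bytes, off: int) -> int:
    if off + 2 > len(pkt):
        raise ValueError("truncated header")
    return struct.unpack_from("!H", pkt, off)[0]

def parse_l2tpv2_data(pkt: bytes) -> dict:
    """Parse an L2TPv2 data message header (RFC 2661 section 3.1).
    Raises ValueError for anything that is not a well-formed v2 data message."""
    flags = _u16(pkt, 0)
    if flags & VER_MASK != 2 or flags & T_BIT:
        raise ValueError("not an L2TPv2 data message")
    off, end = 2, len(pkt)
    if flags & L_BIT:  # Length counts the whole message, header included
        end, off = _u16(pkt, off), off + 2
        if end > len(pkt):
            raise ValueError("Length field exceeds packet")
    tunnel_id, session_id = _u16(pkt, off), _u16(pkt, off + 2)
    off += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr, off = _u16(pkt, off), _u16(pkt, off + 2), off + 4
    if flags & O_BIT:  # Offset Size field, then that many padding octets
        off += 2 + _u16(pkt, off)
    if off > end:
        raise ValueError("truncated header")
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": pkt[off:end]}

def build_l2tpv2_data(tunnel_id: int, session_id: int, payload: bytes) -> bytes:
    """Minimal sender side: version 2, Length present, no sequencing or offset."""
    return struct.pack("!HHHH", 2 | L_BIT, 8 + len(payload), tunnel_id, session_id) + payload

# Constructed LNS session table: only (Tunnel ID, Session ID) pairs established
# through the control channel are forwarded; anything else is dropped.
SESSIONS = {(0x1234, 0x0001): "spoke-A", (0x1234, 0x0002): "spoke-B"}

def demux(pkt: bytes):
    """Return (subscriber, PPP payload) for an accepted packet, None if dropped."""
    try:
        h = parse_l2tpv2_data(pkt)
    except ValueError:
        return None
    peer = SESSIONS.get((h["tunnel_id"], h["session_id"]))
    return None if peer is None else (peer, h["payload"])
```

A plain protocol-41 receiver has no equivalent per-packet identifier to check, which is why the slide pairs it with an RPF check on the outer source address.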
L2TPv2 Phase I Hubs & Spokes Softwire Solution
L2TPv2 Hubs & Spokes Softwire framework draft
– To be delivered (LC) in July 2006
– Document / recommend / define L2TPv2 Hubs & Spokes Softwire solution implementation specifics
Examples of topics to be covered by the framework draft (credits to Jean Francois Tremblay, Jordi Palet, Ole Troan for the initial list of topics):
– How L2TPv2 satisfies H&S Softwire requirements
– Deployment scenarios with L2TPv2 and other components involved in the H&S solution
– Standardization status of L2TPv2 and other components involved in the H&S solution
– Provisioning models (Addresses, Prefix Delegation, DNS, etc)
– L2TPv2 tunnel setup / maintenance specifics in the H&S solution
– AAA integration / infrastructure and statistics
– Security analysis for L2TPv2 H&S
– Implementation Status
– Others?
IPv6 over IPv4 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator
(diagram) Dual AF Host CPE (LAC) to LNS; encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
– IPv4 ISP to Dual AF Host CPE auto-config: /64 prefix, DNS, etc via RA, DHCPv4/v6
– IPv6CP: capable of /64 interface ID assignment or uniqueness check
IPv6 over IPv4 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator
(diagram) Dual AF CPE (LAC) to LNS; encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
– IPv4 ISP to Dual AF CPE PD and auto-config: /64 prefix, /48 prefix, DNS, etc via RA, DHCPv6 PD
– IPv6CP: capable of /64 interface ID assignment or uniqueness check
– Dual AF CPE to hosts auto-config: /64 prefixes, DNS, etc via RA, DHCPv4/v6
IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator
(diagram) Dual AF Host (LAC) behind CPE to LNS; encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
– IPv4 ISP to Dual AF Host auto-config: /64 prefix, DNS, etc via RA, DHCPv4/v6
– IPv6CP: capable of /64 interface ID assignment or uniqueness check
IPv6 over IPv4 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator
(diagram) Dual AF Router (LAC) behind CPE to LNS; encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
– IPv4 ISP to Dual AF Router PD and auto-config: /64 prefix, /48 prefix, DNS, etc via RA, DHCPv6 PD
– IPv6CP: capable of /64 interface ID assignment or uniqueness check
– Dual AF Router to hosts auto-config: /64 prefixes, DNS, etc via RA, DHCPv4/v6
IPv4 over IPv6 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator
(diagram) Dual AF Host CPE (LAC) to LNS over IPv6; encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
– ISP to Dual AF Host IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc
IPv4 over IPv6 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator
(diagram) Dual AF CPE (LAC) to LNS over IPv6; encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
– ISP to Dual AF CPE IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc
– Dual AF CPE to hosts IP assignment and auto-config: private IPv4 addresses and DNS, etc via DHCP
IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator
(diagram) Dual AF Host (LAC) behind CPE to LNS over IPv6; encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
– ISP to Dual AF Host IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc
IPv4 over IPv6 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator
(diagram) Dual AF Router (LAC) behind CPE to LNS over IPv6; encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
– ISP to Dual AF Router IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc
– Dual AF Router to hosts IP assignment and auto-config: private IPv4 addresses and DNS, etc via DHCP
IPv6 over L2TPv2 over IPv4 Today
NTT
– mlhttp:// ml
– ntt-ipv6.htmlhttp:// ntt-ipv6.html
Point6
– draft-toutain-softwire-point6box-00
Cisco
– ducts_data_sheet09186a008011b68d.htmlhttp:// ducts_data_sheet09186a008011b68d.html
L2TPv3 proposed as Phase II Hubs & Spokes Softwire Standard
– L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
– L2TPv3 RFC3991 automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3 (backward compatibility is a key requirement for Phase II)
– L2TPv3 isn't as widely implemented as L2TPv2
L2TPv3 for the Future
(header diagram) L2TPv3 encapsulation, outer to inner:
– IPv4 or IPv6 Header
– UDP + L2TP Version (Optional)
– Session ID (32 Bits)
– Cookie (Up to 64 Bits, Optional)
– Payload: PPP, Frame Relay, Ethernet, ATM (Cell or Packet), MPLS, HDLC, IP
Why move to L2TPv3?
Improvements with L2TPv3:
– Stronger tunnel authentication mechanism covering all control messages rather than just portions at tunnel setup
– Built-in lightweight data plane security: still works with IPsec transport mode, but the built-in cryptographically random cookie gives extra protection against blind insertion attacks
– More efficient header encapsulation: 32-bit flat session ID, more efficient lookup in the forwarding plane; runs over either IP or UDP
– L2TPv3 can tunnel IP directly without PPP: reduces tunnel/session setup time and data encapsulation size
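An added example, not part of the slides, of the data plane check that the Session ID and Cookie fields of the L2TPv3 header on the previous slide make possible: the hub keeps a cryptographically random 64-bit cookie per session and accepts only data messages that carry it, so a blindly inserted packet with a known Session ID is still dropped. The Session and Lns classes, the session IDs and the over-IP-only framing are assumptions of this example.

```python
import hmac
import secrets
import struct

COOKIE_LEN = 8  # RFC 3931 allows 0, 4 or 8 octets; the slide's "up to 64 bits"

class Session:
    """Hub-side state for one L2TPv3 session. The cookie is generated here and
    handed to the spoke over the authenticated control connection at setup."""
    def __init__(self, session_id: int, peer: str):
        self.session_id, self.peer = session_id, peer
        self.cookie = secrets.token_bytes(COOKIE_LEN)  # cryptographically random

def encap_over_ip(session_id: int, cookie: bytes, payload: bytes) -> bytes:
    """L2TPv3 data message carried directly over IP: 32-bit Session ID,
    then the cookie, then the tunneled payload (no UDP, no L2TPv2-style flags)."""
    return struct.pack("!I", session_id) + cookie + payload

class Lns:
    def __init__(self):
        self.sessions, self.dropped = {}, 0

    def add_session(self, session_id: int, peer: str) -> Session:
        s = Session(session_id, peer)
        self.sessions[session_id] = s
        return s

    def receive(self, pkt: bytes):
        """Return (peer, payload) for an accepted data message, None if dropped."""
        if len(pkt) < 4 + COOKIE_LEN:
            self.dropped += 1
            return None
        s = self.sessions.get(struct.unpack_from("!I", pkt, 0)[0])
        # Unknown session, or a cookie other than the one agreed at setup, is
        # dropped. compare_digest keeps the comparison constant-time.
        if s is None or not hmac.compare_digest(pkt[4:4 + COOKIE_LEN], s.cookie):
            self.dropped += 1
            return None
        return s.peer, pkt[4 + COOKIE_LEN:]

def demo() -> tuple:
    """Legitimate packet accepted; a packet with the right Session ID but the
    wrong cookie is dropped. Returns (accepted, forged, drop_count)."""
    lns = Lns()
    s = lns.add_session(0x0A0B0C0D, "spoke-1")
    ipv6_pkt = b"\x60" + bytes(39)  # constructed stand-in for a tunneled IPv6 packet
    accepted = lns.receive(encap_over_ip(s.session_id, s.cookie, ipv6_pkt))
    forged = lns.receive(encap_over_ip(s.session_id, bytes(COOKIE_LEN), ipv6_pkt))
    return accepted, forged, lns.dropped
```

With a 16-bit Tunnel ID and Session ID and no cookie, the L2TPv2 header of the earlier slides offers no comparable per-packet secret, which is the gap this field closes.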
Phase II Hubs & Spokes Softwires with L2TPv3
L2TPv3 Hubs & Spokes Softwire framework draft
– Investigation starts in March (in the background of Phase I work)
– Progress will be presented at the post-July 2006 interim meeting
– Framework draft to be delivered (LC) in November 2006
Document / recommend / define L2TPv3 Hubs & Spokes Softwire solution implementation specifics
– PPP over L2TPv3
– IP over L2TPv3
Additional potential items for Phase II:
– DHCP Integration (as an AAA mechanism in addition to RADIUS)
– Softwire Concentrator Auto Discovery
– IP over L2TPv3 solution: investigate solution without PPP
– NAT Discovery
– Mobility and Nomadicity
To be continued...