Presentation transcript: "L2tpd - L2TP for Unix Land of confusion"

1 l2tpd - L2TP for Unix Land of confusion

2 Overview of L2TP protocol

3 Layer 2 Tunnelling Protocol
- Product of the PPP Extensions working group of the IETF
- Largely builds on the work done with L2F at Cisco
- Backwards compatible with L2F

4 L2TP features
- Encapsulates PPP
- Utilizes UDP
- Reliable signalling channel ("Control Connection")
- Unreliable data channel
- Data channel sequencing
- Tunnel level authentication

5 Applications for L2TP
- Half of a secure VPN implementation
- Overlay network
- Avoid University firewalls
- Remote static IP address
- Global addressing behind NAT

6 L2TP Header Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|T|L|x|x|S|x|O|P|x|x|x|x|Version|         Length (opt.)         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Tunnel ID           |           Session ID          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Sequence Number (Ns)      | Expected Sequence Number (Nr) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Offset Size (opt.)      |       Offset Pad (opt.) ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- T = Type bit: set for control packets
- L = Length bit: set if the Length field is present
- S = Sequence bit: set if sequence numbers are present; always set for control messages
- O = Offset bit: set if the Offset field is present (rarely used)
- P = Priority bit: set if this packet should be given preferential treatment (I've never seen this used)
- Version: set to 2 currently; 1 indicates L2F, which used substantially the same header format

7 L2TP Header Format (fields; same header layout as the previous slide)
- Length: total length of the L2TP packet
- Tunnel ID: identifies the tunnel this packet is associated with
- Session ID: identifies the session within the tunnel this packet is associated with
- Sequence Number (Ns): starts at 0, incremented for each packet in the tunnel
- Expected Sequence Number (Nr): sequence number expected in the next packet from the peer
- Offset Size: size, in octets, of the Offset Pad field
- Offset Pad: undefined "filler"
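The Ns/Nr rules above are what make the control connection reliable: a receiver accepts a control message only when its Ns is the one expected, and a sender may discard its retransmit copy of a message once the peer's Nr moves past it. The following is an added example written for this transcript, not code from l2tpd; the class and method names (ControlSeq, stamp_outgoing, receive) are this example's own, and it models only the sequence bookkeeping, not timers or retransmission itself.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

SEQ_MOD = 1 << 16  # Ns and Nr are 16-bit header fields, so they wrap


def seq_lt(a: int, b: int) -> bool:
    """True if sequence number a comes before b, allowing for 16-bit wraparound."""
    return ((a - b) % SEQ_MOD) > (SEQ_MOD // 2)


@dataclass
class ControlSeq:
    """Per-tunnel Ns/Nr state for the reliable control connection (example names, not l2tpd's)."""
    ns: int = 0   # sequence number the next control message we send will carry
    nr: int = 0   # sequence number we expect in the next control message from the peer
    unacked: List[Tuple[int, bytes]] = field(default_factory=list)  # sent, not yet acknowledged

    def stamp_outgoing(self, body: bytes) -> Tuple[int, int]:
        """Assign (Ns, Nr) to an outgoing control message and keep a copy until the peer acks it."""
        stamped = (self.ns, self.nr)
        self.unacked.append((self.ns, body))
        self.ns = (self.ns + 1) % SEQ_MOD
        return stamped

    def receive(self, peer_ns: int, peer_nr: int) -> str:
        """Classify an incoming control message by its Ns; its Nr acknowledges our earlier sends."""
        # The peer has received everything we sent with Ns before peer_nr: drop those copies.
        self.unacked = [(n, b) for n, b in self.unacked if not seq_lt(n, peer_nr)]
        if peer_ns == self.nr:
            self.nr = (self.nr + 1) % SEQ_MOD
            return "accept"
        if seq_lt(peer_ns, self.nr):
            return "duplicate"      # already processed; the peer simply missed our ack
        return "out_of_order"       # a message before this one is missing; wait for retransmission
```

A receiver that skipped the "duplicate" and "out_of_order" cases would process retransmitted SCCRQ or ICRQ messages twice, which is the kind of state confusion the reliable channel exists to prevent.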

8 L2TP AVP Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|M|H| rsvd  |      Length       |           Vendor ID           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Attribute Type        |     Attribute Value ... [until length is reached]
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- M = Mandatory bit: if you don't understand this AVP, shut down the tunnel or session
- H = Hidden bit: this attribute is "hidden"
- Length: overall length of the AVP, including these headers (minimum value of 6)
- Vendor ID: 0 for IETF-defined AVPs
- Attribute Type: what attribute is this?
- Attribute Value: actual attribute data (if the Length field is 6, this field is absent)
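The header and AVP layouts on the last three slides are easiest to check by parsing a control message with them. The following is an added example written for this transcript, not code from l2tpd or any other project; it implements the header (T/L/S/O bits, Version, Tunnel ID, Session ID, Ns/Nr, Offset) and AVP (M/H bits, 10-bit Length, Vendor ID, Attribute Type) formats exactly as the slides describe them, and applies the two rules that matter for robustness: every field read is bounds-checked against the datagram, and an unknown AVP with the M bit set is treated as a reason to tear down rather than something to skip. The message type names come from the next slide; the IETF AVP type numbers in KNOWN_AVPS (0, 2, 7, 9) are from RFC 2661, which the slides do not list, and the sample SCCRQ is constructed, not a capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

L2TP_VERSION = 2
# Control message types from the "L2TP Message Types" slide (value -> name).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO", 7: "OCRQ", 8: "OCRP",
                 9: "OCCN", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}
# IETF (Vendor ID 0) AVP types this example understands; type numbers taken from RFC 2661.
KNOWN_AVPS = {0: "Message Type", 2: "Protocol Version", 7: "Host Name", 9: "Assigned Tunnel ID"}

class L2tpError(ValueError):
    """Malformed input: the caller drops the packet or tears the tunnel/session down."""

@dataclass
class Header:
    is_control: bool
    length: Optional[int]     # None when the L bit is clear (data packets only)
    tunnel_id: int
    session_id: int
    ns: Optional[int]         # None when the S bit is clear
    nr: Optional[int]
    body: bytes               # AVPs for a control message, PPP frame for a data packet

@dataclass
class Avp:
    mandatory: bool
    hidden: bool
    vendor_id: int
    attr_type: int
    value: bytes

def _take(buf: bytes, pos: int, fmt: str) -> Tuple[tuple, int]:
    """Unpack big-endian fields at pos without ever reading past the end of buf."""
    size = struct.calcsize(fmt)
    if pos + size > len(buf):
        raise L2tpError(f"truncated: need {size} bytes at offset {pos}")
    return struct.unpack_from(fmt, buf, pos), pos + size

def parse_header(pkt: bytes) -> Header:
    (flags,), pos = _take(pkt, 0, "!H")
    version = flags & 0x000F
    if version != L2TP_VERSION:
        raise L2tpError("version 1 is L2F, not L2TP" if version == 1 else f"unsupported version {version}")
    is_control, has_len, has_seq, has_off = (bool(flags & m) for m in (0x8000, 0x4000, 0x0800, 0x0200))
    if is_control and not (has_len and has_seq):
        raise L2tpError("control message without Length or sequence numbers")
    length = None
    if has_len:
        (length,), pos = _take(pkt, pos, "!H")
        if length > len(pkt):
            raise L2tpError("Length field exceeds datagram size")
        pkt = pkt[:length]                 # bytes beyond Length are not part of the packet
    (tunnel_id, session_id), pos = _take(pkt, pos, "!HH")
    ns = nr = None
    if has_seq:
        (ns, nr), pos = _take(pkt, pos, "!HH")
    if has_off:
        (offset_size,), pos = _take(pkt, pos, "!H")
        pos += offset_size                 # skip the undefined Offset Pad
        if pos > len(pkt):
            raise L2tpError("Offset Size runs past end of packet")
    return Header(is_control, length, tunnel_id, session_id, ns, nr, pkt[pos:])

def parse_avps(body: bytes) -> List[Avp]:
    avps, pos = [], 0
    while pos < len(body):
        (hdr, vendor_id, attr_type), _ = _take(body, pos, "!HHH")
        mandatory, hidden, avp_len = bool(hdr & 0x8000), bool(hdr & 0x4000), hdr & 0x03FF
        if avp_len < 6 or pos + avp_len > len(body):
            raise L2tpError(f"bad AVP length {avp_len} at offset {pos}")
        if mandatory and vendor_id == 0 and attr_type not in KNOWN_AVPS:
            # M bit set on an AVP we don't understand: the rule is to shut down the tunnel or session.
            raise L2tpError(f"unknown mandatory AVP type {attr_type}; tear down")
        avps.append(Avp(mandatory, hidden, vendor_id, attr_type, body[pos + 6:pos + avp_len]))
        pos += avp_len
    return avps

def parse_control_message(pkt: bytes) -> Tuple[Header, str, List[Avp]]:
    hdr = parse_header(pkt)
    if not hdr.is_control:
        raise L2tpError("T bit clear: this is a data packet")
    avps = parse_avps(hdr.body)
    if not avps or (avps[0].vendor_id, avps[0].attr_type, len(avps[0].value)) != (0, 0, 2):
        raise L2tpError("first AVP of a control message must be Message Type")
    mtype = struct.unpack("!H", avps[0].value)[0]
    return hdr, MESSAGE_TYPES.get(mtype, f"unknown({mtype})"), avps

def build_avp(attr_type: int, value: bytes, mandatory: bool = True, vendor_id: int = 0) -> bytes:
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | (6 + len(value)), vendor_id, attr_type) + value

def build_control_packet(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    flags = 0x8000 | 0x4000 | 0x0800 | L2TP_VERSION   # T, L, S set; version 2
    return struct.pack("!HHHHHH", flags, 12 + len(avps), tunnel_id, session_id, ns, nr) + avps

# Constructed sample (not a real capture): an SCCRQ from a LAC with a made-up host name.
SAMPLE_SCCRQ = build_control_packet(0, 0, 0, 0,
    build_avp(0, struct.pack("!H", 1))           # Message Type = 1 (SCCRQ)
    + build_avp(2, b"\x01\x00")                  # Protocol Version 1.0
    + build_avp(7, b"lac-example")               # Host Name (constructed)
    + build_avp(9, struct.pack("!H", 17767)))    # Assigned Tunnel ID (number borrowed from slide 17)
```

Running parse_control_message(SAMPLE_SCCRQ) returns the header, the name "SCCRQ" and the four AVPs; feeding it a datagram whose Length field is larger than the datagram, or an AVP with the M bit and an unknown type, raises L2tpError instead of reading out of bounds or silently accepting the message.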

9 L2TP Message Types
- 1 - SCCRQ - Start Control Connection ReQuest
- 2 - SCCRP - Start Control Connection RePly
- 3 - SCCCN - Start Control Connection CoNnected
- 4 - StopCCN - Stop Control Connection Notification
- 6 - HELLO - HELLO
- 7 - OCRQ - Outgoing Call ReQuest
- 8 - OCRP - Outgoing Call RePly
- 9 - OCCN - Outgoing Call CoNnected
- 10 - ICRQ - Incoming Call ReQuest
- 11 - ICRP - Incoming Call RePly
- 12 - ICCN - Incoming Call CoNnected
- 14 - CDN - Call Disconnect Notification
- 15 - WEN - WAN Error Notify
- 16 - SLI - Set Link Info

10 The Future of L2TP - L2TPv3
- New data channel header format
- Clarify ambiguities in the current standard
- Encapsulates other types of frames than PPP (work with PWE3 - Pseudo Wire Emulation Edge to Edge):
  - Ethernet
  - Frame relay
  - Circuit emulation

11 Overview of l2tpd software package

12 History of l2tpd
- Originally written by Mark Spencer; last version 0.60
- Forked in 2000 by Scott Balmos and David Stipp, hosted on Sourceforge
- Turned over control in Jan to me
- Obtained support of Mark Spencer for further development as well
- Further detail at

13 l2tpd features
- Tunnel level authentication (currently broken)
- Works as both LNS and LAC (only with PPP on the same system)
- "Autodial" pre-configured peers
- "Interactive" control (named pipe)

14 Known bugs
- Challenge/Response authentication on tunnels is broken
- Data channel sequencing support doesn't exist
- pty handling is horrible, though it works after a fashion
- Session and tunnel shutdown works, barely

15 l2tpd - current work directions
- Bugfixing, bugfixing, bugfixing
- Easily integrated new features (data sequencing)
- Knobs for interoperability
- Did I mention bugfixing?
- No significant new feature work

16 l2tpd-devel
- What I'm calling the "next-generation" l2tpd
- No working code available yet
- kernel module
- pppd plugin
- l2tpd daemon

17 "Interactive" use of l2tpd
echo "t " > /var/run/l2tp-control
Standard output of l2tpd gives you a tunnel ID:
control_finish: Connection established to , Local: 17767, Remote: 86.
echo "c 17767" > /var/run/l2tp-control

18 /etc/l2tp/l2tpd.conf
[global]
port = 1701
[lns default]
ip range =
lac =
hidden bit = no
refuse chap = yes
require authentication = yes
ppp debug = yes
[lac cindsl01]
lns =
autodial = yes
[lac iostest]
lns =

19 l2tpd compared to other tunnelling technologies

20 Why L2TP vs. IPSec Tunnel Mode
L2TP:
- Multi-protocol
- Authentication flexibility
- Works via NAT
- Multi-Link PPP avoids MTU issues
IPSec tunnel mode:
- Encryption
- Protocol overhead

21 Why L2TP vs. PPTP
L2TP:
- Open standard
- Not Microsoft - 'nuff said
PPTP:
- Weak encryption
- Microsoft
- Non-standard

22 Why L2TP vs. GRE or IPIP
L2TP:
- Scalability
- Control protocol mechanism
- Authentication
- Multi-protocol
GRE/IPIP:
- Low protocol overhead
- Simple configuration
- No dependency on PPP

23 Why L2TP vs. VTun
L2TP:
- Interoperability
- Open standard
- Can carry varied types of traffic
VTun:
- Open
- Encryption
- Traffic shaping

