
Layer 2 Tunneling Protocol

From Wikipedia, the free encyclopedia


In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to
support virtual private networks (VPNs). It does not provide any encryption or confidentiality by
itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.[1]

Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session
Layer protocol,[2] and uses the registered UDP port 1701 (see List of TCP and UDP port
numbers).
History

Published in 1999 as proposed standard RFC 2661, L2TP has its origins primarily in two older
tunneling protocols for Point-to-Point Protocol (PPP): Cisco's Layer 2 Forwarding Protocol
(L2F) and US Robotics' Point-to-Point Tunneling Protocol (PPTP). A new version of this
protocol, L2TPv3, was published as proposed standard RFC 3931 in 2005. L2TPv3 provides
additional security features, improved encapsulation, and the ability to carry data links other than
simply PPP over an IP network (e.g., Frame Relay, Ethernet, ATM, etc.).
Description

The entire L2TP packet, including payload and L2TP header, is sent within a UDP datagram. It
is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does
not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP
packets by providing confidentiality, authentication and integrity. The combination of these two
protocols is generally known as L2TP/IPsec (discussed below).

The two endpoints of an L2TP tunnel are called the LAC (L2TP Access Concentrator) and the
LNS (L2TP Network Server). The LAC is the initiator of the tunnel while the LNS is the server,
which waits for new tunnels. Once a tunnel is established, the network traffic between the peers
is bidirectional. To be useful for networking, higher-level protocols are then run through the
L2TP tunnel. To facilitate this, an L2TP session (or call) is established within the tunnel for each
higher-level protocol such as PPP. Either the LAC or LNS may initiate sessions. The traffic for
each session is isolated by L2TP, so it is possible to set up multiple virtual networks across a
single tunnel. MTU should be considered when implementing L2TP.

The packets exchanged within an L2TP tunnel are categorised as either control packets or data
packets. L2TP provides reliability features for the control packets, but no reliability for data
packets. Reliability, if desired, must be provided by the nested protocols running within each
session of the L2TP tunnel.
Tunneling models

An L2TP tunnel can extend across an entire PPP session or only across one segment of a two-
segment session. This can be represented by four different tunneling models, namely [1] [2] [3]

• voluntary tunnel
• compulsory tunnel incoming call
• compulsory tunnel remote dial
• L2TP multi-hop connection
L2TP packet structure

An L2TP packet consists of:

    Bits 0-15                Bits 16-31
    Flags and Version Info   Length (opt)
    Tunnel ID                Session ID
    Ns (opt)                 Nr (opt)
    Offset Size (opt)        Offset Pad (opt) ......
    Payload data

Field meanings:

Flags and version
    Control flags indicating data/control packet and presence of length, sequence, and offset
    fields.
Length (optional)
    Total length of the message in bytes, present only when the length flag is set.
Tunnel ID
    Indicates the identifier for the control connection.
Session ID
    Indicates the identifier for a session within a tunnel.
Ns (optional)
    Sequence number for this data or control message, beginning at zero and incrementing by
    one (modulo 2^16) for each message sent. Present only when the sequence flag is set.
Nr (optional)
    Sequence number for the expected message to be received. Nr is set to the Ns of the last in-
    order message received plus one (modulo 2^16). In data messages, Nr is reserved and, if
    present (as indicated by the S bit), MUST be ignored upon receipt.
Offset Size (optional)
    Specifies where payload data is located past the L2TP header. If the offset field is
    present, the L2TP header ends after the last byte of the offset padding. This field exists if
    the offset flag is set.
Offset Pad (optional)
    Variable length, as specified by the offset size. Contents of this field are undefined.
Payload data
    Variable length (Max payload size = Max size of UDP packet - size of L2TP header)
L2TP packet exchange

At the time of setup of an L2TP connection, many control packets are exchanged between server
and client to establish a tunnel and session for each direction. One peer requests the other peer to
assign a specific tunnel and session id through these control packets. Then, using this tunnel and
session id, data packets are exchanged with the compressed PPP frames as payload.

The list of L2TP control messages exchanged between LAC and LNS, for handshaking before
establishing a tunnel and session in the voluntary tunneling method, are

L2TP/IPsec

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented
along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The
process of setting up an L2TP/IPsec VPN is as follows:

1. Negotiation of an IPsec security association (SA), typically through Internet key
   exchange (IKE). This is carried out over UDP port 500, and commonly uses either
   a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates
   on both ends, although other keying methods exist.
2. Establishment of Encapsulating Security Payload (ESP) communication in
   transport mode. The IP protocol number for ESP is 50 (compare TCP's 6 and
   UDP's 17). At this point, a secure channel has been established, but no tunneling
   is taking place.
3. Negotiation and establishment of the L2TP tunnel between the SA endpoints. The
   actual negotiation of parameters takes place over the SA's secure channel, within
   the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec.
Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information
about the internal private network can be garnered from the encrypted packet. Also, it is not
necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are
not acted upon until after the IPsec data has been decrypted and stripped, which only takes place at
the endpoints.

A potential point of confusion in L2TP/IPsec is the use of the terms tunnel and secure channel.
The term tunnel refers to a channel which allows untouched packets of one network to be
transported over another network. In the case of L2TP/PPP, it allows L2TP/PPP packets to be
transported over IP. A secure channel refers to a connection within which the confidentiality of
all data is guaranteed. In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a
tunnel.
Windows implementation

Windows Vista provides two new configuration utilities that attempt to make using L2TP
without IPsec easier, both described in the sections that follow below:

• an MMC snap-in called "Windows Firewall with Advanced Security" (WFwAS), located
  in Control Panel under Administrative Tools
• the "netsh advfirewall" command-line tool

Both these configuration utilities are not without their difficulties, and unfortunately, there is
very little documentation about both "netsh advfirewall" and the IPsec client in WFwAS. One of
the aforementioned difficulties is that it is not compatible with NAT. Another problem is that
servers must be specified only by IP address in the new Vista configuration utilities; the
hostname of the server cannot be used, so if the IP address of the IPsec server changes, all clients
will have to be informed of this new IP address (which also rules out servers that are addressed by
utilities such as DynDNS).
L2TP in ADSL networks

L2TP is often used as a tunneling mechanism to resell ADSL endpoint connectivity at layer 2.
An L2TP tunnel would sit between the user and the ISP the connection would be resold to, so the
reselling ISP would not appear as doing the transport.

L2TP in cable networks

L2TP is used by the cable Internet provider as a tunnelling mechanism to sell endpoint
connectivity. The L2TP tunnel sits between the user and the ISP. Again, the reselling cable
provider doesn't appear as doing the transport.