Softwires Hub - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
Softwires Hub & Spoke with L2TP
  • Maria Alice Dos Santos, Cisco
  • Bill Storer, Cisco

2
Satisfying Softwires Requirements with L2TP
  • There are 2 versions of L2TP
  • L2TPv2 (RFC 2661)
  • L2TPv3 (RFC 3931)
  • Both versions can satisfy the Softwires
    requirements with some changes
  • For L2TPv2 the changes are very small
  • For L2TPv3 the changes are larger but provide
    extra function

3
L2TP and NAT
  • L2TP supports UDP encapsulation
  • For L2TPv2, UDP encapsulation is mandatory
  • For L2TPv3 UDP encapsulation is optional
  • UDP encapsulation allows simple traversal of NAT

4
L2TP and Security
  • L2TP supports tunnel authentication
  • Can authenticate the host initiating the tunnel
  • L2TP supports PPP encapsulation
  • Can authenticate the PPP user within the tunnel
  • L2TPv3 offers data channel security against
    malicious data insertion by carrying a variable
    length cookie (optional in RFC 3931) that the
    receiving peer validates on every data packet

5
L2TP and Management
  • L2TP provides a tunnel keep alive mechanism
  • L2TPv2 has accounting and MIB support
  • RADIUS Accounting extension for tunnel (RFC 2867)
  • L2TPv2 MIB RFC 3371
  • L2TPv3 has VCCV support
  • Provides diagnostic and fault detection
    capabilities at the session level
  • draft-ietf-pwe3-vccv-07

6
L2TP and Multicast
  • PIM or IGMP messages pass through the L2TP tunnel
    transparently
  • At the Hub router, each spoke appears as a PPP
    connection
  • Multicast environment here is identical to that
    of an edge router terminating large numbers of
    PPP connections

7
L2TP and IPsec
  • RFC 3193 - Securing L2TP using IPsec
  • RFC 3948 - UDP Encapsulation of IPsec ESP Packets
  • ESP must be supported
  • Transport mode must be supported
  • A typical L2TP/IPsec frame is as follows:
    IP | ESP header | UDP | L2TP | PPP | ESP trailer | ESP Auth trailer

8
L2TP and Scalability
  • L2TPv2 is widely used to provide large scale IPv4
    services today.
  • Case in point being NTT
  • Routers currently support high volume L2TPv2
  • Tens of thousands of concurrent L2TPv2 sessions
  • Call setup rates in the hundreds per second
  • L2TPv3 can be more efficient than L2TPv2

9
L2TP as Softwire Standard
  • L2TPv2 meets IPv6 over IPv4 softwires
    requirements today
  • L2TPv2 is currently used in multiple IPv6 over
    IPv4 solutions
  • L2TPv2 (RFC 2661) is 99% ready for the IPv4 over
    IPv6 solution; only IPv6 transport of the tunnel
    itself is missing
  • L2TPv3 is a superset of L2TPv2, with enhancements
    in security, scalability and flexibility for
    future extensions
  • L2TPv3 is not far from meeting all softwires
    requirements
  • L2TPv3 (RFC 3931) automatic fallback to L2TPv2
    allows seamless transition from L2TPv2 to L2TPv3

10
L2TPv2 as the Immediate Solution
  • L2TPv2 is currently used in several IPv6 over
    IPv4 deployments
  • Implementations of key components are readily
    available
  • LNSes supporting L2TPv2 acting as tunnel
    terminator, supporting IPv6 over PPP (IPv6CP) and
    DHCPv6 server capabilities or proxy
  • Standalone DHCPv6 server
  • RADIUS support for IPv6 prefix delegation
    attributes
  • CPEs or home routers supporting L2TPv2, IPv6 over
    PPP (IPv6CP) and DHCPv6 client capabilities
  • Windows (i.e. Longhorn) supporting IPv6 over PPP
    and L2TPv2 over IPsec is becoming available in
    the near future
  • Support for IPv4 over IPv6 with L2TPv2 requires
    the addition of IPv6 transport support for L2TPv2
    (a minor extension to RFC 2661). Beyond that,
    IPv4 over PPP over L2TPv2 over IPv6 will work as
    in today's L2TPv2 over IPv4 solutions

11
IPv6 over IPv4 Softwire with L2TPv2, Case 1: CPE as Softwire Initiator
[Diagram] LNS --- IPv4 --- Dual AF CPE --- hosts
  Softwire: IPv6 o PPP over L2TPv2 o UDP o IPv4, CPE to LNS
  ISP to Dual AF CPE (PD and Auto-Config): IPv6CP capable of /64 interface ID assignment or uniqueness check; /64 prefix via RA; /48 prefix, DNS, etc. via DHCPv6 PD
  Dual AF CPE to Hosts (Auto-Config): /64 prefixes via RA; DNS, etc. via DHCPv4/v6
12
IPv6 over IPv4 Softwire with L2TPv2, Case 2: Router behind CPE as Softwire Initiator
[Diagram] LNS --- IPv4 --- CPE --- Dual AF Router --- hosts
  Softwire: IPv6 o PPP over L2TPv2 o UDP o IPv4, Dual AF Router to LNS (through the CPE)
  ISP to Dual AF Router (PD and Auto-Config): IPv6CP capable of /64 interface ID assignment or uniqueness check; /64 prefix via RA; /48 prefix, DNS, etc. via DHCPv6 PD
  Dual AF Router to Hosts (Auto-Config): /64 prefixes via RA; DNS, etc. via DHCPv4/v6
13
IPv6 over IPv4 Softwire with L2TPv2, Case 3: Host as Softwire Initiator
[Diagram] LNS --- IPv4 --- CPE --- Dual AF Host
  Softwire: IPv6 o PPP over L2TPv2 o UDP o IPv4, Dual AF Host to LNS (through the CPE)
  ISP to Dual AF Host (Auto-Config): IPv6CP capable of /64 interface ID assignment or uniqueness check; /64 prefix via RA; DNS, etc. via DHCPv4/v6
14
IPv4 over IPv6 Softwire with L2TPv2, Case 1: CPE as Softwire Initiator
[Diagram] LNS --- IPv6 --- Dual AF CPE --- hosts
  Softwire: IPv4 o PPP over L2TPv2 o UDP o IPv6, CPE to LNS
  ISP to Dual AF CPE (IP Assignment and Auto-Config): IPCP assigns global IPv4 address and DNS, etc.
  Dual AF CPE to Hosts (IP Assignment and Auto-Config): private IPv4 addresses and DNS, etc. via DHCP
15
IPv4 over IPv6 Softwire with L2TPv2, Case 2: Router behind CPE as Softwire Initiator
[Diagram] LNS --- IPv6 --- CPE --- Dual AF Router --- hosts
  Softwire: IPv4 o PPP over L2TPv2 o UDP o IPv6, Dual AF Router to LNS (through the CPE)
  ISP to Dual AF Router (IP Assignment and Auto-Config): IPCP assigns global IPv4 address and DNS, etc.
  Dual AF Router to Hosts (IP Assignment and Auto-Config): private IPv4 addresses and DNS, etc. via DHCP
16
IPv4 over IPv6 Softwire with L2TPv2, Case 3: Host as Softwire Initiator
[Diagram] LNS --- IPv6 --- CPE --- Dual AF Host
  Softwire: IPv4 o PPP over L2TPv2 o UDP o IPv6, Dual AF Host to LNS (through the CPE)
  ISP to Dual AF Host (IP Assignment and Auto-Config): IPCP assigns global IPv4 address and DNS, etc.
17
IPv6 o L2TPv2 o IPv4 Today
  • NTT
  • http://www.ntt.com/release_e/news05/0011/1121.html
  • http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
  • Point6
  • draft-toutain-softwire-point6box-00
  • Cisco
  • http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html

18
Why move to L2TPv3?
  • Cons of L2TPv2 as compared to L2TPv3
  • Weaker tunnel authentication mechanism, which
    validates only the header portion of the control
    messages (the message type) and covers only the
    SCCRQ, SCCRP and SCCCN message types
  • No built-in data channel security; must be
    bundled with IPsec to achieve security
  • 16-bit Session IDs, as compared to the 32-bit
    Session IDs of L2TPv3

19
Why move to L2TPv3? (Cont.) Cons of L2TPv2 as
compared to L2TPv3
  • Tunnel/Session Setup latency
  • L2TP SCCRQ, SCCRP, SCCCN, ICRQ, ICRP, ICCN
  • PPP LCP
  • PPP CHAP (per-user authentication is optional)
  • IPCP
  • Since L2TPv3 offers the option to tunnel IP
    frames directly without PPP, using L2TPv3 can
    eliminate PPP overhead

20
Why move to L2TPv3? (Cont.) Cons of L2TPv2 as
compared to L2TPv3
  • L2TPv2 Data Encapsulation
  • PPP over L2TPv2 over UDP: 20 bytes
  • L2TPv3 allows further encapsulation optimization
    by offering the option to run over IP (instead of
    mandating UDP) and to tunnel IP frames without PPP
[Diagram] L2TPv2 data encapsulation (sequencing disabled, Length field present):
  IPv4 / IPv6 | UDP (8 bytes) | Flags Ver | Len (opt) | Tunnel Id | Session Id | PPP PId 0xFF03 | Payload
21
L2TPv3 for the Future
[Diagram] L2TPv3 encapsulation (32-bit ruler omitted):
  IPv4 or IPv6 Header | UDP (Optional) | L2TP Version | Session ID (32 Bits) | Cookie (Up to 64 Bits, Optional) | Payload
  Payload types: PPP, HDLC, Frame Relay, Ethernet, ATM (Cell or Packet), MPLS, IP
22
L2TPv3 as Next Phase Softwires Solution
  • PPP over L2TPv3
  • L2TPv3 can provide the same softwires solution as
    described with PPP over L2TPv2
  • Support for PPP tunneling for L2TPv3
  • draft-ietf-l2tpext-l2tp-ppp-03.txt

23
L2TPv3 as Next Phase Softwires Solution
  • IP over L2TPv3
  • L2TPv3 also offers a more optimal softwires
    solution with its capability to directly tunnel
    IP frames
  • IP Pseudowire support
  • draft-ietf-l2tpext-pwe3-ip-01
  • IP Pseudowire Type has the following advantages
  • Not necessary to negotiate PPP at session
    initiation
  • Not necessary to include PPP encap in data
  • Authentication is available at the tunnel level
  • Implies one session per tunnel
  • New AVPs to provide basic IPCP / IPv6CP Address
    assignment services are required

24
L2TPv3 (RFC 3931) Advantages: Encap Optimization
  • PPP over L2TPv3 over UDP (sequencing disabled):
    18 bytes without the optional cookie, 26 bytes with it
  • IP over L2TPv3 over UDP (sequencing disabled):
    16 bytes without the optional cookie, 24 bytes with it
  • IP over L2TPv3 over IP (sequencing disabled):
    4 bytes without the optional cookie, 12 bytes with it
[Diagram] the three header stacks, left to right:
  IPv4 / IPv6 | UDP (8 bytes) | Flags Ver | Session Id | Cookie (opt. to 8 bytes) | PPP PId | Payload
  IPv4 / IPv6 | UDP (8 bytes) | Flags Ver | Session Id | Cookie (opt. to 8 bytes) | Payload
  IPv4 / IPv6 | Session Id | Cookie (opt. to 8 bytes) | Payload
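The header stacks on slides 20 and 24, as an added example that is not part of the presentation or of any vendor's code: a small Python encoder and decoder for the L2TPv2 and L2TPv3 data headers that reproduces the overhead figures above. The tunnel and session IDs, the cookie value and the payload are assumptions. The PPP over L2TPv3 case is left out because the slide's 18-byte figure counts 2 bytes of PPP framing, whereas the L2TPv2 figure (20 bytes) counts the full 4 bytes (address/control plus protocol field) used here.

```python
# Added example (not part of the slides): build and decode the L2TP data
# encapsulations compared on slides 20 and 24 and count their per-packet
# overhead.  The outer IPv4/IPv6 header is not counted, matching the slides.
# Tunnel/session IDs, cookies and payloads are constructed for illustration.
import struct

UDP_HEADER_LEN = 8               # fixed UDP header, counted in the slides' totals
PPP_ADDR_CTRL = b"\xff\x03"      # PPP HDLC-like address/control framing
PPP_PROTO_IPV6 = 0x0057          # PPP protocol number for IPv6 (IPv4 is 0x0021)
L2TPV3_COOKIE_SIZES = (0, 4, 8)  # RFC 3931 allows no cookie or a 32/64-bit one


def l2tpv2_data_header(tunnel_id, session_id, body_len):
    """L2TPv2 data header (8 bytes): Flags/Ver, Length, Tunnel ID, Session ID.
    T=0 (data), L=1 (Length present), no S/O bits, Ver=2.  Length covers the
    whole L2TP message, this header included."""
    flags_ver = 0x4000 | 0x0002
    return struct.pack("!HHHH", flags_ver, 8 + body_len, tunnel_id, session_id)


def l2tpv3_udp_data_header(session_id, cookie=b""):
    """L2TPv3 data header over UDP (8 bytes + cookie): 16-bit Flags/Ver word
    (T=0, Ver=3), 16 reserved bits, 32-bit Session ID, optional cookie."""
    if len(cookie) not in L2TPV3_COOKIE_SIZES:
        raise ValueError("L2TPv3 cookie must be 0, 4 or 8 bytes")
    return struct.pack("!HHI", 0x0003, 0, session_id) + cookie


def l2tpv3_ip_data_header(session_id, cookie=b""):
    """L2TPv3 data header directly over IP: only the Session ID plus the
    optional cookie.  Session ID 0 is reserved for control messages."""
    if session_id == 0:
        raise ValueError("session ID 0 is reserved for L2TPv3-over-IP control")
    if len(cookie) not in L2TPV3_COOKIE_SIZES:
        raise ValueError("L2TPv3 cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie


def ppp_over_l2tpv2_udp(tunnel_id, session_id, ppp_proto, payload):
    """UDP payload for PPP over L2TPv2 over UDP (slide 20)."""
    body = PPP_ADDR_CTRL + struct.pack("!H", ppp_proto) + payload
    return l2tpv2_data_header(tunnel_id, session_id, len(body)) + body


def ip_over_l2tpv3_udp(session_id, payload, cookie=b""):
    """UDP payload for the IP pseudowire over L2TPv3 over UDP (slide 24)."""
    return l2tpv3_udp_data_header(session_id, cookie) + payload


def ip_over_l2tpv3_ip(session_id, payload, cookie=b""):
    """IP payload for the IP pseudowire over L2TPv3 over IP (slide 24)."""
    return l2tpv3_ip_data_header(session_id, cookie) + payload


def overhead_bytes(frame, payload, over_udp):
    """Per-packet overhead: L2TP header (and PPP framing) plus UDP when used."""
    return len(frame) - len(payload) + (UDP_HEADER_LEN if over_udp else 0)


def parse_l2tpv2_data(datagram):
    """Decode a PPP-over-L2TPv2 data message, checking the header fields a
    receiver must validate before it trusts the payload."""
    if len(datagram) < 12:
        raise ValueError("truncated L2TPv2 data message")
    flags_ver, length, tunnel_id, session_id = struct.unpack("!HHHH", datagram[:8])
    if flags_ver & 0x000F != 2:
        raise ValueError("not an L2TPv2 message")
    if flags_ver & 0x8000:
        raise ValueError("control message received on the data path")
    if flags_ver & 0x0A00:
        raise ValueError("sequencing/offset not supported by this decoder")
    if not flags_ver & 0x4000 or length != len(datagram):
        raise ValueError("bad or missing Length field")
    if datagram[8:10] != PPP_ADDR_CTRL:
        raise ValueError("missing PPP address/control framing")
    (ppp_proto,) = struct.unpack("!H", datagram[10:12])
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ppp_proto": ppp_proto, "payload": datagram[12:]}


def overhead_table(payload):
    """Overhead of each encapsulation for one payload, in the slides' order."""
    return {
        "PPP o L2TPv2 o UDP": overhead_bytes(
            ppp_over_l2tpv2_udp(0x1234, 0x5678, PPP_PROTO_IPV6, payload), payload, True),
        "IP o L2TPv3 o UDP": overhead_bytes(
            ip_over_l2tpv3_udp(0x11223344, payload), payload, True),
        "IP o L2TPv3 o UDP + cookie": overhead_bytes(
            ip_over_l2tpv3_udp(0x11223344, payload, b"\xaa" * 8), payload, True),
        "IP o L2TPv3 o IP": overhead_bytes(
            ip_over_l2tpv3_ip(0x11223344, payload), payload, False),
        "IP o L2TPv3 o IP + cookie": overhead_bytes(
            ip_over_l2tpv3_ip(0x11223344, payload, b"\xaa" * 8), payload, False),
    }


if __name__ == "__main__":
    sample = b"\x60" + bytes(39)  # constructed stand-in for an IPv6 header
    for name, size in overhead_table(sample).items():
        print(f"{name:28s} {size:3d} bytes")
```

The decoder is deliberately strict: it refuses a control message (T bit set) arriving on the data path, refuses a Length field that disagrees with the datagram size, and refuses Session ID 0 on L2TPv3 over IP, since that value is reserved for control traffic; these are the cheap checks a tunnel terminator should make before the cookie or any PPP processing.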
25
IPv6 over IPv4 Softwire with L2TPv3, Case 1: CPE as Softwire Initiator
[Diagram] LNS --- IPv4 --- Dual AF CPE --- hosts
  Softwire: IPv6 payload directly over L2TPv3 o IPv4, CPE to LNS
  ISP to Dual AF CPE (PD and Auto-Config): /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs; /64 prefix via RA; /48 prefix, DNS, etc. via DHCPv6 PD
  Dual AF CPE to Hosts (Auto-Config): /64 prefixes via RA; DNS, etc. via DHCP
26
IPv6 over IPv4 Softwire with L2TPv3, Case 2: Router behind CPE as Softwire Initiator
[Diagram] LNS --- IPv4 --- CPE --- Dual AF Router --- hosts
  Softwire: IPv6 payload over L2TPv3 o UDP o IPv4, Dual AF Router to LNS (through the CPE)
  ISP to Dual AF Router (PD and Auto-Config): /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs; /64 prefix via RA; /48 prefix, DNS, etc. via DHCPv6 PD
  Dual AF Router to Hosts (Auto-Config): /64 prefixes via RA; DNS, etc. via DHCP
27
IPv6 over IPv4 Softwire with L2TPv3, Case 3: Host as Softwire Initiator
[Diagram] LNS --- IPv4 --- CPE --- Dual AF Host
  Softwire: IPv6 payload over L2TPv3 o UDP o IPv4, Dual AF Host to LNS (through the CPE)
  ISP to Dual AF Host (Auto-Config): /64 interface ID assignment or uniqueness check via new L2TPv3 AVPs; /64 prefix via RA; DNS, etc. via DHCPv4/v6
28
IPv4 over IPv6 Softwire with L2TPv3, Case 1: CPE as Softwire Initiator
[Diagram] LNS --- IPv6 --- Dual AF CPE --- hosts
  Softwire: IPv4 payload directly over L2TPv3 o IPv6, CPE to LNS
  ISP to Dual AF CPE (IP Assignment and Auto-Config): IPv4 address assignment and DNS via new L2TPv3 AVPs
  Dual AF CPE to Hosts (IP Assignment and Auto-Config): private IPv4 addresses and DNS, etc. via DHCP
29
IPv4 over IPv6 Softwire with L2TPv3, Case 2: Router behind CPE as Softwire Initiator
[Diagram] LNS --- IPv6 --- CPE --- Dual AF Router --- hosts
  Softwire: IPv4 payload directly over L2TPv3 o IPv6, Dual AF Router to LNS (through the CPE)
  ISP to Dual AF Router (IP Assignment and Auto-Config): IPv4 address assignment and DNS via new L2TPv3 AVPs
  Dual AF Router to Hosts (IP Assignment and Auto-Config): private IPv4 addresses and DNS, etc. via DHCP
30
IPv4 over IPv6 Softwire with L2TPv3, Case 3: Host as Softwire Initiator
[Diagram] LNS --- IPv6 --- CPE --- Dual AF Host
  Softwire: IPv4 payload directly over L2TPv3 o IPv6, Dual AF Host to LNS (through the CPE)
  ISP to Dual AF Host (IP Assignment and Auto-Config): IPv4 address assignment and DNS via new L2TPv3 AVPs
31
L2TPv3 Enhanced Security
  • Enhanced Control Plane Security
  • Message Digest is calculated with entire control
    message
  • Message Digest is calculated for all control
    message types
  • Data Plane Security
  • Provides an additional layer of defense for data
    packets, over and above ACLs, with the use of a
    simple cookie
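The control-plane difference stated on slide 18 and on the slide above, shown as an added example that is not part of the presentation and not any implementation's code. L2TPv2 tunnel authentication (RFC 2661) is CHAP-style: the proof is MD5 over the one-octet message type, the shared secret and the challenge, and only SCCRP and SCCCN carry it, so an on-path change to any other AVP passes unnoticed. The v3-style check below computes a keyed digest over the entire control message; its key derivation is a simplified stand-in for the RFC 3931 Message Digest AVP, not a copy of it, and the secret, nonces and AVP values are constructed.

```python
# Added example (not from the slides): why the control-plane change on slides
# 18 and 31 matters.  L2TPv2 tunnel authentication (RFC 2661) is CHAP-style and
# covers only the message type, the shared secret and the challenge; a digest
# in the style of L2TPv3 (RFC 3931) covers the whole control message.  The
# message layout is simplified and the v3 key derivation is a stand-in for the
# RFC's, not a copy of it.  Secrets, nonces and AVP values are constructed.
import hashlib
import hmac
import struct

MT_SCCRP = 2                  # Start-Control-Connection-Reply
AVP_MESSAGE_TYPE = 0
AVP_RECEIVE_WINDOW_SIZE = 10


def avp(attr_type, value, mandatory=True):
    """Encode one AVP: M bit + 10-bit length, vendor ID 0, attribute type, value."""
    flags_len = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def control_message(msg_type, avps):
    """Control message: 12-byte header (T=1, L=1, S=1, Ver=2; Length, then
    Tunnel ID, Session ID, Ns, Nr all zero here), Message Type AVP, rest."""
    body = avp(AVP_MESSAGE_TYPE, struct.pack("!H", msg_type)) + b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), 0, 0, 0, 0) + body


def message_type(message):
    """Read the Message Type AVP value that follows the 12-byte header."""
    return struct.unpack("!H", message[18:20])[0]


def v2_challenge_response(msg_type, secret, challenge):
    """RFC 2661 tunnel authentication: MD5 over the one-octet message type (used
    as the CHAP identifier), the shared secret and the peer's challenge.  Only
    SCCRP and SCCCN carry it, and no other field of the message is covered."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def v2_verify(message, response, secret, challenge):
    expected = v2_challenge_response(message_type(message), secret, challenge)
    return hmac.compare_digest(response, expected)


def v3_style_digest(message, secret, local_nonce, remote_nonce):
    """Keyed digest over the entire control message, header and every AVP, with
    the key bound to the shared secret and both peers' nonces.  Simplified
    stand-in for the RFC 3931 Message Digest AVP: same coverage, not the RFC's
    exact derivation, and the digest AVP itself is kept out of the message."""
    key = hashlib.sha1(secret + local_nonce + remote_nonce).digest()
    return hmac.new(key, message, hashlib.sha1).digest()


def v3_style_verify(message, digest, secret, local_nonce, remote_nonce):
    expected = v3_style_digest(message, secret, local_nonce, remote_nonce)
    return hmac.compare_digest(digest, expected)


def demo():
    """An on-path attacker rewrites the Receive Window Size AVP of an SCCRP
    from 4 to 65535 after the legitimate responder computed its proof."""
    secret = b"assumed-shared-secret"
    challenge = bytes(range(16))                     # taken from the peer's SCCRQ
    local_nonce, remote_nonce = b"\x01" * 16, b"\x02" * 16
    rws = avp(AVP_RECEIVE_WINDOW_SIZE, struct.pack("!H", 4))
    sccrp = control_message(MT_SCCRP, [rws])
    v2_proof = v2_challenge_response(MT_SCCRP, secret, challenge)
    v3_proof = v3_style_digest(sccrp, secret, local_nonce, remote_nonce)
    tampered = sccrp.replace(rws, avp(AVP_RECEIVE_WINDOW_SIZE, struct.pack("!H", 0xFFFF)))
    return {
        "v2_accepts_original": v2_verify(sccrp, v2_proof, secret, challenge),
        "v2_accepts_tampered": v2_verify(tampered, v2_proof, secret, challenge),
        "v3_accepts_original": v3_style_verify(sccrp, v3_proof, secret, local_nonce, remote_nonce),
        "v3_accepts_tampered": v3_style_verify(tampered, v3_proof, secret, local_nonce, remote_nonce),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:22s} {accepted}")
```

The tampered SCCRP is accepted by the v2 check because nothing but the message type feeds the MD5; the same message fails the whole-message digest. The same gap applies to every v2 message that carries no proof at all (ICRQ, ICRP, ICCN, Hello, StopCCN), which is why the slide's "all control message types" is the more important half of the change.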

32
L2TPv3 Security: What is the L2TPv3 Cookie?
[Diagram] L2TPv3 header fields: Session ID (32 Bits) | Cookie (up to 64 Bits)
  • The L2TPv3 Cookie is a cryptographically random
    value, present in each L2TPv3 packet
  • Chosen by the receiver, associated with a Session
    ID, and signaled to the sender
  • Cookies in the header must match upon receipt,
    otherwise the packet is dropped
  • Provides an additional layer of security at a
    very important place before switching packets
    out of the core and into the customer premises
  • Strikes a strategic balance for the SP: stronger
    than ACLs, but less complex than IPsec encryption
    and key negotiation
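The receiving-end behaviour described above, as an added example that is not part of the presentation or of any router's code: an L2TPv3-over-IP data path that allocates a random cookie per session, expects the peer to echo it, and drops anything that does not match. The session table, the session IDs, the sample packets and the one-bit-flipped attacker cookie are constructed; a real LNS would additionally scope the session lookup to the control connection and outer addresses.

```python
# Added example (not from the slides): the receiver-side check behind the
# L2TPv3 cookie on slide 32, for a session carried directly over IP.  The
# session table, session IDs and packets are constructed for illustration.
import hmac
import secrets
import struct


class L2tpv3DataReceiver:
    """State the receiving end keeps per session: the cookie it chose and
    signalled to its peer in the control channel when the session was set up."""

    def __init__(self, cookie_len=8):
        if cookie_len not in (4, 8):
            raise ValueError("cookie must be 32 or 64 bits (RFC 3931 sizes)")
        self.cookie_len = cookie_len
        self.sessions = {}    # local Session ID -> cookie the peer must echo
        self.dropped = []     # (reason, session_id): the signal to log and alert on

    def open_session(self):
        """Allocate a non-zero local Session ID and a cryptographically random
        cookie.  Both go to the peer; the cookie is never derived from anything
        an off-path attacker could guess."""
        while True:
            session_id = secrets.randbits(32)
            if session_id != 0 and session_id not in self.sessions:
                break
        cookie = secrets.token_bytes(self.cookie_len)
        self.sessions[session_id] = cookie
        return session_id, cookie

    def receive(self, packet):
        """Validate one L2TPv3-over-IP data packet.  Returns the inner payload
        to forward, or None when the packet is dropped."""
        header_len = 4 + self.cookie_len
        if len(packet) < header_len:
            self.dropped.append(("short", None))
            return None
        (session_id,) = struct.unpack("!I", packet[:4])
        expected = self.sessions.get(session_id)
        if expected is None:
            self.dropped.append(("unknown-session", session_id))
            return None
        # Constant-time compare: the cookie is a secret, so a mismatch must not
        # leak how many leading bytes the sender got right.
        if not hmac.compare_digest(packet[4:header_len], expected):
            self.dropped.append(("bad-cookie", session_id))
            return None
        return packet[header_len:]


def data_packet(session_id, cookie, payload):
    """L2TPv3-over-IP data packet: Session ID, cookie, then the tunnelled packet."""
    return struct.pack("!I", session_id) + cookie + payload


def demo():
    """Legitimate peer first; then an attacker who learned the Session ID (it
    travels in cleartext) but has the cookie wrong by one bit; then a packet
    for a session the receiver never opened."""
    lns = L2tpv3DataReceiver(cookie_len=8)
    session_id, cookie = lns.open_session()
    inner = b"\x45" + bytes(19)           # constructed stand-in for an IPv4 header
    wrong_cookie = cookie[:-1] + bytes([cookie[-1] ^ 0x01])
    results = [
        lns.receive(data_packet(session_id, cookie, inner)),
        lns.receive(data_packet(session_id, wrong_cookie, inner)),
        lns.receive(data_packet(session_id ^ 1, cookie, inner)),
    ]
    return lns, results


if __name__ == "__main__":
    lns, results = demo()
    print("forwarded:", [r is not None for r in results])
    print("dropped:", lns.dropped)
```

With a 64-bit cookie a blind sender has to guess 2^64 values per session, which is what lets the slide call it stronger than an ACL on source address alone. It is still only a membership check on the header: the payload is neither integrity-protected nor encrypted, so where those properties are required the L2TP/IPsec combination from slide 7 remains the answer, as the slide's own "less complex than IPsec" framing implies. The `dropped` list is the point to hook into logging; a burst of `bad-cookie` drops for one session is the detection signal for an insertion attempt.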

33
Summary of L2TPv3 Changes
  • Accounting RFC similar to RFC 2867
  • MIB RFC similar to RFC 3371
  • Definition of AVPs to support basic IPCP and
    IPv6CP functions

34
L2TP vs IPsec ESP Tunnel
  • L2TP has an in-band control plane
  • Inability to transmit data usually results in
    tunnel setup failure
  • Failures in data transport usually result in
    protocol keepalive failures
  • L2TPv3 VCCV can detect failures at the data
    switching level
  • L2TP infrastructure already exists for large
    scale data transport

35
L2TP vs GRE
  • GRE doesn't specify a control plane
  • The control plane must be provided by some other
    protocol
  • An in-band control plane is not possible