Layer 2 Tunneling Protocol (L2TP)

Layer Two Tunneling Protocol (L2TP) is an extension of PPTP that is documented and defined in RFC 2661. L2TP is used to enable the operation of a VPN over the Internet. RFC 3193 defines the use of L2TP over a secure IPsec transport. In this approach, L2TP packets are exchanged over User Datagram Protocol (UDP) port 1701, and IPsec Encapsulating Security Payload (ESP) protects the UDP payload to ensure secure communication. Cisco and Microsoft agreed to merge their respective tunneling protocols into L2TP, thereby adopting the best features of two earlier tunneling protocols: PPTP from Microsoft and Layer 2 Forwarding (L2F) from Cisco.

The two main components that make up L2TP are the L2TP Access Concentrator (LAC), which is the device that physically terminates a call, and the L2TP Network Server (LNS), which is the device that terminates and possibly authenticates the PPP stream.

L2TP is similar to PPTP in its use of PPP and in both function and design. In this blending of the work of two of the largest IT-related companies, some areas definitely benefited, specifically the securing of sensitive data.

L2TP Versus PPTP

L2TP and PPTP have a variety of features and benefits in common that reflect their original design and function within networking. These similarities are as follows:

• Both provide a logical transport mechanism for sending PPP payloads.

• Both provide tunneling and encapsulation so that PPP payloads based on any protocol can be sent across an IP network.

• Both rely on the PPP connection process to perform user authentication and protocol configuration.

Although L2TP and PPTP share some similarities, they are different in the following ways:

• With PPTP, data encryption begins after the PPP connection process (and therefore PPP authentication) completes. With L2TP/IPsec, data encryption begins before the PPP connection process.

• L2TP/IPsec connections use either DES or 3DES—again, we strongly prefer 3DES.

• PPTP requires only user-level authentication, whereas L2TP requires the same user-level authentication as well as computer-level authentication through a computer certificate.

The following section discusses some of L2TP’s important benefits and how it can be used more securely than its predecessor, PPTP.

Benefits of L2TP

ISPs have been able to build VPN solutions using L2TP (because of its Internet standard status) as the method by which customers gain the benefits of VPNs within a carrier’s network. Some of the more specific benefits of L2TP include the following:

• Because it is standards-based, interoperability of L2TP-capable devices between vendors is greatly increased.

• L2TP VPNs have become products for service providers.

• In Cisco-powered networks, end-point-to-end-point quality of service (QoS) can be provided through the use of QoS technologies such as DiffServ to categorize, tag, and prioritize traffic accordingly.

• IPsec is responsible for the encryption, which is also standards-based (that is, most recently defined in RFC 4308, from 2005). IPsec provides per-packet data origin authentication (proof that the authorized user sent the data), data integrity (proof that the data was not modified in transit), replay protection (prevention from resending a stream of captured packets), and data confidentiality (prevention from interpreting captured packets without the encryption key). By contrast, PPTP provides only per-packet data confidentiality.

• L2TP supports multiprotocol environments because, by design, it can transport any routed protocol, including IP, IPX, and AppleTalk. L2TP also supports any WAN transmission technology, including Frame Relay, ATM, X.25, or SONET. It also supports LAN media such as Ethernet, Fast Ethernet, Token Ring, and FDDI.
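The replay protection that the IPsec bullet above credits to ESP is easy to state but worth seeing as an algorithm. The following Python is an added example, not code from the book or from any IPsec implementation: a sliding anti-replay window of the kind ESP keeps per security association (RFC 4303), fed a constructed list of received sequence numbers. It goes slightly beyond the bullet by showing the general window mechanism rather than one replayed packet. The window size, the sequence numbers and the `replay_verdicts` helper are all assumptions made for the example; a real ESP receiver runs the integrity check between `check` and `update`, so a forged packet can never advance the window.

```python
class AntiReplayWindow:
    """Sliding anti-replay window of the kind ESP keeps per security association:
    every sequence number is accepted at most once, and anything that has fallen
    behind the window is dropped. Numbers are assumed to be 32-bit without ESN."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def check(self, seq):
        """Verdict only; ESP verifies the packet's integrity between check() and update()."""
        if seq == 0:
            return False                     # ESP never transmits sequence number 0
        if seq > self.highest:
            return True                      # new high-water mark, always fresh
        offset = self.highest - seq
        if offset >= self.size:
            return False                     # older than the window: drop
        return not (self.bitmap >> offset) & 1   # already seen inside the window: replay

    def update(self, seq):
        """Record an accepted (and integrity-verified) sequence number."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1              # whole window slid past: only seq is marked
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def replay_verdicts(seqs, size=8):
    """Feed a constructed list of received sequence numbers through one window
    and return an accept/drop verdict per packet."""
    window, verdicts = AntiReplayWindow(size), []
    for seq in seqs:
        ok = window.check(seq)
        if ok:
            window.update(seq)               # only after the integrity check passed
        verdicts.append(ok)
    return verdicts


if __name__ == "__main__":
    # Constructed arrival order: in-order packets, one replay, a jump, a late
    # but fresh packet, and a packet too old for the 8-entry window.
    print(replay_verdicts([1, 2, 3, 2, 10, 5, 1, 5]))
```

With the 8-entry window, packets 1, 2, 3 and 10 are accepted as they arrive, the second copy of 2 is dropped as a replay, 5 is late but still inside the window and fresh, and the final 1 and 5 are dropped because one has fallen behind the window and the other was already seen.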

In many ways, L2TP is the best of both vendors (Cisco and Microsoft); personally, I think Microsoft was the big winner because its tinkering with PPTP left a lot to be desired. The following section examines how L2TP functions.

L2TP Operation

As discussed previously, L2TP enables the support of legacy protocols over the tunnel through the use of GRE. This permits an architecture in which L2TP tunnels connect rather easily over the public Internet or dial-up.


Note

Traditional dialup networking services support only registered IP addresses, thereby limiting the types of applications implemented over VPNs.


Figure 6-2 shows a common architecture used when an L2TP network is implemented. In this figure, note that the equipment shown is what an ISP or carrier would use when implementing a complete L2TP solution with all the aspects and benefits that we have described. It is commonplace for companies to build on a subset of this design, based on current and future requirements.

Figure 6-2 L2TP Network Architectures [image not reproduced]

L2TP uses the Internet and its network connections to make it possible for its endpoints to be in different geographic locations. In Figure 6-2, the user’s PC creates a dial-up connection (Layer 2) to the L2TP Access Concentrator (LAC), which then authenticates the user against the AAA server and forwards the connection, which is encrypted, to the L2TP Network Server (LNS).

L2TP’s greatest security strength is its use of standards-based IPsec, which provides connections with confidentiality, per-packet authentication, and anti-replay protection for control and data packets. In contrast, the Microsoft Point-to-Point Encryption (MPPE) used by PPTP encrypts only data and, unlike IPsec, does not prevent forgery or replay.

The following list describes the actual call sequence that a home user goes through when dialing in to an ISP to create an L2TP connection to the corporate office:

1. The remote user uses the analog telephone system or broadband to initiate a PPP connection from her home to an ISP.

2. The ISP network LAC accepts the connection at its point of presence (POP), and the PPP link is established.

3. After the end user and LNS negotiate LCP, the LAC partially authenticates the end user with CHAP or PAP. The username, domain name, or DNIS is used to determine whether the user is a VPDN client. Because each company and user is unique, this is how ISPs can offer these services. The AAA server connected to the LAC defines each user.

4. If the user is not a VPN client (using L2TP), authentication continues and the client accesses the Internet as a normal user. If the user is a VPN client, her connection names a specific endpoint (the L2TP network server [LNS]) where the user’s VPN terminates. The user’s information is sent to the AAA server, which is connected to the LNS, for further authentication.

5. The tunnel endpoints—the LAC and the LNS—authenticate each other before any data is transmitted from the user into the tunnel.

6. After the VPN tunnel (using L2TP) is created, an L2TP session is created for the end user to the corporate network.

The end result is that the exchange process appears to be between the dial-up client and the remote LNS exclusively, as if no intermediary device (that is, the LAC) is involved. Figure 6-3 offers a visual representation of the L2TP incoming call sequence with its own corresponding sequence numbers. Note that the sequence numbers in Figure 6-3 are not related to the sequence numbers described previously.
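Steps 5 and 6 above (the LAC and the LNS authenticating each other before a session is opened for the user) correspond to the L2TP control-connection setup of RFC 2661, carried in the UDP port 1701 messages described at the start of this section. The following Python is an added example, not code from the book or from any vendor's L2TP stack: it encodes and decodes the L2TPv2 control header and its AVPs, then runs the SCCRQ, SCCRP and SCCCN exchange between a modelled LAC and LNS, with each side checking the other's challenge response before proceeding. The host names `lac.example` and `lns.example`, the tunnel IDs, the shared secret and the helper names are constructed for the example; the challenge response is computed the CHAP-style way RFC 2661 specifies (MD5 over the message type octet, the shared secret and the peer's challenge). In a deployment that follows RFC 3193, this whole exchange already travels inside IPsec ESP, so the tunnel secret proves which peer you are talking to while IPsec, not L2TP, supplies the confidentiality.

```python
import hashlib
import hmac
import os
import struct

# L2TPv2 header bits (RFC 2661 section 3.1). Control messages must set T, L and S.
T_BIT, L_BIT, S_BIT, VERSION = 0x8000, 0x4000, 0x0800, 0x0002
CONTROL_FLAGS = T_BIT | L_BIT | S_BIT | VERSION
M_BIT = 0x8000  # AVP "mandatory" bit: an unrecognised mandatory AVP must abort the tunnel
# AVP attribute types and message types used during control-connection setup.
MSG_TYPE, PROTO_VER, FRAMING, HOST_NAME, ASSIGNED_TID, CHALLENGE, CHAL_RESP = 0, 2, 3, 7, 9, 11, 13
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def u16(n):
    return struct.pack("!H", n)


def build_control(tunnel_id, ns, nr, avps):
    """Encode a control message: 12-byte header, then (attr, value) pairs as mandatory AVPs."""
    body = b"".join(struct.pack("!HHH", M_BIT | (6 + len(v)), 0, attr) + v for attr, v in avps)
    header = struct.pack("!HHHHHH", CONTROL_FLAGS, 12 + len(body), tunnel_id, 0, ns, nr)
    return header + body


def parse_control(pkt):
    """Decode a control message into (header dict, {attr: value}); reject anything malformed."""
    if len(pkt) < 12:
        raise ValueError("truncated L2TP header")
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if (flags & 0x000F) != VERSION or not flags & T_BIT:
        raise ValueError("not an L2TPv2 control message")
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    avps, pos = {}, 12
    while pos < length:
        if length - pos < 6:
            raise ValueError("truncated AVP")
        hdr, vendor, attr = struct.unpack("!HHH", pkt[pos:pos + 6])
        alen = hdr & 0x03FF
        if alen < 6 or pos + alen > length:
            raise ValueError("malformed AVP length")
        if vendor == 0:
            avps[attr] = pkt[pos + 6:pos + alen]
        elif hdr & M_BIT:
            raise ValueError("unknown mandatory vendor-specific AVP")
        pos += alen
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr}, avps


def challenge_response(msg_type, secret, challenge):
    """CHAP-style tunnel authentication: MD5(message type octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def msg_type_of(avps):
    return struct.unpack("!H", avps[MSG_TYPE])[0]


def establish_tunnel(lac_secret, lns_secret):
    """Run SCCRQ -> SCCRP -> SCCCN between a LAC and an LNS that each hold a tunnel secret.
    Returns (LAC tunnel ID, LNS tunnel ID) or raises if either side fails authentication."""
    lac_tid, lns_tid = 0x1A2B, 0x3C4D  # constructed tunnel IDs
    lac_chal, lns_chal = os.urandom(16), os.urandom(16)
    common = [(PROTO_VER, b"\x01\x00"), (FRAMING, b"\x00\x00\x00\x03")]

    # 1. LAC -> LNS: SCCRQ. Header tunnel ID is 0 because the LNS has not assigned one yet.
    sccrq = build_control(0, 0, 0, [(MSG_TYPE, u16(SCCRQ))] + common + [
        (HOST_NAME, b"lac.example"), (ASSIGNED_TID, u16(lac_tid)), (CHALLENGE, lac_chal)])

    # 2. LNS receives SCCRQ and answers SCCRP: responds to the LAC's challenge, issues its own.
    hdr, avps = parse_control(sccrq)
    if hdr["tunnel_id"] != 0 or msg_type_of(avps) != SCCRQ:
        raise ValueError("expected SCCRQ")
    lac_tid_seen = struct.unpack("!H", avps[ASSIGNED_TID])[0]
    sccrp = build_control(lac_tid_seen, 0, 1, [(MSG_TYPE, u16(SCCRP))] + common + [
        (HOST_NAME, b"lns.example"), (ASSIGNED_TID, u16(lns_tid)), (CHALLENGE, lns_chal),
        (CHAL_RESP, challenge_response(SCCRP, lns_secret, avps[CHALLENGE]))])

    # 3. LAC receives SCCRP: verify the LNS before sending SCCCN with the LAC's own response.
    hdr, avps = parse_control(sccrp)
    if hdr["tunnel_id"] != lac_tid or msg_type_of(avps) != SCCRP:
        raise ValueError("SCCRP not addressed to this tunnel")
    if not hmac.compare_digest(avps[CHAL_RESP], challenge_response(SCCRP, lac_secret, lac_chal)):
        raise PermissionError("LNS failed tunnel authentication")
    lns_tid_seen = struct.unpack("!H", avps[ASSIGNED_TID])[0]
    scccn = build_control(lns_tid_seen, 1, 1, [(MSG_TYPE, u16(SCCCN)),
        (CHAL_RESP, challenge_response(SCCCN, lac_secret, avps[CHALLENGE]))])

    # 4. LNS receives SCCCN: verify the LAC. Only now may sessions (ICRQ/ICRP/ICCN) be opened.
    hdr, avps = parse_control(scccn)
    if hdr["tunnel_id"] != lns_tid or msg_type_of(avps) != SCCCN or not hmac.compare_digest(
            avps[CHAL_RESP], challenge_response(SCCCN, lns_secret, lns_chal)):
        raise PermissionError("LAC failed tunnel authentication")
    return lac_tid, lns_tid


if __name__ == "__main__":
    print("control connection up, tunnel IDs:", establish_tunnel(b"shared-secret", b"shared-secret"))
```

Calling `establish_tunnel` with two different secrets raises `PermissionError` at step 3, before any session is opened, which is the behaviour step 5 of the call sequence relies on. `parse_control` also refuses data messages (T bit clear), bad version nibbles, and AVPs whose length runs past the packet, the checks a receiver needs before trusting anything in a control message.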

Figure 6-3 L2TP Creation Steps [image not reproduced]

The following section examines one of my favorite protocols and tools for IT professionals today: Secure Shell (SSH). It is also a robust security protocol; no good book could be written without mentioning it, so I have to include it!
