Softwires Hub & Spoke with L2TP

Maria Alice Dos Santos, Cisco Bill Storer, Cisco Satisfying Softwires Requirements with L2TP • There are 2 versions of L2TP: – L2TPv2 (RFC 2661) – L2TPv3 (RFC 3931)

• Both versions can satisfy the Softwires requirements with some changes – For L2TPv2 the changes are very small – For L2TPv3 the changes are larger but provide extra function L2TP and NAT

• L2TP supports UDP encapsulation – For L2TPv2, UDP encapsulation is mandatory – For L2TPv3 UDP encapsulation is optional

• UDP encapsulation allows simple traversal of NAT L2TP and Security

• L2TP supports tunnel authentication – Can authenticate the host initiating the tunnel

• L2TP supports PPP encapsulation – Can authenticate the PPP user within the tunnel

• L2TPv3 offers data channel security against malicious data insertion by requiring transmission and validation of a variable length cookie by the peers L2TP and Management

• L2TP provides a tunnel keep alive mechanism

• L2TPv2 has accounting and MIB support – RADIUS Accounting extension for tunnel (RFC 2867) – L2TPv2 MIB RFC 3371

• L2TPv3 has VCCV support – Provides diagnostic and fault detection capabilities at the session level – draft-ietf-pwe3-vccv-07 L2TP and Multicast

• PIM or IGMP messages pass through the L2TP tunnel transparently • At the Hub router, each spoke appears as a PPP connection • Multicast environment here is identical to that of an edge router terminating large numbers of PPP connections L2TP and IPsec

• RFC 3193 - Securing L2TP using IPsec

• RFC 3948 - UDP Encapsulation of IPsec ESP Packets

• ESP must be supported

• Transport mode must be supported

A typical L2TP/IPsec frame is as follows:

IP | ESP header | UDP | L2TP | PPP | ESP trailer | Auth trailer L2TP and Scalability

• L2TPv2 is widely used to provide large scale IPv4 services today. – Case in point being NTT

• Routers currently support high volume L2TPv2 – Tens of thousands of concurrent L2TPv2 sessions – Call setup rates in the hundreds per second

• L2TPv3 can be more efficient than l2tpv2 L2TP as Softwire Standard

• L2TPv2 meets IPv6 over IPv4 softwires requirements today

• L2TPv2 is currently used in multiple IPv6 over IPv4 solutions

• L2TPv2 RFC2661 is 99% ready for the IPv4 over IPv6 solution

• L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions

• L2TPv3 is not far from meeting all softwires requirements

• L2TPv3 RFC3991 automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3 L2TPv2 as the Immediate Solution

• L2TPv2 is currently used in several IPv6 over IPv4 deployments

• Implementations of key components are readily available: – LNSes supporting L2TPv2 acting as tunnel terminator, supporting IPv6 over PPP (IPv6CP) and DHCPv6 server capabilities or proxy – Standalone DHCPv6 server – RADIUS support for IPv6 prefix delegation attributes – CPEs or home routers supporting L2TPv2, IPv6 over PPP (IPv6CP) and DHCPv6 client capabilities – Windows (i.e. Longhorn) supporting IPv6 over PPP and L2TPv2 over IPSec are becoming available in the near future

• The support for IPv4 over IPv6 with L2TPv2 requires the addition of IPv6 transport support for L2TPv2 (minor extension to RFC 2661). Besides that, IPv4 over PPP over L2TPv2 over IPv6 will work as in today’s L2TPv2 over IPv4 solutions IPv6 over IPv4 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator

LNS Dual IPv4 AF CPE

IPv6 o PPP

L2TPv2 o UDP o IPv4

IPv6CP: capable of /64 interface ID assignment or uniqueness check

RA /64 prefix DHCPv6 PD /48 prefix /64 prefixes DNS, etc RA DHCPv4/v6 DNS, etc

ISP to Dual AF CPE PD and Dual AF CPE to Hosts Auto-Config Auto-Config IPv6 over IPv4 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator

LNS

IPv4 CPE

Dual AF Router

IPv6 o PPP

L2TPv2 o UDP o IPv4

IPv6CP: capable of /64 interface ID assignment or uniqueness check

RA /64 prefix /48 prefix /64 prefixes DHCPv6 PD DNS, etc RA DHCPv4/v6 DNS, etc

ISP to Dual AF Router PD and Dual AF Router to Hosts Auto-Config Auto-Config IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator

LNS

IPv4 CPE

Dual AF Host

IPv6 o PPP

L2TPv2 o UDP o IPv4

IPv6CP: capable of /64 interface ID assignment or uniqueness check /64 prefix RA DNS, etc DHCPv4/v6

ISP to Dual AF Host Auto-Config IPv4 over IPv6 Softwire with L2TPv2: Case 1 – CPE as Softwire Initiator

LNS Dual IPv6 AF CPE

IPv4 o PPP

L2TPv2 o UDP o IPv6 Private IPv4 IPCP: assigns global IPv4 address and DNS, etc DHCP addresses and DNS, etc.

ISP to Dual AF CPE IP Dual AF CPE to Hosts IP Assignment and Auto-Config Assignment and Auto-Config IPv4 over IPv6 Softwire with L2TPv2: Case 2 – Router behind CPE as Softwire Initiator

LNS

IPv6 CPE

Dual AF Router

IPv4 o PPP

L2TPv2 o UDP o IPv6

Private IPv4 IPCP: assigns global IPv4 address and DNS, etc DHCP addresses and DNS, etc.

ISP to Dual AF Router IP Dual AF Router to Hosts IP Assignment and Auto-Config Assignment and Auto-Config IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host as Softwire Initiator

LNS

IPv6 CPE

Dual AF Host

IPv4 o PPP

L2TPv2 o UDP o IPv6

IPCP: assigns global IPv4 address and DNS, etc

ISP to Dual AF Host IP Assignment and Auto-Config IPv6 o L2TPv2 o IPv4 Today

• NTT – http://www.ntt.com/release_e/news05/0011/1121.ht ml – http://www.networkworld.com/news/2005/122205- ntt-ipv6.html

• Point6 – draft-toutain-softwire-point6box-00

• Cisco – http://www.cisco.com/en/US/products/ps6553/pro ducts_data_sheet09186a008011b68d.html Why move to L2TPv3?

• Cons of L2TPv2 as compared to L2TPv3:

– Weaker Tunnel Authentication mechanism which validates only the header portion of the control messages and covering only SCCRQ, SCCRP and SCCCN message types

– No built-in data channel security. Must be bundled with IPSec to achieve security

– 16-bits session Ids as compared to L2TPv3 32-bits session Ids Why move to L2TPv3? (Cont.) Cons of L2TPv2 as compared to L2TPv3:

–Tunnel/Session Setup latency:

L2TP: SCCRQ, SCCRP, SCCCN, ICRQ, ICRP, ICCN PPP LCP PPP CHAP (per-user authentication is optional) IPCP

Since L2TPv3 offers the option to tunnel IP frames directly without PPP, using L2TPv3 can eliminate PPP overhead Why move to L2TPv3? (Cont.) Cons of L2TPv2 as compared to L2TPv3:

• L2TPv2 Data Encapsulation – PPP over L2TPv2 over UDP – 20 Bytes

IPv4 / IPv6

UDP (8 bytes) – Sequencing disabled – Length field present Flags & Ver Len (opt) Tunnel Id Session Id PPP PId & 0xFF03

Payload

• L2TPv3 allows further encapsulation optimization by offering the option to run over IP (instead of mandating UDP) and to tunnel IP frames without PPP L2TPv3 for the Future

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 PPP

IPv4 or IPv6 Header HDLC Frame UDP + L2TP Version (Optional) Relay

Cookie (Up to 64 Bits, Optional) Ethernet Session ID (32 Bits) ATM (Cell Payload or Packet)

MPLS

IP L2TPv3 as Next Phase Softwires Solution

PPP over L2TPv3

• L2TPv3 can provide the same softwires solution as described with PPP over L2TPv2

• Support for PPP tunneling for L2TPv3 – draft-ietf-l2tpext-l2tp-ppp-03.txt L2TPv3 as Next Phase Softwires Solution IP over L2TPv3 • L2TPv3 also offers a more optimal softwires solution with its capability to directly tunnel IP frames

• IP Pseudowire support: – draft-ietf-l2tpext-pwe3-ip-01 • IP Pseudowire Type has the following advantages – Not necessary to negotiate PPP at session initiation – Not necessary to include PPP encap in data • Authentication is available at the tunnel level – Implies one session per tunnel • New AVPs to provide basic IPCP / IPv6CP Address assignment services are required L2TPv3 (RFC 3931) Advantages: Encap Optimization

PPP over L2TPv3 over UDP IP over L2TPv3 over UDP IP over L2TPv3 over IP (Sequencing disabled) (Sequencing disabled) (Sequencing disabled) Without optional cookie – 18 bytes Without optional cookie – 16 Bytes Without optional cookie – 4 bytes With optional cookie – 26 Bytes With optional cookie – 24 bytes With optional cookie – 12 Bytes

IPv4 / IPv6 IPv4 / IPv6 IPv4 / IPv6

UDP (8 bytes) UDP (8 bytes) Session Id

Flags & Ver Flags & Ver Cookie (opt. to 8 bytes)

Session Id Session Id Payload Cookie (opt. to 8 bytes) Cookie (opt. to 8 bytes)

PPP Pld Payload Payload IPv6 over IPv4 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator

LNS Dual IPv4 AF CPE

IPv6 Payload

L2TPv3 o IPv4

/64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs

RA /64 prefix DHCPv6 PD /48 prefix /64 prefixes DNS, etc RA DHCP DNS, etc

ISP to Dual AF CPE PD and Dual AF CPE to Hosts Auto-Config Auto-Config IPv6 over IPv4 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator

LNS

IPv4 CPE

Dual AF Router

IPv6 Payload

L2TPv3 o UDP o IPv4

/64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs /64 prefix RA /48 prefix /64 prefixes DHCPv6 PD DNS, etc RA DHCP DNS, etc

ISP to Dual AF Router PD and Dual AF Router to Hosts Auto-Config Auto-Config IPv6 over IPv4 Softwire with L2TPv3: Case 3 – Host as Softwire Initiator

LNS

IPv4 CPE

Dual AF Host

IPv6 Payload

L2TPv3 o UDP o IPv4

/64 Interface ID assignment or uniqueness check via new L2TPv3 AVPs /64 prefix RA DNS, etc DHCPv4/v6

ISP to Dual AF Host Auto-Config IPv4 over IPv6 Softwire with L2TPv3: Case 1 – CPE as Softwire Initiator

LNS Dual IPv6 AF CPE

IPv4 Payload

L2TPv3 o IPv6

Private IPv4 IPv4 Address Assignment and DNS DHCP addresses and via new L2TPv3 AVPs DNS, etc.

ISP to Dual AF CPE IP Dual AF CPE to Hosts IP Assignment and Auto-Config Assignment and Auto-Config IPv4 over IPv6 Softwire with L2TPv3: Case 2 – Router behind CPE as Softwire Initiator

LNS

IPv6 CPE

Dual AF Router

IPv4 Payload

L2TPv3 o IPv6

Private IPv4 IPv4 Address Assignment and DNS DHCP addresses and via new L2TPv3 AVPs DNS, etc.

ISP to Dual AF Router IP Dual AF Router to Hosts IP Assignment and Auto-Config Assignment and Auto-Config IPv4 over IPv6 Softwire with L2TPv3: Case 3 – Host as Softwire Initiator

LNS

IPv6 CPE

Dual AF Host

IPv4 Payload

L2TPv3 o IPv6

IPv4 Address Assignment and DNS via new L2TPv3 AVPs

ISP to Dual AF Host IP Assignment and Auto-Config L2TPv3 Enhanced Security

• Enhanced Control Plane Security – Message Digest is calculated with entire control message – Message Digest is calculated for all control message types

• Data Plane Security – Provides an additional layer of defense for data packets, over and above ACLs, with the use of a simple cookie L2TPv3 Security – What is the L2TPv3 “Cookie”?

Session ID (32 Bits) Cookie (up to 64 Bits)

• The L2TPv3 Cookie is a cryptographically random value, present in each L2TPv3 packet • Chosen by the receiver, associated with a Session ID, and signaled to the sender • Cookies in the header must match upon receipt, otherwise the packet is dropped • Provides an additional layer of security at a very important place: before switching packets out of the core and into the customer premises • Casts a strategic balance for the SP: Stronger than ACLs, but less complex than IPSec encryption and key negotiation Summary of L2TPv3 Changes

• Accounting RFC similar to RFC 2867

• MIB RFC similar to RFC 3371

• Definition of AVPs to support basic IPCP and IPv6CP functions L2TP vs IPsec ESP Tunnel

• L2TP has an in band control plane – Inability to transmit data usually results in tunnel setup failure – Failures in data transport are usually result in protocol “keep alive” failures – L2TPv3 VCCV can detect failures at the data switching level

• L2TP infrastructure already exists for large scale data transport L2TP vs GRE

• GRE doesn’t specify a control plane – The control plane must be provided by some other protocol – An “in band” control plane is not possible