Layer 2 Forwarding
To compete in the VPN market, Cisco announced the Layer 2 Forwarding (L2F) protocol. Defined in RFC 2341, L2F is a data link (aka frame) tunneling protocol. The L2F payload consists of common data link protocols such as PPP and the SLIP. The L2F tunnel extends between the NAS and a remote home gateway.
Since L2F extends the remote user’s Link Layer to the home gateway (by tunneling through the local NAS and the intervening backbone), the user appears to the home router/gateway as any other directly connected client. You could say that L2F allows the Link Layer to be terminated by the home gateway while extending the home gateway’s remote access hardware to the ISP’s NAS. As with most Layer 2-based VPNs and Transport Layer 2 protocols, such as PPP, this means that the home gateway performs user authentication, authorization, accounting, and address assignment while leveraging the Internet’s ubiquitous support for dial-in access (i.e., users now make local calls via L2F, which provides them access to a distant home gateway).
In L2F, the fact that the home gateway assigns addresses, and not the local NAS, is worth discussing. A normal dial-up Internet user must be assigned a registered IP address from the ISP’s address space. Since assigned addresses vary based on the number dialed, setting up security filters to protect the home network from outside users can be challenging. Yet because L2F requires that the home gateway assign the address, the remote users can be given addresses from within the home network’s address space; this is true even if the home network is using nonregistered or local use only IP addresses. Allowing the home network to assign remote users addresses from within its addressing space can improve security and reduce administrative burdens.
Since the NAS does not process or interpret the tunneled frames’ payload, L2F also allows non-IP protocols (e.g., IPX) to be transported over an IP-based internetwork. The upper-layer protocol independence of L2F means that a VPN user could build an AppleTalk or NetWare-based intranet, which is in turn supported by an IP backbone such as the Internet.
Another benefit of L2F is that the remote users’ machines require no additional software. In fact, the whole L2F environment could be completely transparent to the users. At the home gateway, the only new software required is the L2F protocol; the existing PPP driver, Network Layer protocols, and applications remain unchanged.
For maximum flexibility, the L2F protocol was designed to be independent of any particular transport but it is currently transported by UDP-based encapsulation and IP transport.