Layer 2 Tunneling Protocol
The Layer 2 Tunneling Protocol (L2TP) tunnels PPP over a UDP connection. The L2TP connections offer assured, flow-controlled sessions between peer VPN routers. A single tunnel supports two connections—a control connection and a data connection. The control connection performs bandwidth management and session management. The control session also authorizes and verifies the identity of the data session user.
Once the control session is established and verified, user data can pass over the tunnel. The payload packet overhead contains sequence numbers and identifiers used for flow control and multilink operation.
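The header layout that carries those sequence numbers and identifiers is fixed by RFC 2661: a 16-bit flags word (T distinguishes control from data, L and S say whether the Length and Ns/Nr fields are present), then Tunnel ID and Session ID, then the optional fields, then either the control AVPs or the tunneled PPP frame. The parser below is an added example, not code from the original text; it reads the header and the AVP list of a control message, applies the flag rules the RFC imposes on control messages, and rejects truncated datagrams instead of reading past them. The SCCRQ datagram it builds is constructed by hand, and the host name "lac.example" is made up.

```python
"""L2TPv2 header and AVP parser (RFC 2661, sections 3.1 and 4.1).

Added example; not code from the original text. The SCCRQ datagram at the
bottom is constructed by hand and the host name "lac.example" is made up.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Message Type AVP values used here (RFC 2661, section 6)
SCCRQ, SCCRP, SCCCN = 1, 2, 3
# Attribute types used here (RFC 2661, section 4.4)
ATTR_MESSAGE_TYPE, ATTR_PROTOCOL_VERSION = 0, 2
ATTR_HOST_NAME, ATTR_ASSIGNED_TUNNEL_ID = 7, 9


@dataclass
class L2TPHeader:
    is_control: bool        # T bit: control message (1) or data message (0)
    length: Optional[int]   # Length field, present only when the L bit is set
    tunnel_id: int
    session_id: int
    ns: Optional[int]       # sequence numbers, present only when the S bit is set
    nr: Optional[int]
    priority: bool          # P bit, meaningful for data messages only
    payload: bytes          # control AVPs, or the tunneled PPP frame


@dataclass
class AVP:
    mandatory: bool         # M bit: tear the tunnel down if the AVP is unknown
    hidden: bool            # H bit: value hidden with the tunnel secret
    vendor_id: int
    attr_type: int
    value: bytes


def parse_l2tp(pkt: bytes) -> L2TPHeader:
    """Walk the variable-length header, checking every optional field fits."""
    pos = 0

    def take(fmt: str):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(pkt):
            raise ValueError("truncated L2TP header")
        vals = struct.unpack_from(fmt, pkt, pos)
        pos += size
        return vals

    (flags,) = take("!H")
    t, l_bit = bool(flags & 0x8000), bool(flags & 0x4000)
    s, o, p = bool(flags & 0x0800), bool(flags & 0x0200), bool(flags & 0x0100)
    if flags & 0x000F != 2:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    # RFC 2661: control messages MUST set L and S and MUST NOT set O.
    if t and not (l_bit and s and not o):
        raise ValueError("control message with illegal flag combination")
    length = None
    if l_bit:
        (length,) = take("!H")
        if length > len(pkt):
            raise ValueError("Length field exceeds datagram size")
    tunnel_id, session_id = take("!HH")
    ns = nr = None
    if s:
        ns, nr = take("!HH")
    if o:
        (offset,) = take("!H")   # Offset Size, followed by that many pad octets
        if pos + offset > len(pkt):
            raise ValueError("offset pad exceeds datagram size")
        pos += offset
    end = length if length is not None else len(pkt)
    return L2TPHeader(t, length, tunnel_id, session_id, ns, nr, p, pkt[pos:end])


def parse_avps(payload: bytes) -> list:
    """Split a control-message payload into AVPs; length is the low 10 bits."""
    avps, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 6:
            raise ValueError("truncated AVP header")
        hdr, vendor, attr = struct.unpack_from("!HHH", payload, pos)
        avp_len = hdr & 0x03FF
        if avp_len < 6 or pos + avp_len > len(payload):
            raise ValueError("bad AVP length")
        avps.append(AVP(bool(hdr & 0x8000), bool(hdr & 0x4000), vendor, attr,
                        payload[pos + 6:pos + avp_len]))
        pos += avp_len
    return avps


def message_type(avps) -> int:
    """The Message Type AVP must be the first AVP of every control message."""
    if not avps or avps[0].attr_type != ATTR_MESSAGE_TYPE or len(avps[0].value) != 2:
        raise ValueError("control message does not start with Message Type AVP")
    return struct.unpack("!H", avps[0].value)[0]


def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    flags_len = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", flags_len, 0, attr_type) + value


def build_control(tunnel_id: int, session_id: int, ns: int, nr: int, avps: bytes) -> bytes:
    """Control header: T, L, S set, version 2; Length covers header plus AVPs."""
    return struct.pack("!HHHHHH", 0x8000 | 0x4000 | 0x0800 | 2, 12 + len(avps),
                       tunnel_id, session_id, ns, nr) + avps


# Constructed SCCRQ: no tunnel assigned yet (Tunnel ID 0), first message (Ns 0).
SAMPLE_SCCRQ = build_control(
    0, 0, 0, 0,
    build_avp(ATTR_MESSAGE_TYPE, struct.pack("!H", SCCRQ))
    + build_avp(ATTR_PROTOCOL_VERSION, b"\x01\x00")
    + build_avp(ATTR_HOST_NAME, b"lac.example")
    + build_avp(ATTR_ASSIGNED_TUNNEL_ID, struct.pack("!H", 0x1234)))

if __name__ == "__main__":
    hdr = parse_l2tp(SAMPLE_SCCRQ)
    print(hdr, message_type(parse_avps(hdr.payload)))
```

A data message carries only the 16-bit flags word, Tunnel ID and Session ID when L and S are clear, so the same parser handles the six-byte minimum header in front of a PPP frame; the rejection of a control message without the S bit is what lets a receiver drop a malformed datagram before it touches the sequence state of the tunnel.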
Like the source protocols, L2TP supports the features below.
- Authentication: L2TP authenticates at the VPN access point and the corporate access point. VPN authentication relies upon user names, passwords, calling line ID, and/or a dialed number information string. The PPP authentication protocols—CHAP, PAP, and EAP—provide corporate access authentication.
- Addressing: Because L2TP acts at the Data Link Layer, addressing is transparent to the tunnel. Nonregistered and non-IP addressing is possible.
- Authorization: L2TP provides a transparent tunnel between the user device and the corporate network. The user’s identification is verified and the user receives all authorizations as if they were directly connected to the network.
- Accounting: L2TP provides accounting data on packets, octets, connect times, as well as connection attempts.
Protocols competing to accomplish the same task confuse end-users and intimidate vendors trying to decide what functionality to put into their products. A lack of standards in any technology generally limits the overall acceptance of the technology. A clear, well-defined standard, on the other hand, aids both end-users and vendors alike.
The early attempts at Layer 2 tunneling over IP fell into this conundrum. The Layer 2 Forwarding (L2F) protocol, developed by Cisco, and the Point-to-Point Tunneling Protocol (PPTP), developed by Microsoft, were competing for market share and vendor implementations. Nobody doubted the need for a Layer 2 tunneling protocol, but the competition between these two standards was hurting the market and thus, hurting the bottom line of both these companies.
To resolve this issue, Cisco and Microsoft pooled their development efforts to create the Layer 2 Tunneling Protocol (L2TP, Standard Track RFC 2661). This protocol was bound to be successful—if for no other reason than the marketing weight these two industry leaders could put behind it. The ink was not dry on RFC 2661 before vendors incorporated significant support for L2TP in their products.
Defined simply, L2TP is responsible for creating a virtual Point-to-Point Protocol (PPP) tunnel. Where normally a Layer 2 PPP tunnel is terminated at a Layer 3 router, L2TP allows a virtual PPP tunnel to be extended over an IP backbone. Since L2TP was designed to combine the best of its predecessors, it includes the characteristics listed below.
- Remote hosts appear directly attached to the corporate network.
- Protocols other than IP (e.g., IPX), and non-routable protocols (e.g., SNA) can be tunneled over an IP backbone.
- By working as a PPP extender, L2TP can take advantage of PPP's authentication schemes (e.g., PAP and CHAP).
- L2TP can use PPP’s Network Control Protocol (NCP) to dynamically negotiate IP address assignment to the remote client.
- By allowing a single control channel to control a tunnel that multiplexes multiple user sessions, L2TP is more scalable than PPTP or L2F.
- L2TP has more flexibility than PPTP or L2F by the inclusion of two tunnel modes—compulsory and voluntary.
Compulsory and Voluntary L2TP Tunneling
L2TP supports two types of tunnel schemes—compulsory and voluntary. These two schemes differ only in where the logical PPP endpoints exist.
Compulsory L2TP Tunneling
The visual depicts compulsory tunneling, where the L2TP tunnel is created between the L2TP access controller (LAC) and the L2TP network server (LNS). The remote client has no knowledge of a tunnel being created. Compulsory tunneling is advantageous to corporations looking to minimize the configuration work of hundreds or thousands of remote PCs, since none of the PCs needs L2TP client software installed on them. Also, since remote users are unaware of the existence of a tunnel and yet must use it, access to the corporate network can be tightly controlled by permissions assigned per tunnel and authentication per LAC—and all this configuration can occur at a central location.
Since the remote client creates an actual PPP connection to the LAC and then is tunneled between the LAC and the LNS, there is no need for a globally routable IP address to be assigned to the client. The client IP address is usually taken out of the pool of the corporate IP address space. This conserves global IP addresses, provides operability with some older LAN applications that authenticate based on IP address, and allows the corporate network and firewall security systems complete control over the routing and filtering of the remote users' network and Internet access.
Having the LAC act as the initiator of the tunnel for potentially thousands of client connections also allows a single control channel to manage every session multiplexed into one tunnel. Hence, this solution is more scalable than past attempts.
Compulsory tunneling is also popular with ISPs looking to provide value-added services to their corporate customers. The ISP can sell the LAC (and possibly the LNS), and can configure and maintain them for the corporate customer, thus creating customer loyalty and reducing churn.
Voluntary L2TP Tunneling
One of the factors that contributed to the success of PPTP, despite its limitations, was that any Microsoft operating system could create a Layer 2 tunnel to any Microsoft server accepting PPTP connections, regardless of the intermediate network.
L2TP, as a successor to PPTP, incorporates this same functionality. With L2TP, this client-to-LNS tunneling is called voluntary tunneling. As is the case with PPTP, voluntary tunneling is popular with companies needing a Layer 2 VPN “on the fly,” as it can be set up very quickly, without needing to coordinate with a third party like an ISP.
Despite its advantages in speed to deployment and flexibility, voluntary tunneling suffers some technical disadvantages compared to compulsory tunneling.
- Addressing: Since the remote client creates a regular PPP connection to an ISP that is unaware of any tunneling, globally routable IP addresses must be assigned to the client.
- Scalability: Each client, since it initiates its own tunnel, is responsible for creating a control channel to manage that tunnel, which results in a separate control channel, tunnel, and session for every remote client using voluntary tunneling. This additional traffic and processing overhead limits the scalability of this solution.
Other issues with voluntary tunneling are less technical and more social. With voluntary tunneling the corporate LNS loses the ability to control network use of the remote client. While it can still allow or deny access to corporate resources, it can no longer do this filtering by assuming that the remote client is part of the same IP network as the rest of the LAN.
Furthermore, the client, with its globally routable IP address, can function on the Internet independently of the corporate firewall and, therefore, independently of the corporate security policies.
Some ISPs are also not enthusiastic about this tunneling option—even though it is the most widely deployed tunneling version of L2TP—as they feel it deprives them of potential extra sales to corporate customers in the VPN market. Some ISPs filter this traffic and require remote clients to pay a business premium for this traffic.
L2TP and Security
L2TP primarily provides vendors and end-users a VPN solution. In terms of security features, however, L2TP only uses a simple encryption algorithm for hiding control channel data (e.g., password and configuration values) and a simple shared-key method of authenticating LAC and LNS peers. L2TP does not make any provision for the authentication, integrity, or privacy of the data it tunnels. L2TP is only designed to extend a PPP tunnel.
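The two mechanisms the paragraph refers to are both specified in RFC 2661: tunnel authentication (section 5.1.1) is a CHAP-style exchange in which each peer answers a challenge with MD5 over the message type, the shared secret and the challenge, and AVP hiding (section 4.3) masks an attribute value by XORing it with an MD5-derived keystream seeded from the same secret and a Random Vector AVP. The block below is an added example, not code from the original text, and it implements both as the RFC describes them; the secret, challenge and random vector are constructed, and padding the hidden subformat to a 16-octet boundary is this example's choice (the RFC only requires some random padding). The same MD5(ID || secret || challenge) construction is what PPP CHAP (RFC 1994) uses, with the CHAP identifier in place of the message type.

```python
"""Tunnel authentication and AVP hiding as specified in RFC 2661
(sections 5.1.1 and 4.3), the two places where L2TP itself uses the
shared tunnel secret. Added example, not code from the original text;
the secret, challenge and random vector used in the test are constructed."""
import hashlib
import os
import struct
from typing import Optional

SCCRP, SCCCN = 2, 3        # message types that carry a Challenge Response AVP
ATTR_HOST_NAME = 7         # any AVP except Message Type and Random Vector may be hidden
ATTR_RANDOM_VECTOR = 36    # the AVP that carries the random vector for hiding


def tunnel_auth_response(msg_type: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style response (RFC 1994) with the L2TP message type as the CHAP ID.
    Only a peer holding the same secret can compute it; it proves possession
    of the secret once, at tunnel setup, and protects nothing that follows."""
    return hashlib.md5(bytes([msg_type]) + secret + challenge).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _first_key(attr_type: int, secret: bytes, random_vector: bytes) -> bytes:
    # b1 = MD5(2-octet attribute number || secret || random vector)
    return hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()


def hide_avp_value(attr_type: int, value: bytes, secret: bytes,
                   random_vector: bytes, padding: Optional[bytes] = None) -> bytes:
    """Hidden AVP Subformat = 2-octet original length + value + random padding,
    XORed in 16-octet chunks with an MD5 keystream chained on the ciphertext.
    Padding to a 16-octet boundary is this example's convention (assumption)."""
    sub = struct.pack("!H", len(value)) + value
    pad_len = (-len(sub)) % 16
    sub += (padding if padding is not None else os.urandom(pad_len))[:pad_len]
    if len(sub) % 16:
        raise ValueError("supplied padding is too short")
    out, prev = b"", None
    for i in range(0, len(sub), 16):
        # b(n) = MD5(secret || c(n-1)) for every chunk after the first
        key = _first_key(attr_type, secret, random_vector) if prev is None \
            else hashlib.md5(secret + prev).digest()
        prev = _xor(sub[i:i + 16], key)
        out += prev
    return out


def unhide_avp_value(attr_type: int, hidden: bytes, secret: bytes,
                     random_vector: bytes) -> bytes:
    """Inverse of hide_avp_value: regenerate the keystream from the received
    ciphertext chunks, then trust the recovered length prefix. Nothing here
    detects modification; a wrong secret or a flipped bit just yields garbage."""
    sub, prev = b"", None
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = _first_key(attr_type, secret, random_vector) if prev is None \
            else hashlib.md5(secret + prev).digest()
        sub += _xor(chunk, key)
        prev = chunk
    (orig_len,) = struct.unpack("!H", sub[:2])
    if orig_len > len(sub) - 2:
        raise ValueError("length prefix exceeds hidden payload")
    return sub[2:2 + orig_len]


if __name__ == "__main__":
    secret, rv = b"constructed-tunnel-secret", os.urandom(16)   # constructed values
    hidden = hide_avp_value(ATTR_HOST_NAME, b"lns.example", secret, rv)
    print(hidden.hex(), unhide_avp_value(ATTR_HOST_NAME, hidden, secret, rv))
```

Both functions only ever produce an MD5 digest of the shared secret with public material, which is why the paragraph calls them simple: the response proves secret possession at setup time only, and hiding gives confidentiality to individual AVPs but carries no integrity check, so a receiver cannot tell a modified hidden value from a genuine one unless the length prefix happens to become invalid. Neither mechanism touches the data channel at all, which is the gap the IPSec layering in the next paragraph closes.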
Secure IP (IPSec), however, is a perfect choice for adding security to an L2TP tunnel, since L2TP travels over an IP infrastructure and is itself tunneled in an IP/UDP packet. With IPSec the entire L2TP tunnel can be secured from LAC to LNS in the case of compulsory tunneling, and from the remote client to LNS in the case of voluntary tunneling. The VPN Consortium (VPNC), whose members include Cisco and Microsoft, is a proponent of combining L2TP’s multiprotocol support with the encryption and authentication capabilities of IPSec. With L2TP under the umbrella of IPSec security, the VPNC calls this approach “L2TP under IPSec.”
Some large service providers and operating systems with significant market share (e.g., Windows) are using this combined L2TP/IPSec solution for their VPN offerings. The Layer 2 tunnel provides support for non-IP traffic. PPP permits the use of popular PAP/CHAP for authentication. PPP authentication can also be integrated with Remote Authentication Dial-In User Service (RADIUS) architectures. The NCP portion of PPP allows remote client configuration. Encapsulation of this functionality inside a secure IPSec tunnel then provides authenticity, integrity, and encryption of the tunneled data.