Softwires L2TPv2 Hubs & Spokes for Phase I

Date post: 03-Jan-2016
Softwires L2TPv2 Hubs & Spokes for Phase I. Maria Alice Dos Santos, Cisco; Jean Francois Tremblay, Hexago; Bill Storer, Cisco; Jordi Palet, Consulintel; Carl Williams, KDDI; and others. 65th IETF - Dallas, TX, USA.
Page 1: Softwires L2TPv2 Hubs & Spokes  for Phase I

Softwires L2TPv2 Hubs & Spokes for Phase I

Maria Alice Dos Santos, Cisco

Jean Francois Tremblay, Hexago

Bill Storer, Cisco

Jordi Palet, Consulintel

Carl Williams, KDDI

and others

65th IETF - Dallas, TX, USA

Page 2: Softwires L2TPv2 Hubs & Spokes  for Phase I

L2TPv2 VS TSP

• At Softwires interim meeting in Hong Kong, multiple protocols (ATS6, TSP, L2TPv2) have been proposed as the Phase I Hubs & Spokes Softwire solution

• At interim meeting, non-technical requirement evaluation for the proposed protocols was conducted:

– The two leading protocols are L2TPv2 and TSP
– L2TPv2 average score is 97 (rounded)
– TSP average score is 86 (rounded)

• Technical comparison between L2TPv2 and TSP has been conducted and discussed on mailing list

• WG selected L2TPv2 as the Phase I Hubs & Spokes solution based on the comparison results of the following categories

Page 3: Softwires L2TPv2 Hubs & Spokes  for Phase I

Standardization Status

L2TPv2 (RFC2661) has been standardized since 1999

– RFC 2661 - Layer Two Tunneling Protocol (PS)
– RFC 2867 - RADIUS Accounting Modifications for Tunnel Protocol Support (Inf.)
– RFC 3371 - Layer Two Tunneling Protocol "L2TP" Management Information Base (PS)
– RFC 3193 - Securing L2TP using IPsec (PS)
– RFC 3948 - UDP Encapsulation of IPsec ESP Packet (PS)
– RFC 3145 - L2TP Disconnect Cause Information (PS)
– RFC 3308 - Layer Two Tunneling Protocol Differentiated Services Extension (PS)

TSP has been sent to the RFC editor as individual submission

– draft-vg-ngtrans-tsp-00.txt submitted in 2001

– draft-blanchet-v6ops-tunnelbroker-tsp-03.txt

Page 4: Softwires L2TPv2 Hubs & Spokes  for Phase I

Interoperability

L2TPv2 protocol has been proven by numerous independent / interoperable implementations:

– Major Router Vendors: Cisco, Juniper, Redback, Nortel, Laurel (with IPv6 support)
– Linux/POSIX-based OSs (GPL): Sourceforge.net, Roaring Penguin, etc
– CPE Implementations: Linksys v6 o v4 clients have been implemented by Point6 and NTT (GPL-based)
– Native Microsoft Windows Client:
  • v4 o v4 client supported on all Windows
  • v6 o v4 client supported on Vista / Longhorn (PPPv6, DHCPv6 included, to be released end of 2006)
– Downloadable Windows XP Client:
  • v6 o v4 client by NTT, Trumpet
  • v6 o v4 and v4 o v6 client by SixXs (to be released in 2 months)
– Source Code Availability:
  • GPL: Roaring Penguin, etc
  • Commercial Windows / Linux / Mac implementations: Paravirtual and others

One TSP server implementation exists while TSP client has been implemented by multiple entities:

– TSP Server: Hexago
– TSP CPE Client: Draytek, Panasonic, NEC (GPL-based)
– Independent Implementations: ENST, University of Southampton, SixXs (Windows and Unix)

Page 5: Softwires L2TPv2 Hubs & Spokes  for Phase I

Scalability

L2TPv2 scalability has been proven in large scale commercial VPN deployments:

– L2TPv2 is proven to be scalable to the millions of subscribers in multiple IPv4 o IPv4 VPN deployments

– Upper tens of thousands of concurrent L2TPv2 sessions on a single node (or "LNS")

– Call setup rates in the hundreds per second

TSP scalability has yet to be demonstrated in multiple-server commercial settings:

– Freenet6 has 10,000 tunnels now on single server

– Have tested 50,000 tunnels on one broker

Page 6: Softwires L2TPv2 Hubs & Spokes  for Phase I

Deployment Experience

L2TPv2 Deployment Experience:

– L2TPv2 is widely used in large scale IPv4 o IPv4 VPN commercial deployments, with AAA, Accounting and MIB well integrated in the solutions
  • Cases in point being NTT, BT, AOL (millions of tunnels each)
– L2TPv2 is used in IPv6 o IPv4 deployments:
  • Point6
  • NTT commercial IPv6 tunnel service

TSP deployment Experience:

– Freenet6 TSP commercial IPv6 over IPv4 deployment since 2003 (10K tunnels)

– KDDI TSP trial IPv4 over IPv6 deployment (1000 tunnels)

– AT&T and Wanadoo trials, no numbers.

– NTT and DoD have on-going trials

Page 7: Softwires L2TPv2 Hubs & Spokes  for Phase I

OAM: L2TPv2 vs TSP

L2TPv2:

• Standardized Accounting and MIB:
  – RFC 2867 “RADIUS Accounting extension for tunnel” (Inf.)
  – RFC 3371 “L2TP MIB” (PS)
  – RFC 3145 “L2TP Disconnect Cause Information” (PS)
• L2TPv2 uses in-band signaling (control plane in sync with data connectivity status)
• L2TPv2 control plane stays for the life of tunnel (tunnel maintenance supported after setup phase)
• L2TPv2 High-availability:
  – draft-ietf-l2tpext-failover-06.txt - “Fail Over extensions for L2TP "failover"”

TSP:

• TSP has no standardized Accounting and MIB
• TSP uses in-band signaling also
• TSP control plane is ephemeral; goes away after tunnel setup phase (i.e. TSP server has to tear down / re-establish tunnel if keepalive interval needs adjustment)

Page 8: Softwires L2TPv2 Hubs & Spokes  for Phase I

Authentication/Security: L2TPv2 vs TSP

L2TPv2:

• Standardized Full Tunnel Protection with IPsec (L2TPv2 o IPsec)
  – RFC 3193 “Securing L2TP using IPsec”
  – RFC 3948 “UDP Encapsulation of IPsec ESP Packets”
• L2TPv2 supports a built-in mutual tunnel authentication
• L2TPv2 inherits PPP per-user authentication
• Data encapsulated in session header with tunnel / session IDs (provides better security than IP-in-IP protocol 41 encapsulation)

TSP:

• No security or encryption draft or standard specified for TSP
• TSP supports mutual authentication
• TSP uses IP-in-IP (protocol 41) encapsulation, “easy to spoof” (RPF check is to be used)

Page 9: Softwires L2TPv2 Hubs & Spokes  for Phase I

L2TPv2 Phase I Hubs & Spokes Softwire Solution

• L2TPv2 Hubs & Spokes Softwire framework draft
  – to be delivered (LC) in July 2006
• Document / recommend / define L2TPv2 Hubs & Spokes Softwire solution implementation specifics
• Examples of topics to be covered by framework draft: (credits to Jean Francois Tremblay, Jordi Palet, Ole Troan for initial list of topics)
  – How L2TPv2 satisfies H&S Softwire requirements
  – Deployment scenarios with L2TPv2 and other components involved in the H&S solution
  – Standardization status of L2TPv2 and other components involved in H&S solution
  – Provisioning models (Addresses, Prefix Delegation, DNS, etc)
  – L2TPv2 tunnel setup / maintenance specifics in H&S solution
  – AAA integration / infrastructure and statistics
  – Security analysis for L2TPv2 H&S
  – Implementation Status
  – others?

Page 10: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv6 over IPv4 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator

[Figure. Labels: Dual AF Host CPE, LAC, LNS, IPv4. Encapsulation: IPv6 o PPP over L2TPv2 o UDP o IPv4. ISP to Dual AF Host CPE Auto-Config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); RA (/64 prefix); DHCPv4/v6 (DNS, etc).]

Page 11: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv6 over IPv4 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator

[Figure. Labels: Dual AF CPE, LAC, LNS, IPv4. Encapsulation: IPv6 o PPP over L2TPv2 o UDP o IPv4. ISP to Dual AF CPE PD and Auto-Config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); RA (/64 prefix); DHCPv6 PD (/48 prefix, DNS, etc). Dual AF CPE to Hosts Auto-Config: RA (/64 prefixes); DHCPv4/v6 (DNS, etc).]

Page 12: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator

[Figure. Labels: Dual AF Host, LAC, CPE, LNS, IPv4. Encapsulation: IPv6 o PPP over L2TPv2 o UDP o IPv4. ISP to Dual AF Host Auto-Config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); RA (/64 prefix); DHCPv4/v6 (DNS, etc).]

Page 13: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv6 over IPv4 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator

[Figure. Labels: Dual AF Router, LAC, CPE, LNS, IPv4. Encapsulation: IPv6 o PPP over L2TPv2 o UDP o IPv4. ISP to Dual AF Router PD and Auto-Config: IPv6CP (capable of /64 interface ID assignment or uniqueness check); RA (/64 prefix); DHCPv6 PD (/48 prefix, DNS, etc). Dual AF Router to Hosts Auto-Config: RA (/64 prefixes); DHCPv4/v6 (DNS, etc).]

Page 14: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv4 over IPv6 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator

[Figure. Labels: Dual AF Host CPE, LAC, LNS, IPv6. Encapsulation: IPv4 o PPP over L2TPv2 o UDP o IPv6. ISP to Dual AF Host IP Assignment and Auto-Config: IPCP assigns global IPv4 address and DNS, etc.]

Page 15: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv4 over IPv6 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator

[Figure. Labels: Dual AF CPE, LAC, LNS, IPv6. Encapsulation: IPv4 o PPP over L2TPv2 o UDP o IPv6. ISP to Dual AF CPE IP Assignment and Auto-Config: IPCP assigns global IPv4 address and DNS, etc. Dual AF CPE to Hosts IP Assignment and Auto-Config: DHCP (private IPv4 addresses and DNS, etc.).]

Page 16: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator

[Figure. Labels: Dual AF Host, LAC, CPE, LNS, IPv6. Encapsulation: IPv4 o PPP over L2TPv2 o UDP o IPv6. ISP to Dual AF Host IP Assignment and Auto-Config: IPCP assigns global IPv4 address and DNS, etc.]

Page 17: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv4 over IPv6 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator

[Figure. Labels: Dual AF Router, LAC, CPE, LNS, IPv6. Encapsulation: IPv4 o PPP over L2TPv2 o UDP o IPv6. ISP to Dual AF Router IP Assignment and Auto-Config: IPCP assigns global IPv4 address and DNS, etc. Dual AF Router to Hosts IP Assignment and Auto-Config: DHCP (private IPv4 addresses and DNS, etc.).]

Page 18: Softwires L2TPv2 Hubs & Spokes  for Phase I

IPv6 o L2TPv2 o IPv4 Today

• NTT
  – http://www.ntt.com/release_e/news05/0011/1121.html
  – http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
• Point6
  – draft-toutain-softwire-point6box-00
• Cisco
  – http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html

Page 19: Softwires L2TPv2 Hubs & Spokes  for Phase I

L2TPv3 proposed as Phase II Hubs & Spokes Softwire Standard

• L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions

• L2TPv3 RFC3991 automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3 (Backward compatibility is key requirement for Phase II)

• L2TPv3 isn’t as widely implemented as L2TPv2

Page 20: Softwires L2TPv2 Hubs & Spokes  for Phase I

L2TPv3 for the Future

[Figure: L2TPv3 encapsulation, drawn 32 bits wide. Fields: IPv4 or IPv6 Header; UDP + L2TP Version (Optional); Session ID (32 Bits); Cookie (Up to 64 Bits, Optional); Payload. Payload types: PPP, Frame Relay, Ethernet, ATM (Cell or Packet), MPLS, HDLC, IP.]

Page 21: Softwires L2TPv2 Hubs & Spokes  for Phase I

Why move to L2TPv3?

• Improvements with L2TPv3:
  – Stronger Tunnel Authentication mechanism covering all control messages rather than just portions at tunnel setup
  – Built-in lightweight data plane security. Still works with IPsec transport mode, but the built-in cryptographically random cookie gives extra protection against blind insertion attacks
  – More efficient header encapsulation
    • 32-bit flat session ID, more efficient lookup in forwarding plane
    • Runs over either IP or UDP
  – L2TPv3 can tunnel IP directly without PPP
    • Reduce tunnel/session setup time
    • Reduce data encap size
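
The cookie check that the slide above credits with protection against blind insertion, as an added example (not code from the presentation or from any L2TP implementation): the receiver looks up the 32-bit session ID and drops the packet unless the cookie matches. It assumes L2TPv3 directly over IP, where the session ID and cookie follow the IP header; the struct, enum and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical receive-side session entry; field names are assumptions. */
struct l2tpv3_session {
    uint32_t session_id;  /* 32-bit flat session ID */
    uint8_t  cookie[8];   /* random cookie agreed at session setup */
    size_t   cookie_len;  /* 0, 4 or 8 bytes */
};
enum rx_verdict { RX_ACCEPT, RX_SHORT, RX_NO_SESSION, RX_BAD_COOKIE };

/* Compare without early exit so timing does not reveal matching bytes. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Check an L2TPv3-over-IP data message (the bytes after the IP header). */
enum rx_verdict l2tpv3_rx_check(const struct l2tpv3_session *tbl, size_t n,
        const uint8_t *pkt, size_t len, size_t *payload_off)
{
    if (len < 4)
        return RX_SHORT;
    uint32_t sid = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                   ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].session_id != sid)
            continue;
        if (len - 4 < tbl[i].cookie_len)
            return RX_SHORT;
        if (!ct_equal(pkt + 4, tbl[i].cookie, tbl[i].cookie_len))
            return RX_BAD_COOKIE;  /* drop and count the mismatch */
        *payload_off = 4 + tbl[i].cookie_len;
        return RX_ACCEPT;
    }
    return RX_NO_SESSION;  /* unknown session ID: drop */
}

int main(void)
{
    /* Constructed sample data: one session, one packet with a guessed cookie. */
    const struct l2tpv3_session tbl[] = {{0xbeef, {0xde,0xad,0xbe,0xef,1,2,3,4}, 8}};
    const uint8_t forged[] = {0,0,0xbe,0xef, 0,0,0,0,0,0,0,0, 0x60};
    size_t off = 0;
    printf("verdict=%d\n", l2tpv3_rx_check(tbl, 1, forged, sizeof forged, &off));
    return 0;
}
```

Counting RX_BAD_COOKIE verdicts per session gives the operator a signal that someone is injecting packets with a valid session ID but no knowledge of the cookie.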

Page 22: Softwires L2TPv2 Hubs & Spokes  for Phase I

Phase II Hubs & Spokes Softwires with L2TPv3

• L2TPv3 Hubs & Spokes Softwire framework draft
  – Investigation starts in March (in background of Phase I work)
  – Progress will be presented in post-July 2006 Interim meeting
  – Framework draft to be delivered (LC) in November 2006
• Document / recommend / define L2TPv3 Hubs & Spokes Softwire solution implementation specifics
  – PPP over L2TPv3
  – IP over L2TPv3
• Additional potential items for Phase II:
  – DHCP Integration (as an AAA mechanism in addition to RADIUS)
  – Softwire Concentrator Auto Discovery
  – IP over L2TPv3 solution:
    • Investigate solution without PPP
  – NAT Discovery
  – Mobility and Nomadicity

Page 23: Softwires L2TPv2 Hubs & Spokes  for Phase I

To be continued...

