Softwires L2TPv2 Hubs & Spokes for Phase I
Maria Alice Dos Santos, Cisco
Jean Francois Tremblay, Hexago
Bill Storer, Cisco
Jordi Palet, Consulintel
Carl Williams, KDDI
and others
65th IETF - Dallas, TX, USA
L2TPv2 vs TSP
• At the Softwires interim meeting in Hong Kong, multiple protocols (ATS6, TSP, L2TPv2) were proposed as the Phase I Hubs & Spokes Softwire solution
• At the interim meeting, a non-technical requirement evaluation of the proposed protocols was conducted:
– The two leading protocols are L2TPv2 and TSP
– L2TPv2 average score is 97 (rounded)
– TSP average score is 86 (rounded)
• A technical comparison between L2TPv2 and TSP has been conducted and discussed on the mailing list
• The WG selected L2TPv2 as the Phase I Hubs & Spokes solution based on the comparison results in the following categories
Standardization Status
L2TPv2 (RFC 2661) has been standardized since 1999:
– RFC 2661 - Layer Two Tunneling Protocol (PS)
– RFC 2867 - RADIUS Accounting Modifications for Tunnel Protocol Support (Inf.)
– RFC 3371 - Layer Two Tunneling Protocol "L2TP" Management Information Base (PS)
– RFC 3193 - Securing L2TP using IPsec (PS)
– RFC 3948 - UDP Encapsulation of IPsec ESP Packets (PS)
– RFC 3145 - L2TP Disconnect Cause Information (PS)
– RFC 3308 - Layer Two Tunneling Protocol Differentiated Services Extension (PS)
TSP has been sent to the RFC Editor as an individual submission:
– draft-vg-ngtrans-tsp-00.txt submitted in 2001
– draft-blanchet-v6ops-tunnelbroker-tsp-03.txt
L2TPv2 implementations:
– Major router vendors: Cisco, Juniper, Redback, Nortel, Laurel (with IPv6 support)
– Linux/POSIX-based OSs (GPL): Sourceforge.net, Roaring Penguin, etc.
– CPE implementations: Linksys; v6 over v4 clients have been implemented by Point6 and NTT (GPL-based)
– Native Microsoft Windows client:
• v4 over v4 client supported on all Windows
• v6 over v4 client supported on Vista / Longhorn (PPPv6, DHCPv6 included, to be released end of 2006)
– Downloadable Windows XP client:
• v6 over v4 client by NTT, Trumpet
• v6 over v4 and v4 over v6 client by SixXs (to be released in 2 months)
– Source code availability:
• GPL: Roaring Penguin, etc.
• Commercial Windows / Linux / Mac implementations: Paravirtual and others
TSP implementations:
– TSP server: Hexago
– TSP CPE client: Draytek, Panasonic, NEC (GPL-based)
– Independent implementations: ENST, University of Southampton, SixXs (Windows and Unix)
Interoperability
L2TPv2 protocol has been proven by numerous independent / interoperable implementations.
One TSP server implementation exists, while the TSP client has been implemented by multiple entities.
Scalability
L2TPv2 scalability has been proven in large-scale commercial VPN deployments:
– L2TPv2 is proven to be scalable to millions of subscribers in multiple IPv4 over IPv4 VPN deployments
– Upper tens of thousands of concurrent L2TPv2 sessions on a single node (or "LNS")
– Call setup rates in the hundreds per second
TSP scalability has yet to be demonstrated in multiple-server commercial settings:
– Freenet6 has 10,000 tunnels now on a single server
– 50,000 tunnels have been tested on one broker
Deployment Experience
L2TPv2 deployment experience:
– L2TPv2 is widely used in large-scale IPv4 over IPv4 VPN commercial deployments, with AAA, accounting and MIB well integrated in the solutions
• Cases in point being NTT, BT, AOL (millions of tunnels each)
– L2TPv2 is used in IPv6 over IPv4 deployments:
• Point6
• NTT commercial IPv6 tunnel service
TSP deployment experience:
– Freenet6 TSP commercial IPv6 over IPv4 deployment since 2003 (10K tunnels)
– KDDI TSP trial IPv4 over IPv6 deployment (1000 tunnels)
– AT&T and Wanadoo trials, no numbers
– NTT and DoD have on-going trials
OAM
L2TPv2:
• Standardized accounting and MIB:
– RFC 2867 "RADIUS Accounting extension for tunnel" (Inf.)
– RFC 3371 "L2TP MIB" (PS)
– RFC 3145 "L2TP Disconnect Cause Information" (PS)
• L2TPv2 uses in-band signaling (control plane in sync with data connectivity status)
• L2TPv2 control plane stays for the life of the tunnel (tunnel maintenance supported after the setup phase)
• L2TPv2 high availability: draft-ietf-l2tpext-failover-06.txt - "Fail Over extensions for L2TP 'failover'"
TSP:
• TSP has no standardized accounting or MIB
• TSP uses in-band signaling also
• TSP control plane is ephemeral; it goes away after the tunnel setup phase (i.e. the TSP server has to tear down / re-establish the tunnel if the keepalive interval needs adjustment)
Authentication/Security
L2TPv2:
• Standardized full tunnel protection with IPsec (L2TPv2 over IPsec)
– RFC 3193 "Securing L2TP using IPsec"
– RFC 3948 "UDP Encapsulation of IPsec ESP Packets"
• L2TPv2 supports a built-in mutual tunnel authentication
• L2TPv2 inherits PPP per-user authentication
• Data encapsulated in session header with tunnel / session IDs (provides better security than IP-in-IP protocol 41 encapsulation)
TSP:
• No security or encryption draft or standard specified for TSP
• TSP supports mutual authentication
• TSP uses IP-in-IP (protocol 41) encapsulation, "easy to spoof" (RPF check is to be used)
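As an added example (not code from the slides or from any vendor listed on them), the encapsulation the security slide credits: a PPP frame carried in an L2TPv2 data message (RFC 2661 header) and the LNS-side decapsulation that drops packets whose tunnel/session IDs are not in its table. Python standard library only; the session table and peer names are constructed.

```python
import struct

PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057   # PPP protocol numbers (RFC 1661 assignments)
L2TP_VERSION = 2                       # RFC 2661 header: T L x x S x O P x x x x Ver
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200


def build_data_message(tunnel_id, session_id, ppp_protocol, payload):
    """Encapsulate one PPP frame (protocol field + payload, no HDLC address/control
    bytes, i.e. ACFC assumed negotiated) in an L2TPv2 data message with the L bit set."""
    ppp = struct.pack("!H", ppp_protocol) + payload
    header = struct.pack("!HHHH", L2TP_VERSION | FLAG_L, 8 + len(ppp), tunnel_id, session_id)
    return header + ppp


def parse_data_message(pkt, sessions):
    """Decapsulate an L2TPv2 data message at the LNS and demultiplex by PPP protocol.
    `sessions` (constructed) maps (tunnel_id, session_id) -> peer name; a packet whose
    IDs are not in the table is rejected, the check the slides credit over bare protocol 41."""
    if len(pkt) < 6:
        raise ValueError("truncated L2TPv2 header")
    flags = struct.unpack("!H", pkt[:2])[0]
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & FLAG_T:
        raise ValueError("control message, not a data message")
    off = 2
    if flags & FLAG_L:                      # Length covers the whole message; trust it
        length = struct.unpack("!H", pkt[2:4])[0]
        if length > len(pkt) or length < 8:
            raise ValueError("bad Length field")
        pkt, off = pkt[:length], 4          # drop any trailing padding
    tunnel_id, session_id = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if flags & FLAG_S:
        off += 4                            # skip Ns, Nr
    if flags & FLAG_O:                      # Offset Size field plus the padding it counts
        if len(pkt) < off + 2:
            raise ValueError("truncated Offset Size field")
        off += 2 + struct.unpack("!H", pkt[off:off + 2])[0]
    if (tunnel_id, session_id) not in sessions:
        raise ValueError(f"unknown tunnel/session {tunnel_id}/{session_id}")
    if len(pkt) < off + 2:
        raise ValueError("PPP protocol field missing")
    proto = struct.unpack("!H", pkt[off:off + 2])[0]
    family = {PPP_IPV4: "IPv4", PPP_IPV6: "IPv6"}.get(proto, "other")
    return {"peer": sessions[(tunnel_id, session_id)], "family": family, "payload": pkt[off + 2:]}


if __name__ == "__main__":   # constructed sample: a 40-byte IPv6 header stub from peer cpe-1
    msg = build_data_message(7, 3, PPP_IPV6, bytes.fromhex("60000000") + bytes(36))
    print(parse_data_message(msg, {(7, 3): "cpe-1"}))
```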
L2TPv2 Phase I Hubs & Spokes Softwire Solution
• L2TPv2 Hubs & Spokes Softwire framework draft
– to be delivered (LC) in July 2006
• Document / recommend / define L2TPv2 Hubs & Spokes Softwire solution implementation specifics
• Examples of topics to be covered by the framework draft (credits to Jean Francois Tremblay, Jordi Palet, Ole Troan for the initial list of topics):
– How L2TPv2 satisfies H&S Softwire requirements
– Deployment scenarios with L2TPv2 and other components involved in the H&S solution
– Standardization status of L2TPv2 and other components involved in the H&S solution
– Provisioning models (addresses, Prefix Delegation, DNS, etc.)
– L2TPv2 tunnel setup / maintenance specifics in the H&S solution
– AAA integration / infrastructure and statistics
– Security analysis for L2TPv2 H&S
– Implementation status
– others?
IPv6 over IPv4 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator
[Diagram: Dual AF Host CPE (LAC) to LNS across the IPv4 network; encapsulation IPv6 over PPP, L2TPv2 over UDP over IPv4. ISP to Dual AF Host CPE auto-config: /64 prefix, DNS, etc. via RA and DHCPv4/v6; IPv6CP capable of /64 interface ID assignment or uniqueness check]
IPv6 over IPv4 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator
[Diagram: Dual AF CPE (LAC) to LNS across the IPv4 network; encapsulation IPv6 over PPP, L2TPv2 over UDP over IPv4. ISP to Dual AF CPE PD and auto-config: /64 prefix, /48 prefix, DNS, etc. via RA and DHCPv6 PD; IPv6CP capable of /64 interface ID assignment or uniqueness check. Dual AF CPE to hosts auto-config: /64 prefixes, DNS, etc. via RA and DHCPv4/v6]
IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator
[Diagram: Dual AF Host (LAC) behind the CPE to LNS across the IPv4 network; encapsulation IPv6 over PPP, L2TPv2 over UDP over IPv4. ISP to Dual AF Host auto-config: /64 prefix, DNS, etc. via RA and DHCPv4/v6; IPv6CP capable of /64 interface ID assignment or uniqueness check]
IPv6 over IPv4 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator
[Diagram: Dual AF Router (LAC) behind the CPE to LNS across the IPv4 network; encapsulation IPv6 over PPP, L2TPv2 over UDP over IPv4. ISP to Dual AF Router PD and auto-config: /64 prefix, /48 prefix, DNS, etc. via RA and DHCPv6 PD; IPv6CP capable of /64 interface ID assignment or uniqueness check. Dual AF Router to hosts auto-config: /64 prefixes, DNS, etc. via RA and DHCPv4/v6]
IPv4 over IPv6 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator
[Diagram: Dual AF Host CPE (LAC) to LNS across the IPv6 network; encapsulation IPv4 over PPP, L2TPv2 over UDP over IPv6. ISP to Dual AF Host IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc.]
IPv4 over IPv6 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator
[Diagram: Dual AF CPE (LAC) to LNS across the IPv6 network; encapsulation IPv4 over PPP, L2TPv2 over UDP over IPv6. ISP to Dual AF CPE IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc. Dual AF CPE to hosts IP assignment and auto-config: private IPv4 addresses and DNS, etc. via DHCP]
IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator
[Diagram: Dual AF Host (LAC) behind the CPE to LNS across the IPv6 network; encapsulation IPv4 over PPP, L2TPv2 over UDP over IPv6. ISP to Dual AF Host IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc.]
IPv4 over IPv6 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator
[Diagram: Dual AF Router (LAC) behind the CPE to LNS across the IPv6 network; encapsulation IPv4 over PPP, L2TPv2 over UDP over IPv6. ISP to Dual AF Router IP assignment and auto-config: IPCP assigns global IPv4 address and DNS, etc. Dual AF Router to hosts IP assignment and auto-config: private IPv4 addresses and DNS, etc. via DHCP]
IPv6 over L2TPv2 over IPv4 Today
• NTT
– http://www.ntt.com/release_e/news05/0011/1121.html
– http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
• Point6
– draft-toutain-softwire-point6box-00
• Cisco
– http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html
L2TPv3 proposed as Phase II Hubs & Spokes Softwire Standard
• L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
• L2TPv3 RFC3991 automatic fallback to L2TPv2 allows seamless transition from L2TPv2 to L2TPv3 (Backward compatibility is key requirement for Phase II)
• L2TPv3 isn’t as widely implemented as L2TPv2
L2TPv3 for the Future
[Diagram: L2TPv3 data packet layout, in 32-bit words]
– IPv4 or IPv6 Header
– UDP + L2TP Version (Optional)
– Session ID (32 bits)
– Cookie (up to 64 bits, optional)
– Payload: PPP, Frame Relay, Ethernet, ATM (cell or packet), MPLS, HDLC, IP
Why move to L2TPv3?
• Improvements with L2TPv3:
– Stronger tunnel authentication mechanism covering all control messages rather than just portions at tunnel setup
– Built-in lightweight data plane security. Still works with IPsec transport mode, but the built-in cryptographically random cookie gives extra protection against blind insertion attacks
– More efficient header encapsulation
• 32-bit flat session ID, more efficient lookup in the forwarding plane
• Runs over either IP or UDP
– L2TPv3 can tunnel IP directly without PPP
• Reduces tunnel/session setup time
• Reduces data encapsulation size
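Added example, not from the slides or any L2TPv3 implementation: the L2TPv3-over-IP session header (32-bit Session ID followed by the cookie) and a receiver that accepts a data packet only when the cookie matches the one it issued for that session, which is the protection against blind insertion the slide refers to. The receiver class, its drop counters and the 8-byte cookie length are assumptions; Python standard library only.

```python
import hmac
import secrets
import struct

COOKIE_LEN = 8   # the slides' "up to 64 bits"; L2TPv3 also allows 0 or 4 bytes (assumption: 8)


class L2tpv3Session:
    """One session at the receiving end: the local Session ID the peer must use and
    the cookie value it must copy into every data packet for that session."""

    def __init__(self, session_id, cookie=None):
        self.session_id = session_id
        # Cryptographically random cookie: an off-path sender has to guess all 64 bits
        self.cookie = cookie if cookie is not None else secrets.token_bytes(COOKIE_LEN)


def encapsulate(session, payload):
    """L2TPv3-over-IP data packet: Session ID (32 bits), cookie, then the payload.
    (Over UDP a 32-bit flags/version word precedes the Session ID; not modelled here.)"""
    return struct.pack("!I", session.session_id) + session.cookie + payload


class L2tpv3Receiver:
    def __init__(self):
        self.sessions = {}
        self.dropped = {"short": 0, "unknown_session": 0, "bad_cookie": 0}

    def add(self, session):
        self.sessions[session.session_id] = session

    def decapsulate(self, pkt):
        """Return the inner payload, or None (and count why) when the packet is rejected."""
        if len(pkt) < 4 + COOKIE_LEN:
            self.dropped["short"] += 1
            return None
        session_id = struct.unpack("!I", pkt[:4])[0]
        session = self.sessions.get(session_id)   # flat 32-bit lookup, as the slide notes
        if session is None or session_id == 0:    # ID 0 is reserved for control messages
            self.dropped["unknown_session"] += 1
            return None
        # Constant-time compare so a wrong guess leaks nothing about the right cookie
        if not hmac.compare_digest(pkt[4:4 + COOKIE_LEN], session.cookie):
            self.dropped["bad_cookie"] += 1
            return None
        return pkt[4 + COOKIE_LEN:]
```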
Phase II Hubs & Spokes Softwires with L2TPv3
• L2TPv3 Hubs & Spokes Softwire framework draft
– Investigation starts in March (in the background of Phase I work)
– Progress will be presented at the post-July 2006 interim meeting
– Framework draft to be delivered (LC) in November 2006
• Document / recommend / define L2TPv3 Hubs & Spokes Softwire solution implementation specifics
– PPP over L2TPv3
– IP over L2TPv3
• Additional potential items for Phase II:
– DHCP integration (as an AAA mechanism in addition to RADIUS)
– Softwire Concentrator auto discovery
– IP over L2TPv3 solution:
• Investigate solution without PPP
– NAT discovery
– Mobility and nomadicity
To be continued...