
Secure Remote Access with L2TP



Presentation Transcript


  1. Secure Remote Access with L2TP
     <draft-ietf-pppext-secure-ra-00.txt>
     Pyda Srisuresh
     IETF 47 - Pyda Srisuresh

  2. Enterprise Trust Model
     • The Enterprise Intranet is trusted.
     • Direct-Dial (PSTN) PPP/IP access is an extension of the Intranet and is also trusted.
     • Employees (on-site or remote) are trusted.
     • L2TP/PPP/IP over a public Internet cannot be trusted because:
       • The LAC and LNS are not in the same administrative domain.
       • Employee-to-Enterprise IP traffic is prone to security violations by the Internet or by the LAC.

  3. Remote Access Server highlights
     • Provides link-level authentication, authorization and accounting (AAA) services.
     • Static or dynamic IP address assignment to the remote user from an enterprise address pool.
     • Provides host-route connectivity to the remote user and monitors link status.
     • Uses RADIUS to provide the AAA services, so it can scale to a large number of remote users.

  4. LNS as a NAS
     • L2TP control messages allow an LNS to be virtually the same as a NAS that physically terminates PPP sessions.
     • L2TP adds tunneling overhead, reducing the effective throughput and path MTU size.
     • Remote user IP packets (embedded in PPP and transported over a public Internet) fail the enterprise trust model.

  5. SRAS extensions to LNS
     • The LNS and IPsec security gateway functions reside on the same SRAS node.
     • Three new security parameters are configurable on a per-user basis in RADIUS.
     • End-user IP data traffic can be guaranteed to be IPsec-secured (user-to-SRAS) in both directions with no additional administrative setup.
     • IPsec/IKE SA monitoring can be linked to the virtual PPP link staying alive.

  6. Proposed RADIUS parameters
     • IPSEC_MANDATE - Mandate IPsec security on the user-to-SRAS data traffic.
       • None (=0) - Not required.
       • LNS_AS_RAS (=1) - Required when terminating on an LNS (i.e., a virtual NAS).
       • SRAS (=2) - Required on any NAS.
     • SECURITY_PROFILE - An IPsec security profile name containing the following:
       • Access control security filters
       • Security preferences for Security Associations
       • Security key generation source - manual or IKE
       • Backup NAT devices
       • Management utilities enforcing NAT policies

  7. Proposed RADIUS parameters (cont.)
     • IKE_NEGOTIATION_PROFILE - An IKE negotiation profile name containing the following:
       • IKE IDs of the user and the SRAS
       • Preferred authentication approach and its associated parameters, such as a pre-shared key or a pointer to an X.509 digital certificate
       • ISAKMP security negotiation preferences for phase I
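Slides 5 to 7 describe a per-user policy that the SRAS reads from RADIUS and then enforces on the virtual PPP session: the IPSEC_MANDATE value decides whether cleartext from the user is acceptable, and the IKE/IPsec SAs live only as long as the PPP link does. The following is an added example, written for this page and not code from the draft or its author, that models that enforcement loop. The three attribute names are the ones the slides propose; the "Attribute=Value" reply text, the event names, the sample user and the session model are illustrative assumptions.

```python
"""Toy model of the per-user SRAS policy described in slides 5 to 7.
Added example, not code from the draft or its author: the three RADIUS
parameters are the ones the slides propose, while the 'Attribute=Value'
reply text, event names and session model are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class IpsecMandate(IntEnum):
    NONE = 0        # IPsec not required
    LNS_AS_RAS = 1  # required only when the session terminates on an LNS
    SRAS = 2        # required on any NAS


@dataclass
class UserProfile:
    username: str
    ipsec_mandate: IpsecMandate
    security_profile: str
    ike_negotiation_profile: str


def parse_radius_reply(text: str) -> UserProfile:
    """Parse a constructed reply; an unknown IPSEC_MANDATE value raises
    ValueError rather than silently defaulting to NONE."""
    attrs = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        attrs[key.strip()] = value.strip()
    return UserProfile(
        username=attrs["User-Name"],
        ipsec_mandate=IpsecMandate(int(attrs["IPSEC_MANDATE"])),
        security_profile=attrs["SECURITY_PROFILE"],
        ike_negotiation_profile=attrs["IKE_NEGOTIATION_PROFILE"],
    )


def ipsec_required(profile: UserProfile, terminates_on_lns: bool) -> bool:
    """Slide 6 semantics of IPSEC_MANDATE for one PPP session."""
    if profile.ipsec_mandate is IpsecMandate.NONE:
        return False
    if profile.ipsec_mandate is IpsecMandate.LNS_AS_RAS:
        return terminates_on_lns
    return True  # IpsecMandate.SRAS: required on any NAS


@dataclass
class SrasSession:
    """Virtual PPP session on the SRAS with its linked IKE/IPsec SA state."""
    profile: UserProfile
    terminates_on_lns: bool
    ppp_up: bool = False
    sa_up: bool = False
    log: list = field(default_factory=list)

    def _record(self, msg: str) -> str:
        self.log.append(msg)
        return msg

    def ppp_link_up(self) -> str:
        self.ppp_up = True
        return self._record("ppp up")

    def sa_established(self) -> str:
        # IKE/IPsec SAs negotiated per the user's profiles; only over a live link.
        if not self.ppp_up:
            return self._record("sa ignored: no ppp link")
        self.sa_up = True
        return self._record("sa up: " + self.profile.security_profile)

    def user_packet(self, protected: bool) -> str:
        """Decide whether one user packet is forwarded into the intranet."""
        if not self.ppp_up:
            return self._record("drop: no ppp link")
        if protected and not self.sa_up:
            return self._record("drop: protected packet with no matching sa")
        if not protected and ipsec_required(self.profile, self.terminates_on_lns):
            return self._record("drop: cleartext violates IPSEC_MANDATE")
        return self._record("forward")

    def ppp_link_down(self) -> str:
        # Slide 5: SA lifetime is linked to the virtual PPP link staying alive.
        self.ppp_up = self.sa_up = False
        return self._record("ppp down: ike/ipsec sas torn down")


# Constructed sample reply for a user who must use IPsec when on an LNS.
SAMPLE_REPLY = """
User-Name=alice
IPSEC_MANDATE=1
SECURITY_PROFILE=corp-remote-esp
IKE_NEGOTIATION_PROFILE=corp-psk-main-mode
"""


def demo() -> list:
    """Run one session through the events above and return its decision log."""
    s = SrasSession(parse_radius_reply(SAMPLE_REPLY), terminates_on_lns=True)
    s.ppp_link_up()
    s.user_packet(protected=False)  # mandate applies on an LNS
    s.user_packet(protected=True)   # no SA negotiated yet
    s.sa_established()
    s.user_packet(protected=True)   # forwarded
    s.ppp_link_down()
    s.user_packet(protected=True)   # link gone, SA torn down
    return s.log
```

The parser deliberately fails on an IPSEC_MANDATE value it does not know instead of falling back to "not required", since a defaulting parser would turn a misconfigured or corrupted RADIUS reply into a silent loss of the mandate. Tying the SA state to the PPP link (the last event in `demo()`) is the slide 5 point: once the virtual link is gone there is no session left for a leftover SA to protect, so packets arriving under it are dropped rather than forwarded.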

  8. Limitations of the SRAS approach
     • IPsec tunneling overhead on top of L2TP tunneling overhead further reduces throughput and the effective path MTU size.
     • Multiple identity and authentication requirements on the end user.
     • Link-level authentication is prone to session stealing over the Internet, unless better link authentication schemes are employed.
