Softwires L2TPv2 Hubs & Spokes for Phase I
Maria Alice Dos Santos, Cisco
Jean Francois Tremblay, Hexago
Bill Storer, Cisco
Jordi Palet, Consulintel
Carl Williams, KDDI
and others
65th IETF - Dallas, TX, USA
L2TPv2 VS TSP
• At the Softwires interim meeting in Hong Kong, multiple protocols (ATS6, TSP, L2TPv2) were proposed as the Phase I Hubs & Spokes Softwire solution
• At the interim meeting, a non-technical requirement evaluation of the proposed protocols was conducted:
  • The two leading protocols are L2TPv2 and TSP
  • L2TPv2 average score is 97 (rounded)
  • TSP average score is 86 (rounded)
• A technical comparison between L2TPv2 and TSP has been conducted and discussed on the mailing list
• The WG selected L2TPv2 as the Phase I Hubs & Spokes solution based on the comparison results in the following categories
Standardization Status
• L2TPv2 (RFC 2661) has been standardized since 1999
  • RFC 2661 - Layer Two Tunneling Protocol "L2TP" (PS)
  • RFC 2867 - RADIUS Accounting Modifications for Tunnel Protocol Support (Inf.)
  • RFC 3371 - Layer Two Tunneling Protocol "L2TP" Management Information Base (PS)
  • RFC 3193 - Securing L2TP using IPsec (PS)
  • RFC 3948 - UDP Encapsulation of IPsec ESP Packets (PS)
  • RFC 3145 - L2TP Disconnect Cause Information (PS)
  • RFC 3308 - Layer Two Tunneling Protocol (L2TP) Differentiated Services Extension (PS)
• TSP has been sent to the RFC Editor as an individual submission
  • draft-vg-ngtrans-tsp-00.txt submitted in 2001
  • draft-blanchet-v6ops-tunnelbroker-tsp-03.txt
Interoperability
• The L2TPv2 protocol has been proven by numerous independent, interoperable implementations
• One TSP server implementation exists, while the TSP client has been implemented by multiple entities:
Scalability
• L2TPv2 scalability has been proven in large-scale commercial VPN deployments:
  • L2TPv2 is proven to scale to millions of subscribers in multiple IPv4 over IPv4 VPN deployments
  • Upper tens of thousands of concurrent L2TPv2 sessions on a single node (or "LNS")
  • Call setup rates in the hundreds per second
• TSP scalability has yet to be demonstrated in multiple-server commercial settings:
  • Freenet6 has 10,000 tunnels now on a single server
  • 50,000 tunnels have been tested on one broker
Deployment Experience
• L2TPv2 deployment experience:
  • L2TPv2 is widely used in large-scale IPv4 over IPv4 VPN commercial deployments, with AAA, accounting and MIB well integrated in the solutions
  • Cases in point: NTT, BT, AOL (millions of tunnels each)
  • L2TPv2 is used in IPv6 over IPv4 deployments:
    • Point6
    • NTT commercial IPv6 tunnel service
• TSP deployment experience:
  • Freenet6 TSP commercial IPv6 over IPv4 deployment since 2003 (10K tunnels)
  • KDDI TSP trial IPv4 over IPv6 deployment (1000 tunnels)
  • AT&T and Wanadoo trials, no numbers
  • NTT and DoD have ongoing trials
L2TPv2 Phase I Hubs & Spokes Softwire Solution
• L2TPv2 Hubs & Spokes Softwire framework draft
  • To be delivered (LC) in July 2006
  • Document / recommend / define L2TPv2 Hubs & Spokes Softwire solution implementation specifics
• Examples of topics to be covered by the framework draft (credits to Jean Francois Tremblay, Jordi Palet, Ole Troan for the initial list of topics):
  • How L2TPv2 satisfies H&S Softwire requirements
  • Deployment scenarios with L2TPv2 and other components involved in the H&S solution
  • Standardization status of L2TPv2 and other components involved in the H&S solution
  • Provisioning models (addresses, prefix delegation, DNS, etc.)
  • L2TPv2 tunnel setup / maintenance specifics in the H&S solution
  • AAA integration / infrastructure and statistics
  • Security analysis for L2TPv2 H&S
  • Implementation status
  • Others?
IPv6 over IPv4 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator
(diagram) Dual AF Host CPE (LAC) --- IPv4 --- LNS
• Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
• IPv6CP: capable of /64 interface ID assignment or uniqueness check
• ISP to Dual AF Host CPE: auto-config (/64 prefix via RA; DNS, etc. via DHCPv4/v6)
IPv6 over IPv4 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator
(diagram) Hosts --- Dual AF CPE (LAC) --- IPv4 --- LNS
• Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
• IPv6CP: capable of /64 interface ID assignment or uniqueness check
• Provisioning labels in the diagram: /64 prefix (RA), /48 prefix (DHCPv6 PD), /64 prefixes to hosts (RA), DNS, etc. (DHCPv4/v6)
• ISP to Dual AF CPE: PD and auto-config
• Dual AF CPE to hosts: auto-config
IPv6 over IPv4 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator
(diagram) Dual AF Host (LAC) --- CPE --- IPv4 --- LNS
• Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
• IPv6CP: capable of /64 interface ID assignment or uniqueness check
• ISP to Dual AF Host: auto-config (/64 prefix via RA; DNS, etc. via DHCPv4/v6)
IPv6 over IPv4 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator
(diagram) Hosts --- Dual AF Router (LAC) --- CPE --- IPv4 --- LNS
• Encapsulation: IPv6 over PPP over L2TPv2 over UDP over IPv4
• IPv6CP: capable of /64 interface ID assignment or uniqueness check
• Provisioning labels in the diagram: /64 prefix (RA), /48 prefix (DHCPv6 PD), /64 prefixes to hosts (RA), DNS, etc. (DHCPv4/v6)
• ISP to Dual AF Router: PD and auto-config
• Dual AF Router to hosts: auto-config
IPv4 over IPv6 Softwire with L2TPv2: Case 1 – Host CPE as Softwire Initiator
(diagram) Dual AF Host CPE (LAC) --- IPv6 --- LNS
• Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
• IPCP: assigns global IPv4 address and DNS, etc.
• ISP to Dual AF Host CPE: IP assignment and auto-config
IPv4 over IPv6 Softwire with L2TPv2: Case 2 – CPE as Softwire Initiator
(diagram) Hosts --- Dual AF CPE (LAC) --- IPv6 --- LNS
• Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
• IPCP: assigns global IPv4 address and DNS, etc.
• ISP to Dual AF CPE: IP assignment and auto-config
• Dual AF CPE to hosts: IP assignment and auto-config (private IPv4 addresses and DNS, etc. via DHCP)
IPv4 over IPv6 Softwire with L2TPv2: Case 3 – Host behind CPE as Softwire Initiator
(diagram) Dual AF Host (LAC) --- CPE --- IPv6 --- LNS
• Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
• IPCP: assigns global IPv4 address and DNS, etc.
• ISP to Dual AF Host: IP assignment and auto-config
IPv4 over IPv6 Softwire with L2TPv2: Case 4 – Router behind CPE as Softwire Initiator
(diagram) Hosts --- Dual AF Router (LAC) --- CPE --- IPv6 --- LNS
• Encapsulation: IPv4 over PPP over L2TPv2 over UDP over IPv6
• IPCP: assigns global IPv4 address and DNS, etc.
• ISP to Dual AF Router: IP assignment and auto-config
• Dual AF Router to hosts: IP assignment and auto-config (private IPv4 addresses and DNS, etc. via DHCP)
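The data-plane stack shared by the eight cases above (IP over PPP over L2TPv2 over UDP, for either address family), as an added Python example that is not code from the presentation or from any vendor it names: it builds and parses the RFC 2661 data header and the PPP protocol field, and performs the check an LNS would want on a softwire session, namely that the PPP protocol number and the inner IP version both match the family the session was provisioned for. Tunnel/session IDs, the 2001:db8:: addresses and the packet bytes are constructed sample values.

```python
import struct, ipaddress

PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057   # PPP protocol numbers for IPv4 and IPv6 user data (RFC 1661 assigned numbers)

def build_l2tpv2_data(tunnel_id, session_id, ppp_proto, inner):   # IP o PPP o L2TPv2, i.e. the UDP payload
    hdr = struct.pack("!HHH", 0x0002, tunnel_id, session_id)      # flags: T=0 (data), L/S/O clear, Ver=2
    return hdr + struct.pack("!H", ppp_proto) + inner

def parse_l2tpv2(payload):
    """Parse the RFC 2661 header at the start of a UDP payload; returns its fields plus the PPP frame."""
    if len(payload) < 6:
        raise ValueError("truncated L2TPv2 header")
    flags = struct.unpack("!H", payload[:2])[0]
    if flags & 0xF != 2:
        raise ValueError("not L2TPv2 (Ver=%d)" % (flags & 0xF))
    has_len = flags >> 14 & 1                   # L bit: Length field covers the whole L2TP message
    if has_len and struct.unpack("!H", payload[2:4])[0] != len(payload):
        raise ValueError("L2TPv2 Length field disagrees with packet size")
    off = 4 if has_len else 2
    tunnel_id, session_id = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    if flags >> 11 & 1:                         # S bit: Ns/Nr present (always set on control messages)
        off += 4
    if flags >> 9 & 1:                          # O bit: Offset Size field plus that many pad bytes
        off += 2 + struct.unpack("!H", payload[off:off + 2])[0]
    return {"control": bool(flags >> 15), "tunnel_id": tunnel_id, "session_id": session_id, "ppp": payload[off:]}

def parse_ppp(frame):
    """Split a PPP frame into (protocol, payload): optional FF 03 address/control, then a 2-byte or 1-byte (low bit set) protocol field."""
    off = 2 if frame[:2] == b"\xff\x03" else 0
    if frame[off] & 1:
        return frame[off], frame[off + 1:]
    return struct.unpack("!H", frame[off:off + 2])[0], frame[off + 2:]

def check_softwire_packet(udp_payload, expected_inner="IPv6"):
    """Decapsulate one packet and confirm PPP protocol number and inner IP version match the family the softwire carries."""
    l2tp = parse_l2tpv2(udp_payload)
    if l2tp["control"]:
        return {"kind": "control", "tunnel_id": l2tp["tunnel_id"], "ok": True}
    proto, inner = parse_ppp(l2tp["ppp"])
    name = {PPP_IPV4: "IPv4", PPP_IPV6: "IPv6"}.get(proto)
    if name is None:                            # LCP/IPCP/IPv6CP negotiation, not user data
        return {"kind": "ppp-0x%04x" % proto, "session_id": l2tp["session_id"], "ok": True}
    ip_ver = inner[0] >> 4 if inner else 0
    ok = name == expected_inner and ip_ver == (6 if proto == PPP_IPV6 else 4)
    return {"kind": name, "session_id": l2tp["session_id"], "ip_version": ip_ver, "ok": ok}

# Constructed sample: a bare IPv6 header (payload length 0, next header 59 = none, hop limit 64), 2001:db8::1 -> ::2.
SAMPLE_IPV6 = bytes.fromhex("6000000000003b40") + b"".join(ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
SAMPLE_PACKET = build_l2tpv2_data(tunnel_id=5, session_id=7, ppp_proto=PPP_IPV6, inner=SAMPLE_IPV6)
```

`check_softwire_packet(SAMPLE_PACKET)` returns the session ID with `ok` set; pass `expected_inner="IPv4"` for an IPv4 over IPv6 softwire, where the same check rejects IPv6 data.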
IPv6 over L2TPv2 over IPv4 Today
• NTT
  • http://www.ntt.com/release_e/news05/0011/1121.html
  • http://www.networkworld.com/news/2005/122205-ntt-ipv6.html
• Point6
  • draft-toutain-softwire-point6box-00
• Cisco
  • http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html
L2TPv3 proposed as Phase II Hubs & Spokes Softwire Standard
• L2TPv3 is a superset of L2TPv2, with enhancements in security, scalability and flexibility for future extensions
• L2TPv3 (RFC 3931) automatic fallback to L2TPv2 allows a seamless transition from L2TPv2 to L2TPv3 (backward compatibility is a key requirement for Phase II)
• L2TPv3 isn't as widely implemented as L2TPv2
Why move to L2TPv3?
• Improvements with L2TPv3:
  • Stronger tunnel authentication mechanism covering all control messages rather than just portions at tunnel setup
  • Built-in lightweight data plane security: still works with IPsec transport mode, but the built-in cryptographically random cookie gives extra protection against blind insertion attacks
  • More efficient header encapsulation
  • 32-bit flat session ID, more efficient lookup in the forwarding plane
  • Runs over either IP or UDP
  • L2TPv3 can tunnel IP directly without PPP
  • Reduced tunnel/session setup time
  • Reduced data encapsulation size
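The cookie check behind the second bullet, as an added Python example that is not from the presentation: a receiver-side L2TPv3-over-UDP session table (RFC 3931 data header: flags/Ver, reserved, 32-bit Session ID, then the per-session cookie of 0, 4 or 8 bytes) that drops any data packet whose cookie does not equal the random one issued at session setup, so that knowing or guessing a Session ID alone is not enough to get a packet accepted. Session IDs, cookies and payloads are generated or constructed here, and no L2-specific sublayer is assumed in the header.

```python
import os, struct, hmac

class L2TPv3Receiver:
    """Receiver side of L2TPv3 over UDP: maps each local 32-bit Session ID to the random
    cookie (0, 4 or 8 bytes, RFC 3931) that the peer must echo in every data packet."""
    def __init__(self):
        self.sessions = {}
        self.dropped = 0

    def add_session(self, cookie_len=8):
        sid = 0
        while sid == 0 or sid in self.sessions:      # Session ID 0 is reserved for control messages
            sid = struct.unpack("!I", os.urandom(4))[0]
        cookie = os.urandom(cookie_len)               # cryptographically random, chosen per session
        self.sessions[sid] = cookie
        return sid, cookie

    def accept(self, udp_payload):
        """Return the tunnelled payload if header, Session ID and cookie all check out, else None."""
        if len(udp_payload) < 8:
            return self._drop()
        flags, _reserved, sid = struct.unpack("!HHI", udp_payload[:8])
        if flags & 0xF != 3 or flags >> 15 & 1:      # not L2TPv3, or a control message (T bit set)
            return self._drop()
        cookie = self.sessions.get(sid)
        if cookie is None:                            # unknown session (a guessed 32-bit ID)
            return self._drop()
        n = len(cookie)
        if not hmac.compare_digest(udp_payload[8:8 + n], cookie):   # wrong or missing cookie
            return self._drop()
        return udp_payload[8 + n:]

    def _drop(self):
        self.dropped += 1
        return None

def build_l2tpv3_data(sid, cookie, payload):
    """Sender side: flags with T=0 and Ver=3, reserved, Session ID, cookie, then the tunnelled frame."""
    return struct.pack("!HHI", 0x0003, 0, sid) + cookie + payload
```

With an 8-byte cookie a forged packet for a known Session ID is accepted with probability 2^-64 per attempt, whereas an L2TPv2 data packet carries only the 16-bit Tunnel and Session IDs to be matched.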
Phase II Hubs & Spokes Softwires with L2TPv3
• L2TPv3 Hubs & Spokes Softwire framework draft
  • Investigation starts in March (in the background of Phase I work)
  • Progress will be presented at the post-July 2006 interim meeting
  • Framework draft to be delivered (LC) in November 2006
  • Document / recommend / define L2TPv3 Hubs & Spokes Softwire solution implementation specifics
    • PPP over L2TPv3
    • IP over L2TPv3
• Additional potential items for Phase II:
  • DHCP integration (as an AAA mechanism in addition to RADIUS)
  • Softwire Concentrator auto discovery
  • IP over L2TPv3 solution: investigate a solution without PPP
  • NAT discovery
  • Mobility and nomadicity