Early in the evolution of communications, PPP was used to directly connect two systems to allow the flow of data. The protocol is designed for simple links that transport packets between two peers, where the packets are assumed to arrive in the condition they were sent and in the proper sequence. PPP is not resistant to packet loss or line errors and does not handle such errors efficiently. The frames passed along the connection carry the network layer protocols that operate over it. PPP has been used in many dial-up solutions and is typically used by ISPs to provide connectivity to the Internet. The problem with PPP is that the two systems must have a dedicated medium; a telephone line is an example that provides a direct serial link. Therefore, the PPP endpoint, the logical point of protocol establishment, was also the physical medium endpoint. An example is two modems connected by a phone line. The modem plays the same role as the telephone: it provides the PPP encapsulation, it is the endpoint of the communication, and it is also the physical endpoint of the line.
Layer 2 Tunneling Protocol (L2TP) was invented to eliminate the association of the communication technology — a phone line — with the communication topology — PPP encapsulation. L2TP allows the two to be on different systems connected by a packet-switched network, such as the Internet. Before L2TP, a roaming user would dial a number to a modem at the home office to establish a PPP session to provide protocol connectivity, such as IPX/SPX, to a Novell server. With the use of L2TP, that same user can dial a local service that encapsulates the PPP frame in a TCP/IP packet that gets forwarded over an IP network to the home office access device. The PPP session is terminated at the home office, and the IPX/SPX protocol session will operate as if connected by the original method.
40 A Technical Guide to IPSec Virtual Private Networks
The network layer is used to virtually connect two physical systems. In normal operations, the link layer PPP frame would have to be created and terminated in a point-to-point configuration. L2TP eliminates this requirement and encapsulates the original PPP frame in a TCP/IP network layer packet. For example, a roaming user dials into the home office remote access server’s modem. The modems use PPP encapsulation for link layer operations and rightfully so, because each system provides the termination. The phone company provides the physical layer and the remaining upper layers are encapsulated in PPP frames. If the roaming user were to travel to a remote location and call the home office’s RAS system, the cost could be overwhelming. If the roaming user dials an ISP, the connection still will not work. The PPP session to the ISP is terminated at the ISP, and the network layer is used for communication throughout the Internet using an IP address assigned by the ISP, which is not valid for communications on the home office network that uses IPX/SPX. Ideally, the roaming user can call a local number that provides access to the home office.
In L2TP, there are two primary systems within the communication. The L2TP Access Concentrator (LAC) acts as an L2TP peer and provides PPP connectivity. The second participant is the L2TP Network Server (LNS), which provides the logical termination point for the PPP session and is the L2TP endpoint.
The LAC can operate in two modes: remote and local. As detailed in Exhibit 2-16, in a remote configuration, a client uses the phone system to dial a LAC and establish a PPP session. Through various authentication methods, either by the phone number used or simple authentication, the provider determines that the client wishes to connect to the home office, which houses an LNS.
The LAC then encapsulates the PPP frames into IP packets and forwards them across an IP network to the corporate LNS. It is important to know that the IP network can be a Frame Relay cloud, ATM, wireless, Internet, or any IP-based network. The LNS acts as the new termination point for the PPP frames, allowing the remote client to interact with the LNS directly within Layer 2. The LNS de-encapsulates the PPP frames from the IP packet, and then simply operates as if the remote system had dialed directly into the home office. The PPP frames are processed and the IPX/SPX is injected into the network and operates as if the client were directly connected.
In a local design, the LAC is a service or client package loaded on the laptop that encapsulates the PPP frames into IP packets prior to sending them across the Internet. Exhibit 2-17 reveals that in this case, the client establishes an IP session with an ISP and encapsulates the PPP frames in an IP packet whose source is the address assigned by the ISP and whose destination is the Internet IP address of the home office’s LNS. The LNS acts as the PPP termination point, allowing the communication to operate as if the user had dialed directly into the network.
Understanding the original goals for which L2TP was designed, it is easy to see how the encapsulation of information can be applied to many scenarios and not just PPP. L2TP can be used to transport Layer 3 protocols only, over networks that the originating technology could not communicate over under normal conditions. Simply forgo the Layer 2 data, such as PPP, and encapsulate the protocol and forward it as normal.
Exhibit 2-16. L2TP connection where the LAC is provided as a remote service by a provider.
Technical Primer 41
However, there is one major aspect that is absent from the preceding description: security. L2TP provides no security services, and any communication that leverages L2TP over a public network is open to various forms of attack, not the least of which is a lack of confidentiality resulting in no privacy.
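The LAC-to-LNS encapsulation described above, and the consequence of the missing security services, can be made concrete with the message format itself. The following is an added example and not code from the book or from any L2TP implementation: it builds an L2TPv2 data message (header layout from RFC 2661, section 3.1, which carries L2TP over UDP port 1701) around a PPP frame holding an IPX packet, dissects it again, and shows what a passive tap on the intervening IP network learns from a single datagram. The tunnel and session IDs, the IPX bytes and the "captured" datagram are constructed values for the demonstration.

```python
"""Added example: build and dissect L2TPv2 data messages (RFC 2661, section 3.1)
that carry a PPP frame, then show what a passive observer on the IP network
recovers from them.  Constructed values: the tunnel/session IDs, the IPX bytes
and the sample datagram are made up for the demonstration."""
import struct

# Bits of the first 16-bit word of the L2TPv2 header (RFC 2661, section 3.1)
FLAG_T = 0x8000  # set on control messages, clear on data messages
FLAG_L = 0x4000  # Length field present
FLAG_S = 0x0800  # Ns/Nr sequence numbers present
FLAG_O = 0x0200  # Offset Size field present
VER_MASK = 0x000F
L2TP_VERSION = 2
L2TP_UDP_PORT = 1701               # RFC 2661: L2TP runs over UDP port 1701
PPP_PROTO_IPX = 0x002B             # PPP protocol number for Novell IPX (RFC 1552)
PPP_ADDRESS_CONTROL = b"\xff\x03"  # HDLC address/control bytes, optional in L2TP


def build_data_message(tunnel_id, session_id, ppp_frame, ns=None, nr=None,
                       with_length=True):
    """Encapsulate one PPP frame in an L2TPv2 data message (T bit clear)."""
    flags = L2TP_VERSION
    if with_length:
        flags |= FLAG_L
    if ns is not None:
        flags |= FLAG_S
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        body += struct.pack("!HH", ns, nr)
    body += ppp_frame
    header = struct.pack("!H", flags)
    if with_length:
        # Length counts the whole message: flags, the Length field and the body
        header += struct.pack("!H", 4 + len(body))
    return header + body


def parse_data_message(packet):
    """Dissect an L2TPv2 message; raises ValueError on malformed input so a
    monitor can flag it instead of silently mis-parsing."""
    if len(packet) < 6:
        raise ValueError("too short for an L2TP header")
    (flags,) = struct.unpack_from("!H", packet, 0)
    if flags & VER_MASK != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    off = 2
    if flags & FLAG_L:
        (length,) = struct.unpack_from("!H", packet, off)
        off += 2
        if length > len(packet) or length < off + 4:
            raise ValueError("Length field inconsistent with datagram size")
        packet = packet[:length]
    if len(packet) < off + 4:
        raise ValueError("truncated tunnel/session IDs")
    tunnel_id, session_id = struct.unpack_from("!HH", packet, off)
    off += 4
    ns = nr = None
    if flags & FLAG_S:
        if len(packet) < off + 4:
            raise ValueError("truncated Ns/Nr")
        ns, nr = struct.unpack_from("!HH", packet, off)
        off += 4
    if flags & FLAG_O:
        if len(packet) < off + 2:
            raise ValueError("truncated Offset Size")
        (offset_size,) = struct.unpack_from("!H", packet, off)
        off += 2 + offset_size  # skip the field and the padding it announces
    if off > len(packet):
        raise ValueError("offset padding runs past the datagram")
    return {"control": bool(flags & FLAG_T), "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr, "ppp": packet[off:]}


def ppp_protocol(ppp_frame):
    """Return the PPP protocol number, skipping the optional 0xFF03 prefix."""
    if ppp_frame.startswith(PPP_ADDRESS_CONTROL):
        ppp_frame = ppp_frame[2:]
    if len(ppp_frame) < 2:
        raise ValueError("PPP frame has no protocol field")
    return struct.unpack_from("!H", ppp_frame, 0)[0]


def observe(udp_dst_port, udp_payload):
    """What a passive tap on the IP network learns from one datagram: with
    nothing protecting L2TP, the PPP payload is readable in full."""
    if udp_dst_port != L2TP_UDP_PORT:
        return None
    try:
        msg = parse_data_message(udp_payload)
    except ValueError as exc:
        return "malformed L2TP on port 1701: %s" % exc
    if msg["control"]:
        return "L2TP control message, tunnel %d" % msg["tunnel_id"]
    try:
        proto = ppp_protocol(msg["ppp"])
    except ValueError:
        return "L2TP data message with no PPP protocol field"
    return "plaintext PPP payload, tunnel %d session %d, protocol 0x%04X, %d bytes" % (
        msg["tunnel_id"], msg["session_id"], proto, len(msg["ppp"]))


# Constructed sample: the LAC wraps an IPX packet from the dial-in client
SAMPLE_IPX = b"<constructed IPX packet bytes>"
SAMPLE_PPP = PPP_ADDRESS_CONTROL + struct.pack("!H", PPP_PROTO_IPX) + SAMPLE_IPX
SAMPLE_MESSAGE = build_data_message(0x1234, 0x0056, SAMPLE_PPP, ns=7, nr=3)

if __name__ == "__main__":
    print(SAMPLE_MESSAGE.hex())
    print(observe(L2TP_UDP_PORT, SAMPLE_MESSAGE))
```

Running the module prints the encoded datagram and then the observer's finding: the tunnel and session IDs, the PPP protocol number (0x002B, IPX) and the payload length are all recovered from the wire without any key, which is exactly the confidentiality gap the text points at. The parser rejects truncated or inconsistent headers with a ValueError rather than guessing, so the same dissector can serve as a sanity check in a monitor.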