  Extensity Newsletter
Vol. I   Issue 11   June, 2004

Why L2TP?

From a business perspective, a virtual private network is one in which all data paths are secret to a certain extent, yet open to a limited group of persons, for example the employees of a specific company. The simplest and most general deployments create such a network by isolating it from the Internet.

From the perspective of a typical remote user working from home or away on a business trip, a VPN is a point-to-point connection to the organization's server that logically behaves, to some extent, like a leased line; alternatively it provides dial-in VPN connectivity that dynamically sets up a secure remote connection to the company's intranet.

Conceptually, a VPN is analogous to a point-to-point link. In VPN networks the point-to-point connections are emulated using data encapsulation and tunneling techniques, i.e., the data is wrapped with a header that provides the necessary routing information. To enhance data confidentiality and integrity, packets may be encrypted before entering the tunnel; even if they are intercepted (which is not difficult, as they are sent over a public network), they remain indecipherable without the encryption keys.

However, in the case of a business with several small remote branches it is not so simple. Leased lines could be a solution, but a costly one, and one that would not necessarily ensure the required degree of security. Leased lines do not scale, especially when part of the resources of a private network must be made accessible to external users, and they are not possible over a physically separated network. An alternative would be to employ a remote server, but that involves additional fees for phone sessions, which may also be long distance. What is required is a mechanism to transfer data over a public network through a tunnel, so that all data can be encrypted and transmitted securely. L2TP is an ideal choice for such an application. The two commonly used and widely recognized protocols are PPTP and L2TP, both of which are Layer 2 tunneling protocols.

L2TP:

The L2TP protocol, as documented in RFC 2661, combines Cisco's Layer 2 Forwarding (L2F) and PPTP, using the best of both. L2TP is a Layer 2 (OSI) tunneling protocol and encapsulates PPP frames to send them between the server and the client. Moreover, L2TP is more flexible than PPTP in that it has been designed to operate directly over various non-IP WAN technologies, unlike PPTP, which requires an IP-based network transport layer. Like PPTP, L2TP encapsulates the original IP datagrams for transport over the network. Encryption for L2TP is provided by IPSec, so encapsulation is divided into two layers: the initial L2TP encapsulation and the IPSec encapsulation. The process is as follows:

  • The initial payload is encapsulated in a PPP frame.
  • The PPP frame is placed in a new IP datagram, encapsulated with a UDP header and an L2TP header.
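The two encapsulation steps above, carried through in working code as an added example (it is not code from the newsletter or from any L2TP implementation): the original datagram is wrapped in a PPP frame, then in an L2TP data-message header per RFC 2661, then in UDP on port 1701 and a new outer IPv4 header. The receiving side walks the layers back and rejects anything that does not parse cleanly, which is the check a server or a packet filter would apply. All addresses, tunnel and session IDs and the inner datagram are constructed sample values.

```python
import socket
import struct

L2TP_UDP_PORT = 1701     # IANA-registered UDP port for L2TP (RFC 2661)
PPP_PROTO_IPV4 = 0x0021  # PPP protocol number for IPv4 (RFC 1332)


def ppp_encapsulate(payload: bytes, protocol: int = PPP_PROTO_IPV4) -> bytes:
    """Step 1: wrap the original datagram in a PPP frame (HDLC-like framing, RFC 1662)."""
    return b"\xff\x03" + struct.pack("!H", protocol) + payload


def l2tp_encapsulate(ppp_frame: bytes, tunnel_id: int, session_id: int, ns=None, nr=0) -> bytes:
    """Step 2a: prepend an L2TP data-message header (RFC 2661 section 3.1)."""
    flags = 0x4002                       # T=0 (data), L=1 (Length present), Ver=2
    fields = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= 0x0800                  # S=1: Ns/Nr sequence fields present
        fields += struct.pack("!HH", ns, nr)
    length = 4 + len(fields) + len(ppp_frame)
    return struct.pack("!HH", flags, length) + fields + ppp_frame


def udp_encapsulate(payload: bytes, src_port: int, dst_port: int = L2TP_UDP_PORT) -> bytes:
    """Step 2b: UDP header; a zero checksum means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791); yields 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_encapsulate(payload: bytes, src: str, dst: str, protocol: int = 17) -> bytes:
    """Step 2c: new outer IPv4 header (IHL=5, DF set, TTL 64, protocol 17 = UDP)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         64, protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def build_tunneled_packet(inner: bytes, tunnel_id: int, session_id: int,
                          client_ip: str, lns_ip: str) -> bytes:
    """Full client-side encapsulation: inner datagram -> PPP -> L2TP -> UDP -> IP."""
    l2tp = l2tp_encapsulate(ppp_encapsulate(inner), tunnel_id, session_id, ns=1, nr=1)
    return ipv4_encapsulate(udp_encapsulate(l2tp, L2TP_UDP_PORT), client_ip, lns_ip)


def l2tp_decapsulate(packet: bytes):
    """Server side: walk IP -> UDP -> L2TP -> PPP, validating each layer.

    Returns (tunnel_id, session_id, ppp_protocol, inner_payload) or raises ValueError."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    udp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != L2TP_UDP_PORT or udp_len != len(udp):
        raise ValueError("not L2TP over UDP")
    l2tp = udp[8:]
    flags = struct.unpack("!H", l2tp[:2])[0]
    if (flags & 0x000F) != 2:
        raise ValueError("unsupported L2TP version")
    if flags & 0x8000:
        raise ValueError("control message, not a data message")
    pos = 2
    if flags & 0x4000:                   # L bit: Length field present
        if struct.unpack("!H", l2tp[pos:pos + 2])[0] != len(l2tp):
            raise ValueError("L2TP length mismatch")
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", l2tp[pos:pos + 4])
    pos += 4
    if flags & 0x0800:                   # S bit: skip Ns/Nr
        pos += 4
    if flags & 0x0200:                   # O bit: Offset Size plus offset padding
        pos += 2 + struct.unpack("!H", l2tp[pos:pos + 2])[0]
    ppp = l2tp[pos:]
    if ppp[:2] != b"\xff\x03":
        raise ValueError("expected PPP address/control bytes")
    return tunnel_id, session_id, struct.unpack("!H", ppp[2:4])[0], ppp[4:]


def is_l2tp_data_packet(packet: bytes) -> bool:
    """Filter predicate: True only if every layer parses cleanly."""
    try:
        l2tp_decapsulate(packet)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample: an inner IPv4/UDP datagram from the remote worker's host (10.8.0.5)
# to an intranet server (10.1.2.3), tunneled from a public client address to the LNS.
INNER = ipv4_encapsulate(udp_encapsulate(b"GET /intranet", 40000, 53), "10.8.0.5", "10.1.2.3")
TUNNELED = build_tunneled_packet(INNER, tunnel_id=7, session_id=42,
                                 client_ip="203.0.113.10", lns_ip="198.51.100.1")
```

Note that the outer IP and UDP headers are all that a router on the public network sees; the tunnel and session IDs, the PPP protocol field and the inner datagram are only visible after decapsulation, and without the IPSec layer described further on they travel in the clear.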

There are two key aspects of any VPN that need to be addressed: a) authentication and b) encryption.

Authentication - Authentication takes place at two levels:

User-level authentication - the user must be authenticated when sending data over the L2TP tunnel. This is done through a PPP authentication method.

Machine-level authentication - machine-level authentication is performed by IPSec through the exchange of certificates or pre-shared keys during the establishment of the IPSec connection.
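The user-level step above says only that "a PPP authentication method" is used. As an added example (not code from the newsletter), the following models one such method, CHAP (RFC 1994), with both sides' messages: the server sends a Challenge, the client answers with MD5(Identifier || secret || challenge) as the RFC specifies, and the server compares against its own computation and replies Success or Failure. The server name, user name and secret are constructed placeholders, and the secret store is a plain dictionary standing in for whatever the authenticator really consults.

```python
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_value_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code, Identifier, Length, Value-Size, Value, Name (RFC 1994 4.1)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def chap_result_packet(code: int, identifier: int, message: bytes) -> bytes:
    """Success/Failure packet: Code, Identifier, Length, Message (RFC 1994 4.2)."""
    return struct.pack("!BBH", code, identifier, 4 + len(message)) + message


def parse_chap(pkt: bytes):
    """Return (code, identifier, value, name_or_message); raise ValueError on a malformed packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad CHAP length")
    if code in (CHAP_SUCCESS, CHAP_FAILURE):
        return code, identifier, b"", pkt[4:]
    value_size = pkt[4]
    value = pkt[5:5 + value_size]
    if len(value) != value_size:
        raise ValueError("truncated CHAP value")
    return code, identifier, value, pkt[5 + value_size:]


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: the Response Value is MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


# --- server (PPP authenticator at the tunnel end) ---
def server_challenge(identifier: int, server_name: bytes, rng=os.urandom):
    """Issue a fresh, unpredictable 16-byte challenge; the server keeps it to verify the response."""
    challenge = rng(16)
    return challenge, chap_value_packet(CHAP_CHALLENGE, identifier, challenge, server_name)


def server_verify(response_pkt: bytes, identifier: int, challenge: bytes, secrets: dict) -> bytes:
    """Recompute the expected value for the claimed user and compare in constant time."""
    code, rid, value, name = parse_chap(response_pkt)
    secret = secrets.get(name)
    ok = (code == CHAP_RESPONSE and rid == identifier and secret is not None
          and hmac.compare_digest(value, chap_response_value(identifier, secret, challenge)))
    if ok:
        return chap_result_packet(CHAP_SUCCESS, identifier, b"Welcome")
    return chap_result_packet(CHAP_FAILURE, identifier, b"Authentication failed")


# --- client (remote user's PPP peer) ---
def client_respond(challenge_pkt: bytes, secret: bytes, user_name: bytes) -> bytes:
    """Answer a Challenge; the secret itself never leaves the client."""
    code, identifier, challenge, _server_name = parse_chap(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("expected a CHAP Challenge")
    value = chap_response_value(identifier, secret, challenge)
    return chap_value_packet(CHAP_RESPONSE, identifier, value, user_name)


def run_exchange(secrets: dict, user: bytes, secret: bytes, identifier: int = 1, rng=os.urandom) -> int:
    """One Challenge -> Response -> Success/Failure round trip; returns the result code."""
    challenge, challenge_pkt = server_challenge(identifier, b"lns.example", rng)
    response_pkt = client_respond(challenge_pkt, secret, user)
    return parse_chap(server_verify(response_pkt, identifier, challenge, secrets))[0]


# Constructed sample credentials (placeholders, not real accounts)
SECRETS = {b"alice": b"correct horse battery staple"}
```

Because the challenge is fresh each time, a captured Response is useless against a later Challenge; the test below shows a response computed for one challenge being rejected when presented against another. Note that the authenticator must hold the secret in a form it can hash, which is why CHAP secrets are stored differently from ordinary password hashes.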

Data encryption - the protocols used to create VPN connections allow encrypted data to be sent over a network. Although it is possible to have a non-encrypted connection, this is not recommended. Note that data encryption for VPN connections does not provide end-to-end security (encryption), but only security between the client and the VPN server. To provide a secure end-to-end connection, the IPSec protocol can be used once a VPN connection has been established.

The L2TP-encapsulated payload is then processed by IPSec, i.e., an IPSec Encapsulating Security Payload (ESP) header and an IPSec authentication trailer (AUTH) are added. In this way, the integrity and authentication of messages are provided en route. At this stage, tunneled messages are not yet encrypted. IPSec ESP is the mechanism that provides encryption of the L2TP data. It is possible to have a non-encrypted L2TP connection where the PPP frame is sent in plaintext. However, such an insecure solution is absurd and is definitely not recommended.

Benefits of L2TP:

L2TP only requires that the media provide point-to-point connectivity, whereas PPTP requires an IP-based network transport layer and cannot support non-IP media directly. This makes L2TP more flexible, as it can be used directly over IP, Frame Relay, X.25 and ATM.

Moreover, with L2TP multiple tunnels can be supported to transport payloads end-to-end. Multi-tunnel operation is therefore possible with L2TP, with different tunnels corresponding to different levels of Quality of Service (QoS) and security.

L2TP also provides header compression mechanisms. When this function is enabled, the L2TP header is smaller than the PPTP header, resulting in fewer simultaneous RTP sessions being required to produce bandwidth efficiencies.

IPSec is the Layer 3 (OSI) data-tunneling model; it uses a specific mode, ESP tunnel mode, which offers strong encapsulation and encryption of IP datagrams sent over a public IP network. In this mode, whole IP datagrams are encapsulated and encrypted using ESP. The IP datagram is finally encapsulated with a new IP header, and the resulting datagram is sent over the network. Upon receipt of the L2TP datagram, the recipient processes the data-link frame to authenticate the content and forwards the data to the destination site.
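The ESP framing described in the paragraph on the authentication trailer and in the paragraph on ESP tunnel mode above, as one added example (not code from the newsletter or from any IPsec implementation). It assumes ESP with NULL encryption (RFC 2410) and an HMAC-SHA1-96 integrity check (RFC 2404), which is exactly the "authenticated but not yet encrypted" stage the text describes; the Next Header byte selects transport mode (a UDP/L2TP segment inside, as in L2TP/IPsec) or tunnel mode (a whole IPv4 datagram inside). The receiver verifies the ICV, checks the SPI and rejects replayed sequence numbers before it hands the payload up. Key, SPI and both payloads are constructed stand-ins; the replay record is a set rather than the RFC 4303 sliding window.

```python
import hashlib
import hmac
import struct

ESP_PROTOCOL = 50     # IP protocol number carried in the outer IP header for ESP
NEXT_HDR_UDP = 17     # transport mode: the ESP payload is the UDP/L2TP segment
NEXT_HDR_IPV4 = 4     # tunnel mode: the ESP payload is a whole inner IPv4 datagram
ICV_LEN = 12          # HMAC-SHA1-96 (RFC 2404): 160-bit tag truncated to 96 bits


def esp_wrap(payload: bytes, spi: int, seq: int, auth_key: bytes, next_header: int) -> bytes:
    """ESP packet with NULL encryption (RFC 2410) and an HMAC authentication trailer.

    Layout (RFC 4303): SPI | Seq | Payload | Padding | Pad Len | Next Header | ICV.
    The ICV covers everything before it, so any change to header or payload is detected."""
    pad_len = (-(len(payload) + 2)) % 4          # Pad Len/Next Header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # default padding pattern 1, 2, 3, ...
    authed = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    return authed + icv


class EspInbound:
    """Receiver state for one inbound security association: key, SPI and replay record."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.seen = set()          # simplification of the RFC 4303 sliding replay window

    def unwrap(self, esp: bytes):
        """Verify and strip ESP; return (next_header, payload) or raise ValueError."""
        if len(esp) < 8 + 2 + ICV_LEN:
            raise ValueError("ESP packet too short")
        authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV check failed: packet modified or wrong key")
        spi, seq = struct.unpack("!II", authed[:8])
        if spi != self.spi:
            raise ValueError("SPI does not belong to this SA")
        if seq in self.seen:
            raise ValueError("replayed sequence number")
        self.seen.add(seq)
        pad_len, next_header = authed[-2], authed[-1]
        if pad_len > len(authed) - 10:
            raise ValueError("bad pad length")
        return next_header, authed[8:len(authed) - 2 - pad_len]

    def accepts(self, esp: bytes) -> bool:
        try:
            self.unwrap(esp)
            return True
        except ValueError:
            return False


# Constructed sample material: a stand-in UDP/L2TP segment, a stand-in inner IPv4 datagram,
# and a fixed authentication key (in a real deployment the key is negotiated by IKE).
UDP_L2TP_SEGMENT = b"constructed UDP/L2TP segment with PPP frame"
INNER_IPV4 = b"\x45\x00\x00\x14" + b"\x00" * 16
AUTH_KEY = bytes(range(20))


def demo() -> dict:
    """Transport-mode and tunnel-mode wrap/unwrap plus the failure cases a receiver must catch."""
    sa = EspInbound(0x1234, AUTH_KEY)
    transport = esp_wrap(UDP_L2TP_SEGMENT, 0x1234, 1, AUTH_KEY, NEXT_HDR_UDP)
    tunnel = esp_wrap(INNER_IPV4, 0x1234, 2, AUTH_KEY, NEXT_HDR_IPV4)
    flipped = transport[:12] + bytes([transport[12] ^ 0x01]) + transport[13:]
    return {
        "transport": sa.unwrap(transport),
        "tunnel": sa.unwrap(tunnel),
        "replay_rejected": not sa.accepts(transport),
        "tamper_rejected": not EspInbound(0x1234, AUTH_KEY).accepts(flipped),
        "wrong_key_rejected": not EspInbound(0x1234, bytes(20)).accepts(transport),
    }
```

In a real L2TP/IPsec deployment the payload is also encrypted before the ICV is computed, and the outer IP header's protocol field is set to 50 (ESP) so that the receiver knows to apply this processing before looking for the UDP/L2TP segment.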

- Badri Narayanan

Copyright © SIFY Limited. All rights reserved.