Network Working Group                                       P. Srisuresh
Request for Comments: 2888                         Campio Communications
Category: Informational                                      August 2000


                     Secure Remote Access with L2TP

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   The L2TP protocol is a virtual extension of PPP across an IP network
   infrastructure. L2TP makes it possible for an access concentrator
   (LAC) to be near remote clients, while allowing the PPP termination
   server (LNS) to be located on enterprise premises. L2TP allows an
   enterprise to retain control of the RADIUS database, which is used to
   control Authentication, Authorization and Accountability (AAA) of
   dial-in users. The objective of this document is to extend the
   security characteristics of IPsec to remote access users as they
   dial-in through the Internet. This is accomplished without creating
   new protocols, using the existing practices of Remote Access and
   IPsec. Specifically, the document proposes three new RADIUS
   parameters for use by the LNS node, acting as Secure Remote Access
   Server (SRAS), to mandate network level security between remote
   clients and the enterprise. The document also discusses limitations
   of the approach.

1. Introduction and Overview

   Nowadays, it is common practice for employees to dial-in to their
   enterprise over the PSTN (Public Switched Telephone Network) and
   perform day-to-day operations just as they would if they were on
   corporate premises. This includes people who dial-in from home and
   road warriors, who cannot be at the corporate premises. As the
   Internet has become ubiquitous, it is appealing to dial-in through
   the Internet to save on phone charges and to keep dedicated voice
   lines from being clogged with data traffic.

Srisuresh                    Informational                      [Page 1]

RFC 2888             Secure Remote Access with L2TP          August 2000


   This document suggests an approach by which remote access over the
   Internet could become a reality. The approach is founded on
   well-known techniques and protocols already in place. Remote Access
   extensions based on L2TP, when combined with the security offered by
   IPsec, can make remote access over the Internet a reality. The
   approach does not require inventing new protocol(s).

   The trust model of remote access discussed in this document is viewed
   principally from the perspective of an enterprise into which remote
   access clients dial-in. A remote access client may or may not want to
   enforce end-to-end IPsec from his/her end to the enterprise.
   However, it is in the interest of the enterprise to mandate security
   of every packet that it accepts from the Internet into the
   enterprise.  Independently, remote users may also pursue end-to-end
   IPsec, if they choose to do so. That would be in addition to the
   security requirement imposed by the enterprise edge device.

   Section 2 covers the terminology used throughout the document, and
   notes the limited scope in which some of these terms are used here.
   Section 3 has a brief description of what constitutes remote access.
   Section 4 describes what constitutes network security from an
   enterprise perspective. Section 5 describes the model of secure
   remote access as a viable solution for enterprises. The solution
   presented in section 5 has some limitations; these are listed in
   section 6. Section 7 is devoted to describing the new RADIUS
   attributes that may be configured to turn a NAS device into a Secure
   Remote Access Server.

2. Terminology and scope

   Definition of terms used in this document may be found in one of (a)
   L2TP Protocol document [Ref 1], (b) IP security Architecture document
   [Ref 5], or (c) Internet Key Exchange (IKE) document [Ref 8].

   Note that the terms Network Access Server (NAS) and Remote Access
   Server (RAS) are used interchangeably throughout the document. While
   PPP may be used to carry a variety of network layer packets, the
   focus of this document is limited to carrying IP datagrams only.

   "Secure Remote Access Server" (SRAS), as defined in this document,
   refers to a NAS that supports tunnel-mode IPsec with its remote
   clients. Specifically, the LNS is the NAS referred to. Further,
   involuntary tunneling is assumed for L2TP tunnel setup, in that the
   remote clients initiating PPP sessions and the LAC that tunnels the
   PPP sessions are presumed to be distinct physical entities.

   Lastly, there are a variety of transport media over which to tunnel
   PPP packets between a LAC and an LNS. Examples include a Frame Relay
   or ATM cloud and an IP network infrastructure. For simplicity, the
   document assumes a public IP infrastructure as the medium to
   transport PPP packets between LAC and LNS. Security of IP packets
   (embedded within PPP) in a trusted private transport medium is less
   of a concern for the purposes of this document.

3. Remote Access operation

   Remote access is more than mere authentication of remote clients by a
   Network Access Server (NAS). Authentication, Authorization, Accounting
   and routing are integral to remote access. A client must first pass
   the authentication test before being granted link access to the
   network. Network level services (such as IP) are granted based on the
   authorization characteristics specified for the user in RADIUS.
   Network Access Servers use RADIUS to scale to large numbers of
   users. The NAS also monitors the link status of the remote access
   clients.

   There are a variety of techniques by which remote access users are
   connected to their enterprise and the Internet. At the link level,
   the access techniques include ISDN digital lines, analog plain-old-
   telephone-service lines, xDSL lines, cable and wireless, to name a
   few. PPP is the most common Layer-2 (L2) protocol used for carrying
   network layer packets over these remote access links. PPP may be used
   to carry a variety of network layer datagrams including IP, IPX and
   AppleTalk. The focus of this document is however limited to IP
   datagrams only.

   L2TP is a logical extension of PPP over an IP infrastructure. While a
   LAC provides termination of Layer 2 links, the LNS provides the
   logical termination of PPP. As a result, the LNS becomes the focal
   point for (a) performing the AAA operations for the remote users, (b)
   assigning IP addresses and monitoring the logical link status (i.e.,
   the status of the LAC-to-LNS tunnel and the link between remote user
   and LAC), and (c) maintaining a host route to the remote user's
   network and providing routing infrastructure into the enterprise.

   L2TP uses control messages to establish, terminate and monitor the
   status of the logical PPP sessions (from remote user to LNS). These
   are independent of the data messages. L2TP data messages contain an
   L2TP header, followed by PPP packets. The L2TP header identifies the
   PPP session (amongst other things) to which the PPP packet belongs.
   The IP packets exchanged from/to the remote user are carried within
   the PPP packets. The layering of an L2TP data message carrying an
   end-to-end IP packet over an IP transport medium is shown below. The
   exact details of the L2TP protocol may be found in [Ref 1].

      +----------------------+
      | IP Header            |
      | (LAC <->LNS)         |
      +----------------------+
      | UDP Header           |
      +----------------------+
      | L2TP Header          |
      | (incl. PPP Sess-ID)  |
      +----------------------+
      | PPP Header           |
      | (Remote User<->LNS)  |
      +----------------------+
      | End-to-end IP packet |
      | (to/from Remote User)|
      +----------------------+
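   The encapsulation shown above, worked through in code. This is an
   added example written for this page, not code from the RFC or from
   any L2TP implementation: it builds an L2TP data message (outer IPv4 /
   UDP / L2TP / PPP around an inner IPv4 packet) and parses it back,
   rejecting control messages and malformed headers along the way. The
   header layouts follow RFC 2661 (L2TP), RFC 1661/1662 (PPP) and RFC
   791 (IPv4); the addresses, tunnel and session IDs and the inner
   payload are constructed sample values.

```python
"""Build and parse an L2TP data message carrying a PPP-encapsulated IPv4
packet (outer IPv4 / UDP / L2TP / PPP / inner IPv4).  Added example; all
addresses, IDs and payloads below are constructed sample values."""
import socket
import struct
from dataclasses import dataclass

L2TP_UDP_PORT = 1701       # IANA-assigned UDP port for L2TP
L2TP_VERSION = 2
L2TP_FLAG_T = 0x8000       # set on control messages, clear on data messages
L2TP_FLAG_L = 0x4000       # Length field present
L2TP_FLAG_S = 0x0800       # Ns/Nr sequence fields present
L2TP_FLAG_O = 0x0200       # Offset Size field present
IPPROTO_UDP = 17
PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03
PPP_PROTO_IPV4 = 0x0021    # PPP protocol number for IPv4


def ip_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


@dataclass
class L2TPData:
    """The fields a receiver needs from one L2TP data message."""
    outer_src: str        # LAC or LNS address
    outer_dst: str
    tunnel_id: int
    session_id: int       # identifies the PPP session
    inner_ip: bytes       # end-to-end IP packet to/from the remote user


def build_l2tp_data(msg: L2TPData) -> bytes:
    """Encapsulate inner_ip as LAC<->LNS IPv4 / UDP / L2TP / PPP."""
    ppp = bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack("!H", PPP_PROTO_IPV4) + msg.inner_ip
    # Data message with the L bit: flags/ver, length, tunnel ID, session ID
    l2tp = struct.pack("!HHHH", L2TP_FLAG_L | L2TP_VERSION, 8 + len(ppp),
                       msg.tunnel_id, msg.session_id) + ppp
    udp = struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp
    return ipv4_header(msg.outer_src, msg.outer_dst, IPPROTO_UDP, len(udp)) + udp


def parse_l2tp_data(pkt: bytes) -> L2TPData:
    """Strip each layer, checking lengths and flags, and return the inner IP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(pkt):
        raise ValueError("bad outer IPv4 lengths")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if pkt[9] != IPPROTO_UDP:
        raise ValueError("outer protocol is not UDP")
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    udp = pkt[ihl:total_len]
    _, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != L2TP_UDP_PORT or ulen != len(udp) or ulen < 8 + 6:
        raise ValueError("bad UDP header for L2TP")
    l2tp = udp[8:]
    flags = struct.unpack("!H", l2tp[:2])[0]
    if (flags & 0x000F) != L2TP_VERSION:
        raise ValueError("unsupported L2TP version")
    if flags & L2TP_FLAG_T:
        raise ValueError("control message, not a data message")
    off = 2
    if flags & L2TP_FLAG_L:
        length = struct.unpack("!H", l2tp[off:off + 2])[0]
        off += 2
        if length > len(l2tp) or length < off + 4:
            raise ValueError("bad L2TP length")
        l2tp = l2tp[:length]
    if len(l2tp) < off + 4:
        raise ValueError("truncated L2TP header")
    tunnel_id, session_id = struct.unpack("!HH", l2tp[off:off + 4])
    off += 4
    if flags & L2TP_FLAG_S:
        off += 4              # skip Ns/Nr
    if flags & L2TP_FLAG_O:
        off += 2 + struct.unpack("!H", l2tp[off:off + 2])[0]  # skip offset pad
    ppp = l2tp[off:]
    # PPP framing: address/control may be compressed away (ACFC) and the
    # protocol field may be a single byte (PFC, low bit set).
    if ppp[:2] == bytes([PPP_ADDRESS, PPP_CONTROL]):
        ppp = ppp[2:]
    if len(ppp) < 2:
        raise ValueError("truncated PPP frame")
    if ppp[0] & 1:
        proto, ppp = ppp[0], ppp[1:]
    else:
        proto, ppp = struct.unpack("!H", ppp[:2])[0], ppp[2:]
    if proto != PPP_PROTO_IPV4:
        raise ValueError("PPP payload is not IPv4 (protocol 0x%04x)" % proto)
    return L2TPData(src, dst, tunnel_id, session_id, ppp)


def sample_inner_packet() -> bytes:
    """Constructed end-to-end IPv4 packet from a remote user to an internal host."""
    payload = b"constructed payload"
    return ipv4_header("10.250.0.7", "10.1.0.5", 6, len(payload)) + payload


if __name__ == "__main__":
    msg = L2TPData("198.51.100.10", "203.0.113.5", 7, 42, sample_inner_packet())
    parsed = parse_l2tp_data(build_l2tp_data(msg))
    print(parsed.tunnel_id, parsed.session_id, parsed == msg)
```

   Note that nothing in this message is protected: the outer IP, UDP
   and L2TP headers and the PPP-wrapped inner packet are all carried in
   the clear, which is exactly why the rest of this document puts IPsec
   around the LAC-to-LNS transport when that transport is the public
   Internet.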

4. Requirements of an enterprise Security Gateway

   Today's enterprises are aware of the various benefits of connecting
   to the Internet. The Internet is a vast source of information and a
   means to disseminate information and make certain resources
   available to the external world. However, enterprises are also aware
   that security breaches (made possible by being connected to the
   Internet) can severely jeopardize the internal network.

   As a result, most enterprises restrict access to a pre-defined set of
   resources for external users. Typically, enterprises employ a
   firewall to restrict access to internal resources and place
   externally accessible servers in the DeMilitarized Zone (DMZ), in
   front of the firewall, as described below in Figure 1.

                        ----------------
                       (                )
                      (                  )
                     (      Internet      )
                      (                  )
                       (_______________ )

                       WAN  |
                 .........|\|....
                          |
                +-----------------+
                |Enterprise Router|
                +-----------------+
                    |
                    |   DMZ - Network
               ---------------------------------
                |            |                |
               +--+         +--+         +----------+
               |__|         |__|         | Firewall |
              /____\       /____\        +----------+
              DMZ-Name     DMZ-Web  ...    |
              Server       Server          |
                                           |
                                ------------------
                               (                  )
                              (  Internal Network  )
                             (   (private to the    )
                              (   enterprise)      )
                               (_________________ )

         Figure 1: Security model of an Enterprise using Firewall

   Network Access Servers used to allow direct dial-in access (through
   the PSTN) to employees are placed within the private enterprise
   network so as to avoid access restrictions imposed by a firewall.

   With the above model, private resources of an enterprise are
   restricted from access over the Internet. The firewall may be
   configured to occasionally permit access to a certain resource or
   service, but this is not recommended on an operational basis, as it
   could constitute a security threat to the enterprise. It is of
   interest to note that even when the firewall is configured to permit
   access to internal resources from pre-defined external node(s), many
   internal servers, such as NFS, enforce address-based authentication
   and do not cooperate when the IP address of the external node is not
   in the corporate IP address domain. In other words, with the above
   security model, it becomes very difficult to allow employees to
   access corporate resources via the Internet, even if you are willing
   to forego security over the Internet.

   With the advent of IPsec, it is possible to secure corporate data
   across the Internet by employing a Security Gateway within the
   enterprise. The firewall may be configured to allow IKE and IPsec
   packets directed to a specific Security Gateway behind the firewall.
   It then becomes the responsibility of the Security Gateway to apply
   the right access list to external connections seeking entry into the
   enterprise. Essentially, the access control functionality for
   IPsec-secured packets is shifted to the Security Gateway (while the
   access control for clear packets is retained by the firewall). The
   following figure illustrates the model where a combination of
   Firewall and Security Gateway control access to internal resources.
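   The split in access control just described, as an added Python
   example that is not part of the RFC: clear packets are policed by
   the firewall, and IPsec-protected packets are policed by the Security
   Gateway once it has decapsulated them. The topology, addresses, DMZ
   services and access list are constructed for the example, and
   packets are represented as simple records rather than real traffic.
   The firewall passes IKE (UDP/500) and ESP/AH (IP protocols 50/51)
   only when they are addressed to the gateway and admits clear traffic
   only to published DMZ services; the gateway then checks that the
   inner packet carries a source address it assigned and matches its
   own access list.

```python
"""Two-stage access control: a stateless firewall in front of the DMZ and
a Security Gateway (SG) access list applied after IPsec decapsulation.
Added example; the topology, addresses and services are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IKE_UDP_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0      # meaningful for TCP/UDP only


# Constructed enterprise topology (cf. Figure 1)
DMZ_SERVICES = {
    ("192.0.2.10", IPPROTO_TCP, 80),    # DMZ web server
    ("192.0.2.10", IPPROTO_TCP, 443),
    ("192.0.2.11", IPPROTO_UDP, 53),    # DMZ name server
}
SECURITY_GATEWAY = "192.0.2.20"
INTERNAL_NET = ip_network("10.0.0.0/8")
REMOTE_USER_POOL = ip_network("10.250.0.0/16")   # inner addresses the SG assigns
# (source net, destination net, protocol, port) tuples the SG lets in
SG_ACCESS_LIST = [
    (REMOTE_USER_POOL, ip_network("10.1.0.0/16"), IPPROTO_TCP, 22),
    (REMOTE_USER_POOL, ip_network("10.1.0.0/16"), IPPROTO_TCP, 2049),  # NFS
]


def firewall_decision(p: Packet) -> str:
    """Policy for a packet arriving from the Internet, as seen in the clear."""
    if p.dst == SECURITY_GATEWAY:
        # Only IKE and IPsec may reach the gateway; the gateway decides the rest.
        is_ike = p.proto == IPPROTO_UDP and p.dport == IKE_UDP_PORT
        if is_ike or p.proto in (IPPROTO_ESP, IPPROTO_AH):
            return "pass-to-sg"
        return "drop"
    if (p.dst, p.proto, p.dport) in DMZ_SERVICES:
        return "pass-to-dmz"
    # Clear packets towards the private network (or anything else) are refused.
    return "drop"


def security_gateway_decision(inner: Packet) -> str:
    """Access list the SG applies to a packet it has just decapsulated."""
    src, dst = ip_address(inner.src), ip_address(inner.dst)
    if src not in REMOTE_USER_POOL:
        return "drop"       # inner source must be an address the SG assigned
    if dst not in INTERNAL_NET:
        return "drop"
    for src_net, dst_net, proto, port in SG_ACCESS_LIST:
        if src in src_net and dst in dst_net and (inner.proto, inner.dport) == (proto, port):
            return "accept"
    return "drop"


def run_samples() -> dict:
    """Constructed packets and the decision each stage makes on them."""
    ext = "198.51.100.7"   # constructed Internet-side address
    return {
        "web-to-dmz": firewall_decision(Packet(ext, "192.0.2.10", IPPROTO_TCP, 80)),
        "ike-to-sg": firewall_decision(Packet(ext, SECURITY_GATEWAY, IPPROTO_UDP, 500)),
        "esp-to-sg": firewall_decision(Packet(ext, SECURITY_GATEWAY, IPPROTO_ESP)),
        "ssh-to-sg": firewall_decision(Packet(ext, SECURITY_GATEWAY, IPPROTO_TCP, 22)),
        "clear-to-internal": firewall_decision(Packet(ext, "10.1.0.5", IPPROTO_TCP, 22)),
        "inner-ssh": security_gateway_decision(Packet("10.250.3.4", "10.1.0.5", IPPROTO_TCP, 22)),
        "inner-spoofed-src": security_gateway_decision(Packet("10.9.9.9", "10.1.0.5", IPPROTO_TCP, 22)),
        "inner-unlisted": security_gateway_decision(Packet("10.250.3.4", "10.2.0.5", IPPROTO_TCP, 22)),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print("%-18s %s" % (name, decision))
```

   The gateway's source check matters because the firewall never sees
   the inner addresses: without it, any peer that completes IKE with
   the gateway could present inner packets claiming a corporate source
   address to servers such as NFS that rely on address-based
   authentication.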

                        ------------
                       (            )
                      (              )
                     (    Internet    )
                      (              )
                       (___________ )

                       WAN  |
                 .........|\|....
                          |
                +-----------------+
                |Enterprise Router|
                +-----------------+
                    |
