rfc2888.txt

著名的RFC文档,其中有一些文档是已经翻译成中文的的.

Network Working Group                                       P. Srisuresh
Request for Comments: 2888                         Campio Communications
Category: Informational                                      August 2000


                     Secure Remote Access with L2TP

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   L2TP protocol is a virtual extension of PPP across IP network
   infrastructure. L2TP makes possible for an access concentrator (LAC)
   to be near remote clients, while allowing PPP termination server
   (LNS) to be located in enterprise premises. L2TP allows an enterprise
   to retain control of RADIUS data base, which is used to control
   Authentication, Authorization and Accountability (AAA) of dial-in
   users. The objective of this document is to extend security
   characteristics of IPsec to remote access users, as they dial-in
   through the Internet. This is accomplished without creating new
   protocols and using the existing practices of Remote Access and
   IPsec. Specifically, the document proposes three new RADIUS
   parameters for use by the LNS node, acting as Secure Remote Access
   Server (SRAS) to mandate network level security between remote
   clients and the enterprise. The document also discusses limitations
   of the approach.

1. Introduction and Overview

   Now-a-days, it is common practice for employees to dial-in to their
   enterprise over the PSTN (Public Switched Telephone Network) and
   perform day-to-day operations just as they would if they were in
   corporate premises. This includes people who dial-in from their home
   and road warriors, who cannot be at the corporate premises. As the
   Internet has become ubiquitous, it is appealing to dial-in through
   the Internet to save on phone charges and save the dedicated voice
   lines from being clogged with data traffic.






Srisuresh                    Informational                      [Page 1]

RFC 2888             Secure Remote Access with L2TP          August 2000


   The document suggests an approach by which remote access over the
   Internet could become a reality. The approach is founded on the
   well-known techniques and protocols already in place. Remote Access
   extensions based on L2TP, when combined with the security offered by
   IPSec can make remote access over the Internet a reality. The
   approach does not require inventing new protocol(s).

   The trust model of remote access discussed in this document is viewed
   principally from the perspective of an enterprise into which remote
   access clients dial-in. A remote access client may or may not want to
   enforce end-to-end IPsec from his/her end to the enterprise.
   However, it is in the interest of the enterprise to mandate security
   of every packet that it accepts from the Internet into the
   enterprise.  Independently, remote users may also pursue end-to-end
   IPsec, if they choose to do so. That would be in addition to the
   security requirement imposed by the enterprise edge device.

   Section 2 has reference to the terminology used throughout the
   document. Also mentioned are the limited scope in which some of these
   terms may be used in this document. Section 3 has a brief description
   of what constitutes remote access. Section 4 describes what
   constitutes network security from an enterprise perspective.  Section
   5 describes the model of secure remote access as a viable solution to
   enterprises. The solution presented in section 5 has some
   limitations. These limitations are listed in section 6.  Section 7 is
   devoted to describing new RADIUS attributes that may be configured to
   turn a NAS device into Secure Remote Access Server.

2. Terminology and scope

   Definition of terms used in this document may be found in one of (a)
   L2TP Protocol document [Ref 1], (b) IP security Architecture document
   [Ref 5], or (c) Internet Key Exchange (IKE) document [Ref 8].

   Note, the terms Network Access Server (NAS) and  Remote Access
   Server(RAS) are used interchangeably throughout the document.  While
   PPP may be used to carry a variety of network layer packets, the
   focus of this document is limited to carrying IP datagrams only.

   "Secure Remote Access Server" (SRAS) defined in this document refers
   to a NAS that supports tunnel-mode IPsec with its remote clients.
   Specifically, LNS is the NAS that is referred. Further, involuntary
   tunneling is assumed for L2TP tunnel setup, in that remote clients
   initiating PPP session and the LAC that tunnels the PPP sessions are
   presumed to be distinct physical entities.






Srisuresh                    Informational                      [Page 2]

RFC 2888             Secure Remote Access with L2TP          August 2000


   Lastly, there are a variety of transport mediums by which to tunnel
   PPP packets between a LAC and LNS. Examples include Frame Relay or
   ATM cloud and IP network infrastructure. For simplicity, the document
   assumes a public IP infrastructure as the medium to transport PPP
   packets between LAC and LNS. Security of IP packets (embedded within
   PPP) in a trusted private transport medium is less of a concern for
   the purposes of this document.

3. Remote Access operation

   Remote access is more than mere authentication of remote clients by a
   Network Access Server(NAS). Authentication, Authorization, Accounting
   and routing are integral to remote access. A client must first pass
   the authentication test before being granted link access to the
   network. Network level services (such as IP) are granted based on the
   authorization characteristics specified for the user in RADIUS.
   Network Access Servers use RADIUS to scale for large numbers of users
   supported. NAS also monitors the link status of the remote access
   clients.

   There are a variety of techniques by which remote access users are
   connected to their enterprise and the Internet. At a link level, the
   access techniques include ISDN digital lines, analog plain-old-
   telephone-service lines, xDSL lines, cable and wireless to name a
   few. PPP is the most common Layer-2 (L2)protocol used for carrying
   network layer packets over these remote access links. PPP may be used
   to carry a variety of network layer datagrams including IP, IPX and
   AppleTalk. The focus of this document is however limited to IP
   datagrams only.

   L2TP is a logical extension of PPP over an IP infrastructure. While a
   LAC provides termination of Layer 2 links,  LNS provides the logical
   termination of PPP. As a result, LNS becomes the focal point for (a)
   performing the AAA operations for the remote users, (b) assigning IP
   address and monitoring the logical link status (i.e., the status of
   LAC-to-LNS tunnel and the link between remote user and LAC), and (c)
   maintaining host-route to remote user network and providing routing
   infrastructure into the enterprise.

   L2TP uses control messages to establish, terminate and monitor the
   status of the logical PPP sessions (from remote user to LNS). These
   are independent of the data messages. L2TP data messages contain an
   L2TP header, followed by PPP packets. The L2TP header identifies the
   PPP session (amongst other things) to which the PPP packet belongs.
   The IP packets exchanged from/to the remote user are carried within
   the PPP packets.  The L2TP data messages, carrying end-to-end IP
   packets in an IP transport medium may be described as follows. The
   exact details of L2TP protocol may be found in [Ref 1].



Srisuresh                    Informational                      [Page 3]

RFC 2888             Secure Remote Access with L2TP          August 2000


      +----------------------+
      | IP Header            |
      | (LAC <->LNS)         |
      +----------------------+
      | UDP Header           |
      +----------------------+
      | L2TP Header          |
      | (incl. PPP Sess-ID)  |
      +----------------------+
      | PPP Header           |
      | (Remote User<->LNS)  |
      +----------------------+
      | End-to-end IP packet |
      | (to/from Remote User)|
      +----------------------+

4. Requirements of an enterprise Security Gateway

   Today's enterprises are aware of the various benefits of connecting
   to the Internet. Internet is a vast source of Information and a means
   to disseminate information and make available certain resources to
   the external world. However, enterprises are also aware that security
   breaches (by being connected to the Internet) can severely jeopardize
   internal network.

   As a result, most enterprises restrict access to a pre-defined set of
   resources for external users. Typically, enterprises employ a
   firewall to restrict access to internal resources and place
   externally accessible servers in the DeMilitarized Zone (DMZ), in
   front of the firewall, as described below in Figure 1.





















Srisuresh                    Informational                      [Page 4]

RFC 2888             Secure Remote Access with L2TP          August 2000


                        ----------------
                       (                )
                      (                  )
                     (      Internet      )
                      (                  )
                       (_______________ )

                       WAN  |
                 .........|\|....
                          |
                +-----------------+
                |Enterprise Router|
                +-----------------+
                    |
                    |   DMZ - Network
               ---------------------------------
                |            |                |
               +--+         +--+         +----------+
               |__|         |__|         | Firewall |
              /____\       /____\        +----------+
              DMZ-Name     DMZ-Web  ...    |
              Server       Server          |
                                           |
                                ------------------
                               (                  )
                              (  Internal Network  )
                             (   (private to the    )
                              (   enterprise)      )
                               (_________________ )

         Figure 1: Security model of an Enterprise using Firewall

   Network Access Servers used to allow direct dial-in access (through
   the PSTN) to employees are placed within the private enterprise
   network so as to avoid access restrictions imposed by a firewall.

   With the above model, private resources of an enterprise are
   restricted for access from the Internet. Firewall may be configured
   to occasionally permit access to a certain resource or service but is
   not recommended on an operational basis as that could constitute a
   security threat to the enterprise. It is of interest to note that
   even when the firewall is configured to permit access to internal
   resources from pre-defined external node(s), many internal servers,
   such as NFS, enforce address based authentication and do not co-
   operate when the IP address of the external node is not in corporate
   IP address domain. In other words, with the above security model, it





Srisuresh                    Informational                      [Page 5]

RFC 2888             Secure Remote Access with L2TP          August 2000


   becomes very difficult to allow employees to access corporate
   resources, via the Internet, even if you are willing to forego
   security over the Internet.

   With the advent of IPsec, it is possible to secure corporate data
   across the Internet by employing a Security Gateway within the
   enterprise. Firewall may be configured to allow IKE and IPsec packets
   directed to a specific  Security Gateway behind the firewall. It then
   becomes the responsibility of the Security Gateway to employ the
   right access list for external connections seeking entry into the
   enterprise. Essentially, the access control functionality for IPsec
   secure packets would be shifted to the Security Gateway (while the
   access control for clear packets is retained with the firewall). The
   following figure illustrates the model where a combination of
   Firewall and Security Gateway control access to internal resources.




































Srisuresh                    Informational                      [Page 6]

RFC 2888             Secure Remote Access with L2TP          August 2000


                        ------------
                       (            )
                      (              )
                     (    Internet    )
                      (              )
                       (___________ )

                       WAN  |
                 .........|\|....
                          |
                +-----------------+
                |Enterprise Router|
                +-----------------+
                    |