Secure Remote Access with L2TP
RFC 2888

Document Type RFC - Informational (August 2000; No errata)
Was draft-srisuresh-secure-ra (individual)
Last updated 2013-03-02
Stream Legacy
Formats plain text html pdf htmlized bibtex
Stream Legacy state (None)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state RFC 2888 (Informational)
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                       P. Srisuresh
Request for Comments: 2888                         Campio Communications
Category: Informational                                      August 2000

                     Secure Remote Access with L2TP

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

Abstract

   L2TP protocol is a virtual extension of PPP across IP network
   infrastructure. L2TP makes possible for an access concentrator (LAC)
   to be near remote clients, while allowing PPP termination server
   (LNS) to be located in enterprise premises. L2TP allows an enterprise
   to retain control of RADIUS data base, which is used to control
   Authentication, Authorization and Accountability (AAA) of dial-in
   users. The objective of this document is to extend security
   characteristics of IPsec to remote access users, as they dial-in
   through the Internet. This is accomplished without creating new
   protocols and using the existing practices of Remote Access and
   IPsec. Specifically, the document proposes three new RADIUS
   parameters for use by the LNS node, acting as Secure Remote Access
   Server (SRAS) to mandate network level security between remote
   clients and the enterprise. The document also discusses limitations
   of the approach.

1. Introduction and Overview

   Now-a-days, it is common practice for employees to dial-in to their
   enterprise over the PSTN (Public Switched Telephone Network) and
   perform day-to-day operations just as they would if they were in
   corporate premises. This includes people who dial-in from their home
   and road warriors, who cannot be at the corporate premises. As the
   Internet has become ubiquitous, it is appealing to dial-in through
   the Internet to save on phone charges and save the dedicated voice
   lines from being clogged with data traffic.

Srisuresh                    Informational                      [Page 1]
RFC 2888             Secure Remote Access with L2TP          August 2000

   The document suggests an approach by which remote access over the
   Internet could become a reality. The approach is founded on the
   well-known techniques and protocols already in place. Remote Access
   extensions based on L2TP, when combined with the security offered by
   IPSec can make remote access over the Internet a reality. The
   approach does not require inventing new protocol(s).

   The trust model of remote access discussed in this document is viewed
   principally from the perspective of an enterprise into which remote
   access clients dial-in. A remote access client may or may not want to
   enforce end-to-end IPsec from his/her end to the enterprise.
   However, it is in the interest of the enterprise to mandate security
   of every packet that it accepts from the Internet into the
   enterprise.  Independently, remote users may also pursue end-to-end
   IPsec, if they choose to do so. That would be in addition to the
   security requirement imposed by the enterprise edge device.

   Section 2 has reference to the terminology used throughout the
   document. Also mentioned are the limited scope in which some of these
   terms may be used in this document. Section 3 has a brief description
   of what constitutes remote access. Section 4 describes what
   constitutes network security from an enterprise perspective.  Section
   5 describes the model of secure remote access as a viable solution to
   enterprises. The solution presented in section 5 has some
   limitations. These limitations are listed in section 6.  Section 7 is
   devoted to describing new RADIUS attributes that may be configured to
   turn a NAS device into Secure Remote Access Server.

2. Terminology and scope

   Definition of terms used in this document may be found in one of (a)
   L2TP Protocol document [Ref 1], (b) IP security Architecture document
   [Ref 5], or (c) Internet Key Exchange (IKE) document [Ref 8].

   Note, the terms Network Access Server (NAS) and  Remote Access
   Server(RAS) are used interchangeably throughout the document.  While
   PPP may be used to carry a variety of network layer packets, the
   focus of this document is limited to carrying IP datagrams only.

   "Secure Remote Access Server" (SRAS) defined in this document refers
   to a NAS that supports tunnel-mode IPsec with its remote clients.
   Specifically, LNS is the NAS that is referred. Further, involuntary
   tunneling is assumed for L2TP tunnel setup, in that remote clients
   initiating PPP session and the LAC that tunnels the PPP sessions are
   presumed to be distinct physical entities.

Srisuresh                    Informational                      [Page 2]
RFC 2888             Secure Remote Access with L2TP          August 2000
Show full document text