Securing L2TP using IPsec
RFC 3193
Document Type RFC - Proposed Standard (November 2001; No errata)
Authors Skip Booth  , Glen Zorn  , Baiju Patel  , Bernard Aboba  , William Dixon 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3193 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Email authors Email WG IPR 1 References Referenced by Nits 
Network Working Group                                           B. Patel
Request for Comments: 3193                                         Intel
Category: Standards Track                                       B. Aboba
                                                                W. Dixon
                                                               Microsoft
                                                                 G. Zorn
                                                                S. Booth
                                                           Cisco Systems
                                                           November 2001

                       Securing L2TP using IPsec

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This document discusses how L2TP (Layer Two Tunneling Protocol) may
   utilize IPsec to provide for tunnel authentication, privacy
   protection, integrity checking and replay protection. Both the
   voluntary and compulsory tunneling cases are discussed.

Patel, et al.               Standards Track                     [Page 1]
RFC 3193               Securing L2TP using IPsec           November 2001

Table of Contents

   1. Introduction ..................................................  2
   1.1 Terminology ..................................................  3
   1.2 Requirements language ........................................  3
   2. L2TP security requirements  ...................................  4
   2.1 L2TP security protocol .......................................  5
   2.2 Stateless compression and encryption .........................  5
   3. L2TP/IPsec inter-operability guidelines .......................  6
   3.1. L2TP tunnel and Phase 1 and 2 SA teardown ...................  6
   3.2. Fragmentation Issues ........................................  6
   3.3. Per-packet security checks ..................................  7
   4. IPsec Filtering details when protecting L2TP ..................  7
   4.1. IKE Phase 1 Negotiations ....................................  8
   4.2. IKE Phase 2 Negotiations ....................................  8
   5. Security Considerations ....................................... 15
   5.1 Authentication issues ........................................ 15
   5.2 IPsec and PPP interactions ................................... 18
   6. References .................................................... 21
   Acknowledgments .................................................. 22
   Authors' Addresses ............................................... 23
   Appendix A: Example IPsec Filter sets ............................ 24
   Intellectual Property Statement .................................. 27
   Full Copyright Statement ......................................... 28

1.  Introduction

   L2TP [1] is a protocol that tunnels PPP traffic over variety of
   networks (e.g., IP, SONET, ATM).  Since the protocol encapsulates
   PPP, L2TP inherits PPP authentication, as well as the PPP Encryption
   Control Protocol (ECP) (described in [10]), and the Compression
   Control Protocol (CCP) (described in [9]).  L2TP also includes
   support for tunnel authentication, which can be used to mutually
   authenticate the tunnel endpoints.  However, L2TP does not define
   tunnel protection mechanisms.

   IPsec is a protocol suite which is used to secure communication at
   the network layer between two peers.  This protocol is comprised of
   IP Security Architecture document [6], IKE, described in [7], IPsec
   AH, described in [3] and IPsec ESP, described in [4].  IKE is the key
   management protocol while AH and ESP are used to protect IP traffic.

   This document proposes use of the IPsec protocol suite for protecting
   L2TP traffic over IP networks, and discusses how IPsec and L2TP
   should be used together.  This document does not attempt to

Patel, et al.               Standards Track                     [Page 2]
RFC 3193               Securing L2TP using IPsec           November 2001

   standardize end-to-end security.  When end-to-end security is
   required, it is recommended that additional security mechanisms (such
   as IPsec or TLS [14]) be used inside the tunnel, in addition to L2TP
   tunnel security.

   Although L2TP does not mandate the use of IP/UDP for its transport
   mechanism, the scope of this document is limited to L2TP over IP
   networks.  The exact mechanisms for enabling security for non-IP
   networks must be addressed in appropriate standards for L2TP over
   specific non-IP networks.
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools