The Layer 2 Tunneling Protocol
Step 7 At this point, the connection is a point-to-point PPP session whose endpoints are the remote user's networking application on one end and the PPP support of the LNS, where the tunnel terminates, on the other. Because the remote user has become simply another dial-up client of the LNS, client connectivity can now be managed using traditional mechanisms with respect to further authorization, protocol access, and packet filtering.
Using VPDN Technologies
Although L2TP is the protocol on the standards track, L2F and PPTP implementations will remain available from a variety of vendors. All three technologies offer similar functionality, but L2TP will probably attract the broadest vendor support because it is the standard. When considering whether to deploy any Virtual Private Dial-up Network (VPDN) technology in a corporate network, compare the standard Internet access service with the virtual dial-up service: the two differ significantly with respect to authentication, authorization, address allocation, and accounting.
The details of these differences and the problems they present are described in the following sections. The mechanisms used for the virtual dial-up service are intended to coexist with the more traditional mechanisms; an ISP's POP should be able to service ISP clients and virtual dial-up clients at the same time.
Authentication
In a traditional dial-up scenario, an ISP using a NAS in conjunction with a security server follows an authentication process by challenging the remote user for both a username and password. If the remote user passes this phase, the authorization phase can begin.
For the virtual dial-up service, the ISP pursues authentication only to the extent required to discover the user's apparent identity (and, by implication, the desired corporate gateway). The ISP does not verify the password at this point; instead, it forwards the authentication information it has gathered to the corporate gateway. The corporate gateway completes the authentication by either accepting or rejecting the connection (for example, a PAP request in which the username or password is found to be incorrect is rejected). After the connection is accepted, the corporate gateway can pursue another phase of authentication at the PPP layer. These additional authentication activities are outside the scope of the specification but can include proprietary PPP extensions or textual challenges carried within a TCP/IP Telnet session.
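As an added example (not from the original text or from any vendor's implementation), the following Python program simulates the two-stage authentication just described. The ISP-side NAS derives the apparent identity from the domain part of the PPP username, selects the corporate gateway from a constructed mapping table, and forwards the PPP authentication transcript (for CHAP, the challenge, identifier and response; for PAP, the username and cleartext password) to the corporate gateway, which completes the check against its own user database. In L2TP these forwarded values travel in the Proxy Authen AVPs of the ICCN message; the gateway names, user names and secrets here are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ISP-side table: username domain -> corporate gateway (tunnel endpoint).
# In a real deployment this comes from the ISP's security server; assumed here.
TUNNEL_ENDPOINTS = {"example.corp": "lns.example.corp"}

# Constructed corporate user database held by the corporate gateway (LNS).
# The ISP never holds these secrets.
CORP_USERS = {"alice@example.corp": b"correct-horse-battery"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """PPP CHAP (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class ProxyAuth:
    """What the ISP forwards to the corporate gateway (cf. L2TP Proxy Authen AVPs)."""
    auth_type: str            # "chap" or "pap"
    username: str
    chap_id: int = 0
    challenge: bytes = b""
    response: bytes = b""     # CHAP response, or the cleartext password for PAP


def lac_select_gateway(username: str) -> Optional[str]:
    """ISP side: discover the apparent identity only. No password is verified here.
    Returns None for an ordinary ISP client (no corporate domain in the name)."""
    if "@" not in username:
        return None
    domain = username.rsplit("@", 1)[1].lower()
    return TUNNEL_ENDPOINTS.get(domain)


def lns_complete_auth(proxy: ProxyAuth) -> bool:
    """Corporate gateway: accept or reject using its own user database."""
    secret = CORP_USERS.get(proxy.username)
    if secret is None:
        return False                      # unknown user: reject
    if proxy.auth_type == "pap":
        # PAP: the ISP has seen and forwarded the cleartext password.
        return hmac.compare_digest(secret, proxy.response)
    if proxy.auth_type == "chap":
        expected = chap_response(proxy.chap_id, secret, proxy.challenge)
        return hmac.compare_digest(expected, proxy.response)
    return False                          # unsupported authentication type


def dial_in(username: str, client_secret: bytes, auth_type: str = "chap",
            challenge: Optional[bytes] = None) -> Tuple[str, bool]:
    """Run the whole flow. Returns (where the call terminated, accepted?)."""
    gateway = lac_select_gateway(username)
    if gateway is None:
        return ("isp-local", False)       # not virtual dial-up; the ISP handles it itself
    if auth_type == "chap":
        challenge = challenge or os.urandom(16)   # issued by the NAS at the ISP
        chap_id = 1
        response = chap_response(chap_id, client_secret, challenge)  # computed by the client
        proxy = ProxyAuth("chap", username, chap_id, challenge, response)
    else:
        proxy = ProxyAuth("pap", username, response=client_secret)
    # The ISP forwards the transcript through the tunnel; the corporate gateway decides.
    return (gateway, lns_complete_auth(proxy))


if __name__ == "__main__":
    print(dial_in("alice@example.corp", b"correct-horse-battery"))         # ('lns.example.corp', True)
    print(dial_in("alice@example.corp", b"wrong"))                         # ('lns.example.corp', False)
    print(dial_in("alice@example.corp", b"correct-horse-battery", "pap"))  # ('lns.example.corp', True)
    print(dial_in("bob", b"anything"))                                     # ('isp-local', False)
```

Note the difference between the two PPP methods as they cross the ISP: with CHAP the ISP relays only a challenge and a hash, so the user's secret never leaves the corporation's database and the client; with PAP the password itself passes through the ISP's NAS in the clear, which is one reason the corporate gateway may want a further authentication phase of its own.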
Note For each L2TP tunnel established, L2TP tunnel security generates a unique random challenge value to resist spoofing attacks; the response to that challenge proves knowledge of a secret shared by the NAS and the corporate gateway. Within the L2TP tunnel, each multiplexed session maintains a sequence number to detect and discard duplicated packets. These sequence numbers are not cryptographically protected, so they catch accidental duplication but do not by themselves stop an attacker who can observe the tunnel and inject packets; see "Additional Considerations" later in this section.
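The tunnel-level mechanisms the note refers to, shown as an added Python example (not from the original text or from any L2TP implementation): the SCCRQ/SCCRP/SCCCN tunnel establishment with the CHAP-style challenge/response defined in RFC 2661 section 5.1.1 (the response is the MD5 hash of the control message type as a single octet, the shared secret and the peer's challenge), and a receiver that uses the control-channel sequence number (Ns on the sender, Nr on the receiver) to drop duplicates. The last function shows the caveat from the note: an attacker who can observe the tunnel can forge a message carrying the next expected sequence number, because nothing in L2TP itself authenticates individual packets. The secrets and challenges are constructed values, and the sequence-number arithmetic ignores the 16-bit wrap-around of the real protocol.

```python
import hashlib
import hmac
import os
from typing import Callable, List

# L2TP control message types used in tunnel establishment (RFC 2661, section 6)
SCCRQ, SCCRP, SCCCN = 1, 2, 3


def tunnel_response(msg_type: int, shared_secret: bytes, challenge: bytes) -> bytes:
    """Challenge Response AVP value (RFC 2661, section 5.1.1):
    MD5(message type as one octet || shared secret || challenge)."""
    return hashlib.md5(bytes([msg_type]) + shared_secret + challenge).digest()


def establish_tunnel(lac_secret: bytes, lns_secret: bytes,
                     rng: Callable[[int], bytes] = os.urandom) -> bool:
    """Mutual tunnel authentication. Both sides are simulated in one function;
    returns True only if each side proves knowledge of the same shared secret.
    Only challenges and hashes cross the wire, never the secret itself."""
    # LAC -> LNS: SCCRQ carrying a fresh random challenge c1
    c1 = rng(16)
    # LNS -> LAC: SCCRP carrying the answer to c1 plus the LNS's own challenge c2
    lns_answer = tunnel_response(SCCRP, lns_secret, c1)
    c2 = rng(16)
    # The LAC checks the LNS's answer before going any further
    if not hmac.compare_digest(lns_answer, tunnel_response(SCCRP, lac_secret, c1)):
        return False                          # LAC would send StopCCN instead of SCCCN
    # LAC -> LNS: SCCCN answering c2; the LNS checks it and the tunnel comes up
    lac_answer = tunnel_response(SCCCN, lac_secret, c2)
    return hmac.compare_digest(lac_answer, tunnel_response(SCCCN, lns_secret, c2))


class ControlReceiver:
    """Receive side of the control channel: nr is the next sequence number expected.
    Real L2TP uses 16-bit modulo arithmetic; this simulation ignores wrap-around."""

    def __init__(self) -> None:
        self.nr = 0

    def receive(self, ns: int) -> str:
        if ns == self.nr:
            self.nr += 1
            return "accepted"
        if ns < self.nr:
            return "duplicate-dropped"         # already delivered: a retransmission
        return "out-of-order-dropped"          # gap: wait for the sender to retransmit


def sequence_demo() -> List[str]:
    """Legitimate traffic with one retransmitted message, then an injected message.
    The injected message is accepted because it carries the expected Ns and nothing
    cryptographic binds the sequence number to the genuine sender."""
    rx = ControlReceiver()
    results = [rx.receive(0), rx.receive(0), rx.receive(1)]   # second 0 is a duplicate
    forged_ns = rx.nr                                        # attacker has watched Ns so far
    results.append(rx.receive(forged_ns))                    # forged packet goes through
    return results


if __name__ == "__main__":
    print(establish_tunnel(b"tunnel-secret", b"tunnel-secret"))   # True
    print(establish_tunnel(b"tunnel-secret", b"guess"))           # False
    print(sequence_demo())
    # ['accepted', 'duplicate-dropped', 'accepted', 'accepted']
```

The tunnel authentication establishes that the peer at the far end of the tunnel knows the shared secret at setup time; it says nothing about who sent any later packet. That is why the duplicate check and the forged packet in the demo are independent of the secret, and why per-packet protection has to come from IPsec, as the "Additional Considerations" section explains.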
Authorization
When providing a traditional dial-up service, the ISP is required to maintain per-user profiles that define the authorization. A security server can then interact with the NAS to apply policy to each connecting user based on that user's authentication. These policy statements can range from simple source/destination filters for a handful of sites to complex rules that specify permitted applications, time-of-day access, and a long list of permitted or denied destinations. This process can become burdensome to the ISP, especially if it is providing access to remote users on behalf of corporations that require constant changes to this policy.
In the virtual dial-up service, the burden of providing detailed authorization based on policy statements is given directly to the remote user's corporation. Because there is end-to-end connectivity between remote users and the corporate gateway, all authorization can be performed as if the remote users had dialed directly into the corporate location. This setup frees the ISP from having to maintain a large database of individual user profiles for many different corporations. More importantly, the virtual dial-up service is more secure for the corporations using it because they can react quickly to changes in their remote user community (revoking the access of a user who has left, for instance) without waiting for the ISP to update its profiles.
Addressing
For a traditional Internet service, the user accepts that the IP address may be allocated dynamically from a pool of service provider addresses. This model often means that remote users have little or no access to their corporate network's resources, because firewalls and security policies deny access to the corporate network from external IP addresses.
For the virtual dial-up service, the corporate gateway can sit behind the corporate firewall and allocate addresses that are internal (and that can, in fact, be private addresses in the RFC 1597 ranges, now defined by RFC 1918, or even non-IP addresses). Because L2TP tunnels operate exclusively at the frame layer, the actual policies of such address management are irrelevant to correct virtual dial-up service; for all purposes of PPP protocol handling, the dial-in user appears to have connected at the corporate gateway.
Accounting
Both the NAS and the corporate gateway can be required to provide accounting data; each may count packets and octets and record connection start and stop times.
Because virtual dial-up is an access service, accounting of connection attempts (in particular, failed connection attempts) is of significant interest. The corporate gateway can reject new connections based on the authentication information gathered by the ISP, with corresponding logging. Where the corporate gateway accepts the connection and then continues with further authentication, it can subsequently disconnect the client. In such cases, the disconnection indication sent back to the ISP can also include the reason for the disconnect.
Because the corporate gateway can decline a connection based on the authentication information collected by the ISP, accounting can easily draw a distinction between a series of failed connection attempts and a series of brief successful connections. Lacking this facility, the corporate gateway would have to accept every connection request and exchange numerous PPP packets with the remote system before it could reject it.
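As an added example (not from the original text or from any product), the following Python code draws the distinction described above from accounting records. The record format is constructed for the example: one line per connection attempt, carrying the outcome reported back by the corporate gateway, either "rejected" at the forwarded-authentication stage or "accepted" together with the session duration and the disconnect cause the gateway returned. The thresholds are assumptions that a site would tune.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed accounting records, one per connection attempt (not a real vendor format).
SAMPLE_RECORDS = """\
2001-03-01T09:00:01 user=alice@example.corp outcome=accepted duration=3600 cause=user-request
2001-03-01T09:05:10 user=mallory@example.corp outcome=rejected cause=auth-failed
2001-03-01T09:05:14 user=mallory@example.corp outcome=rejected cause=auth-failed
2001-03-01T09:05:19 user=mallory@example.corp outcome=rejected cause=auth-failed
2001-03-01T09:05:25 user=mallory@example.corp outcome=rejected cause=auth-failed
2001-03-01T09:10:00 user=carol@example.corp outcome=accepted duration=4 cause=lns-disconnect
2001-03-01T09:10:09 user=carol@example.corp outcome=accepted duration=5 cause=lns-disconnect
2001-03-01T09:10:20 user=carol@example.corp outcome=accepted duration=3 cause=lns-disconnect
2001-03-01T09:30:00 user=dave@example.corp outcome=accepted duration=7 cause=user-request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) outcome=(?P<outcome>accepted|rejected)"
    r"(?: duration=(?P<duration>\d+))? cause=(?P<cause>\S+)$")

# Assumed thresholds; tune per site.
FAILED_ATTEMPTS_ALERT = 3      # rejections before flagging credential guessing
BRIEF_SESSION_SECONDS = 30     # an accepted session shorter than this is "brief"
BRIEF_SESSIONS_ALERT = 3       # brief gateway-initiated disconnects before flagging


def parse_records(text: str) -> List[dict]:
    """Parse the constructed format; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["duration"] = int(rec["duration"]) if rec["duration"] is not None else None
        records.append(rec)
    return records


def classify(records: List[dict]) -> Dict[str, str]:
    """Per user: 'rejected-attempts' (never got past the forwarded authentication),
    'brief-sessions' (accepted, then disconnected by the gateway within seconds,
    i.e. failing the gateway's second authentication phase), or 'normal'."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    verdict = {}
    for user, recs in by_user.items():
        rejected = sum(1 for r in recs if r["outcome"] == "rejected")
        brief = sum(1 for r in recs
                    if r["outcome"] == "accepted"
                    and r["duration"] is not None
                    and r["duration"] < BRIEF_SESSION_SECONDS
                    and r["cause"] == "lns-disconnect")
        if rejected >= FAILED_ATTEMPTS_ALERT:
            verdict[user] = "rejected-attempts"
        elif brief >= BRIEF_SESSIONS_ALERT:
            verdict[user] = "brief-sessions"
        else:
            verdict[user] = "normal"
    return verdict


if __name__ == "__main__":
    for user, v in classify(parse_records(SAMPLE_RECORDS)).items():
        print(f"{user}: {v}")
```

The two alert classes mean different things to an analyst: repeated rejections point at credential guessing or a stale password at the ISP's edge, while repeated brief sessions cut by the gateway point at a user who passes the forwarded check but fails the gateway's own second phase. Both depend on the corporate gateway returning a disconnect cause to the ISP, as the text above describes; a short session ended at the user's request (dave in the sample) is deliberately left out of the second class.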
Advantages of Using VPDNs
Table 2-2 shows the advantages of a virtual dial-up service.
Table 2-2: Advantages of VPDN Services

Feature: Multiprotocol support
Benefit: The ISP can provide multiprotocol services over an IP-only backbone, leveraging the facilities, management techniques, personnel, and training of the current infrastructure.

Feature: User authentication performed at remote user's corporation
Benefit: The ISP is not required to maintain a per-user authentication database and does not have to respond to organizational changes at the corporate location. Corporations are not required to "trust" the ISP's authentication procedures.

Feature: User authorization performed at remote user's corporation
Benefit: The ISP is not required to maintain per-user access lists. Firewall management is simplified, and corporations can enforce their own security policies.

Feature: Simultaneous support for local access
Benefit: The NAS can be used by the ISP for both standard Internet access and the virtual dial-up service, reducing cost, equipment, and infrastructure requirements.

Feature: Address allocation performed by remote user's corporation using end-to-end tunnels
Benefit: The ISP is not required to carry the corporation's address space within the ISP network. This minimizes the routing table carried by the ISP, improves scalability, and supports the corporate use of unregistered (private) addresses across the Internet and public networks.

Feature: Media independence
Benefit: The ISP can use any media (Frame Relay, ATM, point-to-point, X.25) in the backbone to support the virtual dial-up service.

Feature: Dynamic tunnel management
Benefit: Tunnels are initiated and torn down under L2TP control. This provides a scalable solution because tunnels exist only while user traffic is active, which minimizes the NAS resources required to maintain them.

Feature: Multiple remote user sessions multiplexed over a single L2TP tunnel
Benefit: This is a scalable solution because it minimizes the number of tunnels that must be open at a given time. PVC-based backbone infrastructures such as Frame Relay need only a single PVC between the NAS and the corporate gateway to carry multiple remote user sessions.

Feature: Tunnel security maintains a random challenge and sequence numbers
Benefit: Tunnel establishment involves a NAS (ISP)-to-corporate-gateway authentication exchange, based on a random challenge and a shared secret, to protect against an unauthorized peer setting up a tunnel. In addition, L2TP uses sequence numbers to detect duplicated packets; because the sequence numbers are not cryptographically protected, they do not by themselves stop an attacker who can inject packets into the tunnel.

Feature: No routing protocol dependencies
Benefit: Neither the ISP nor the corporate customer is required to manage the other's routing domain to provide access and services, freeing both to use whichever routing protocol suits them best.
Additional Considerations
With any of the VPDN technologies, PPP authentication is used to authenticate users or devices, and tunnel endpoints may periodically re-authenticate. However, none of them protects the individual packets (data or control) that traverse the established tunnel: the packets are neither encrypted nor integrity-protected, and the sequence numbers can be forged by anyone who can observe the tunnel. Work in progress at the time of writing proposes using IPsec transport mode to secure the VPDN tunnel traffic (this work was later published as RFC 3193, Securing L2TP using IPsec). In addition, for individual data packets traveling through the VPDN tunnel, security services including authentication, integrity, replay protection, and confidentiality can be provided by using IPsec in conjunction with L2F, PPTP, or L2TP.