RFC 2888 (rfc2888) - Page 2 of 19


Secure Remote Access with L2TP



Alternative Format: Original Text Document



RFC 2888             Secure Remote Access with L2TP          August 2000


   The document suggests an approach by which remote access over the
   Internet could become a reality. The approach is founded on the
   well-known techniques and protocols already in place. Remote Access
   extensions based on L2TP, when combined with the security offered by
   IPSec can make remote access over the Internet a reality. The
   approach does not require inventing new protocol(s).

   The trust model of remote access discussed in this document is viewed
   principally from the perspective of an enterprise into which remote
   access clients dial-in. A remote access client may or may not want to
   enforce end-to-end IPsec from his/her end to the enterprise.
   However, it is in the interest of the enterprise to mandate security
   of every packet that it accepts from the Internet into the
   enterprise.  Independently, remote users may also pursue end-to-end
   IPsec, if they choose to do so. That would be in addition to the
   security requirement imposed by the enterprise edge device.

   Section 2 has reference to the terminology used throughout the
   document. Also mentioned are the limited scope in which some of these
   terms may be used in this document. Section 3 has a brief description
   of what constitutes remote access. Section 4 describes what
   constitutes network security from an enterprise perspective.  Section
   5 describes the model of secure remote access as a viable solution to
   enterprises. The solution presented in section 5 has some
   limitations. These limitations are listed in section 6.  Section 7 is
   devoted to describing new RADIUS attributes that may be configured to
   turn a NAS device into Secure Remote Access Server.

2. Terminology and scope

   Definition of terms used in this document may be found in one of (a)
   L2TP Protocol document [Ref 1], (b) IP security Architecture document
   [Ref 5], or (c) Internet Key Exchange (IKE) document [Ref 8].

   Note, the terms Network Access Server (NAS) and  Remote Access
   Server(RAS) are used interchangeably throughout the document.  While
   PPP may be used to carry a variety of network layer packets, the
   focus of this document is limited to carrying IP datagrams only.

   "Secure Remote Access Server" (SRAS) defined in this document refers
   to a NAS that supports tunnel-mode IPsec with its remote clients.
   Specifically, LNS is the NAS that is referred. Further, involuntary
   tunneling is assumed for L2TP tunnel setup, in that remote clients
   initiating PPP session and the LAC that tunnels the PPP sessions are
   presumed to be distinct physical entities.






Srisuresh                    Informational