Secure Remote Access with L2TP
RFC 2888 Secure Remote Access with L2TP August 2000
This document suggests an approach by which remote access over the
Internet could become a reality. The approach is founded on
well-known techniques and protocols that are already in place. Remote
access extensions based on L2TP, when combined with the security
offered by IPsec, can make remote access over the Internet a reality.
The approach does not require inventing any new protocol.
The trust model of remote access discussed in this document is viewed
principally from the perspective of an enterprise into which remote
access clients dial in. A remote access client may or may not want to
enforce end-to-end IPsec from his/her end to the enterprise.
However, it is in the interest of the enterprise to mandate security
for every packet that it accepts from the Internet into the
enterprise. Independently, remote users may also pursue end-to-end
IPsec, if they choose to do so. That would be in addition to the
security requirement imposed by the enterprise edge device.
Section 2 describes the terminology used throughout the document,
and notes the limited scope in which some of these terms are used
here. Section 3 gives a brief description of what constitutes remote
access. Section 4 describes what constitutes network security from
an enterprise perspective. Section 5 describes the model of secure
remote access as a viable solution for enterprises. The solution
presented in section 5 has some limitations, which are listed in
section 6. Section 7 is devoted to describing new RADIUS attributes
that may be configured to turn a NAS device into a Secure Remote
Access Server.
2. Terminology and scope
Definitions of the terms used in this document may be found in (a)
the L2TP protocol document [Ref 1], (b) the IP Security Architecture
document [Ref 5], or (c) the Internet Key Exchange (IKE) document
[Ref 8].
Note that the terms Network Access Server (NAS) and Remote Access
Server (RAS) are used interchangeably throughout the document. While
PPP may be used to carry a variety of network layer packets, the
focus of this document is limited to carrying IP datagrams only.
The "Secure Remote Access Server" (SRAS) defined in this document
refers to a NAS that supports tunnel-mode IPsec with its remote
clients. Specifically, the NAS referred to is the LNS. Further,
involuntary tunneling is assumed for L2TP tunnel setup: the remote
clients initiating PPP sessions and the LAC that tunnels those PPP
sessions are presumed to be distinct physical entities.
Srisuresh Informational