RFC 3193 (rfc3193) - Page 2 of 28
Securing L2TP using IPsec
Alternative Format: Original Text Document
RFC 3193 Securing L2TP using IPsec November 2001
Table of Contents
1. Introduction .................................................. 2
1.1 Terminology .................................................. 3
1.2 Requirements language ........................................ 3
2. L2TP security requirements ................................... 4
2.1 L2TP security protocol ....................................... 5
2.2 Stateless compression and encryption ......................... 5
3. L2TP/IPsec inter-operability guidelines ....................... 6
3.1. L2TP tunnel and Phase 1 and 2 SA teardown ................... 6
3.2. Fragmentation Issues ........................................ 6
3.3. Per-packet security checks .................................. 7
4. IPsec Filtering details when protecting L2TP .................. 7
4.1. IKE Phase 1 Negotiations .................................... 8
4.2. IKE Phase 2 Negotiations .................................... 8
5. Security Considerations ....................................... 15
5.1 Authentication issues ........................................ 15
5.2 IPsec and PPP interactions ................................... 18
6. References .................................................... 21
Acknowledgments .................................................. 22
Authors' Addresses ............................................... 23
Appendix A: Example IPsec Filter sets ............................ 24
Intellectual Property Statement .................................. 27
Full Copyright Statement ......................................... 28
1. Introduction
L2TP [1] is a protocol that tunnels PPP traffic over variety of
networks (e.g., IP, SONET, ATM). Since the protocol encapsulates
PPP, L2TP inherits PPP authentication, as well as the PPP Encryption
Control Protocol (ECP) (described in [10]), and the Compression
Control Protocol (CCP) (described in [9]). L2TP also includes
support for tunnel authentication, which can be used to mutually
authenticate the tunnel endpoints. However, L2TP does not define
tunnel protection mechanisms.
IPsec is a protocol suite which is used to secure communication at
the network layer between two peers. This protocol is comprised of
IP Security Architecture document [6], IKE, described in [7], IPsec
AH, described in [3] and IPsec ESP, described in [4]. IKE is the key
management protocol while AH and ESP are used to protect IP traffic.
This document proposes use of the IPsec protocol suite for protecting
L2TP traffic over IP networks, and discusses how IPsec and L2TP
should be used together. This document does not attempt to
Patel, et al. Standards Track