Re: I-D: Simple Configured Tunnel Setup Procedure
Hi,
On Fri, Nov 21, 2003 at 10:18:23PM +0200, Pekka Savola wrote:
> However, I would not want to discount L2TP as a solution. Could
> someone describe the infrastructure required a bit -- both at the
> user, router and the other parts?
OK, I'll give it a try.
The formal specs can be found in rfc2661, so I'll try to be very brief
here.
The pieces that form L2TP are:
- UDP packets (port 1701)
- PPP frames packed into those
- plus some control stuff to glue the bits together (session mgmt)
So what really happens "down there" is that you run a normal PPP session
with all possible protocol-CPs (IPCP, IPV6CP, IPXCP, ...) inside an IPv4
UDP data stream. The infrastructure in between, including NATs, just
needs to know how to handle UDP (so it should be possible to run multiple
L2TP sessions from behind the same NAT, but I haven't tested that one
yet).
On the client side, you (obviously) need an L2TP implementation. On Linux,
the l2tp engine uses the stock system pppd for the PPP option and protocol
negotiation. So as soon as you have a kernel that speaks IPv6 and a
pppd that can do IPV6CP and set up IPv6 on the link, you're done.
Most client operating systems these days come with an L2TP implementation,
and adding IPv6 to the underlying PPP implementation should be something
the vendors are doing anyway (to support direct PPP via POTS/ISDN, or
PPPoE, etc., with IPv6).
On the server side, there is an implementation of L2TP for Linux (the
same implementation that also does the client side). Allegedly it does
scale "well", but I have no idea how well.
A "standard" ISP would run the L2TP on his access servers that are
needed anyway to do end-customer dynamic DSL access (client side PPPoE
that ends up in L2TP packets). That access server would then do PPP
authentication versus some sort of AAA server, e.g. RADIUS, and the
RADIUS server sends down static IPv6 prefixes, or "allocate something
from the IPv6 pool <xyz>". For anonymous/unregistered access, you'd need
to do some sort of "everybody uses the same account" and make sure via
RADIUS configuration that they get different addresses each.
For the router vendor, what needs to be done to get this working is
(roughly, assuming basic IPv6 functionality is there):
- add IPv6 functionality to PPP
- implement some sort of RADIUS configuration management to get
IPv6 attributes
- implement IPv6 address pools for dynamic client assignments
all of which is needed for "PPP over ISDN/POTS with IPv6" anyway...
Conclusion: if, as an ISP (or a vendor of ISP hardware) you want to
support PPP over ISDN/POTS with IPv6 support, and at the same time you
want to support L2TP clients (DSL users), the required glue to get
IPv6 into L2TP should be very small.
The *overall* complexity of such a system is high, though. The benefit
is only "most of it is there anyway".
Gert Doering
-- NetMaster
--
Total number of prefixes smaller than registry allocations: 57386 (57785)
SpaceNet AG Mail: netmaster@Space.Net
Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0
80807 Muenchen Fax : +49-89-32356-299
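The message above describes L2TP as "UDP packets (port 1701), PPP frames packed into those, plus some control stuff". The following decoder, added here as an illustration and not code from the thread or from any L2TP implementation it mentions, walks the RFC 2661 header of a packet taken from the UDP payload, tells control messages from data messages, pulls the Message Type AVP out of a control message and the PPP protocol number (IPCP, IPV6CP, ...) out of a data message. The two sample packets (an SCCRQ and a data packet carrying an IPV6CP frame) are constructed inline; tunnel/session IDs in them are made up. Something of this shape is what a monitoring or firewall hook on port 1701 needs in order to see which PPP protocols actually flow inside a tunnel.

```python
"""Minimal L2TPv2 (RFC 2661) decoder: header, control AVPs, PPP protocol."""
import struct

L2TP_PORT = 1701  # UDP port L2TPv2 runs on

# Flag bits in the first 16-bit header word (RFC 2661 section 3.1).
T_BIT = 0x8000    # 1 = control message, 0 = data message
L_BIT = 0x4000    # Length field present
S_BIT = 0x0800    # Ns/Nr sequence fields present
O_BIT = 0x0200    # Offset Size field present
VER_MASK = 0x000F

CONTROL_MESSAGE_TYPES = {
    1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
    7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ", 11: "ICRP",
    12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI",
}

# PPP protocol numbers relevant to the IPv4/IPv6-over-PPP discussion.
PPP_PROTOCOLS = {
    0x0021: "IPv4", 0x0057: "IPv6", 0x8021: "IPCP", 0x8057: "IPV6CP",
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
}


def _field(payload, pos, fmt):
    """Unpack fmt at pos with an explicit bounds check (no struct.error)."""
    size = struct.calcsize(fmt)
    if pos + size > len(payload):
        raise ValueError("truncated L2TP header")
    return struct.unpack(fmt, payload[pos:pos + size]), pos + size


def control_message_type(body):
    """Walk the AVP list of a control message and name its Message Type."""
    pos = 0
    while pos + 6 <= len(body):
        (hdr, vendor, attr), _ = _field(body, pos, "!HHH")
        avp_len = hdr & 0x03FF          # low 10 bits: total AVP length
        if avp_len < 6 or pos + avp_len > len(body):
            raise ValueError("malformed AVP")
        if vendor == 0 and attr == 0 and avp_len == 8:   # Message Type AVP
            mtype = struct.unpack("!H", body[pos + 6:pos + 8])[0]
            return CONTROL_MESSAGE_TYPES.get(mtype, f"unknown({mtype})")
        pos += avp_len
    return "ZLB" if not body else "no-message-type"   # ZLB = empty ack


def ppp_protocol(frame):
    """Name the PPP protocol of a frame carried in an L2TP data message."""
    if frame[:2] == b"\xff\x03":        # optional HDLC address/control
        frame = frame[2:]
    if not frame:
        return None
    if frame[0] & 0x01:                 # PFC: one-byte protocol field
        proto = frame[0]
    else:
        (proto,), _ = _field(frame, 0, "!H")
    return PPP_PROTOCOLS.get(proto, f"0x{proto:04x}")


def parse_l2tp(payload):
    """Decode one L2TP packet (the UDP payload) into a summary dict."""
    (flags,), pos = _field(payload, 0, "!H")
    if flags & VER_MASK != 2:
        raise ValueError(f"unsupported L2TP version {flags & VER_MASK}")
    is_control = bool(flags & T_BIT)
    length = None
    if flags & L_BIT:
        (length,), pos = _field(payload, pos, "!H")
    (tunnel_id, session_id), pos = _field(payload, pos, "!HH")
    ns = nr = None
    if flags & S_BIT:
        (ns, nr), pos = _field(payload, pos, "!HH")
    if flags & O_BIT:
        (offset,), pos = _field(payload, pos, "!H")
        pos += offset                    # skip the offset padding
    # RFC 2661: control messages must carry L and S, and never O.
    if is_control and (not (flags & L_BIT) or not (flags & S_BIT) or flags & O_BIT):
        raise ValueError("control message header violates RFC 2661")
    end = len(payload) if length is None else length
    if end > len(payload) or pos > end:
        raise ValueError("Length field inconsistent with packet")
    body = payload[pos:end]
    info = {"control": is_control, "tunnel_id": tunnel_id,
            "session_id": session_id, "ns": ns, "nr": nr}
    if is_control:
        info["message_type"] = control_message_type(body)
    else:
        info["ppp_protocol"] = ppp_protocol(body)
    return info


def avp(attr, value, mandatory=True):
    """Build one IETF (vendor 0) AVP."""
    hdr = (0x8000 if mandatory else 0) | (6 + len(value))
    return struct.pack("!HHH", hdr, 0, attr) + value


def build_control(tunnel_id, session_id, ns, nr, avps):
    """Build a control message (T, L, S set) with the given AVPs."""
    body = b"".join(avps)
    flags = T_BIT | L_BIT | S_BIT | 2
    return struct.pack("!HHHHHH", flags, 12 + len(body),
                       tunnel_id, session_id, ns, nr) + body


# Constructed samples (not captured traffic): an SCCRQ opening a tunnel,
# and a data message on tunnel 7 / session 9 carrying an IPV6CP
# Configure-Request (code 1, id 1, length 4).
SAMPLE_SCCRQ = build_control(0, 0, 0, 0, [
    avp(0, struct.pack("!H", 1)),        # Message Type = SCCRQ
    avp(2, b"\x01\x00"),                 # Protocol Version 1.0
])
SAMPLE_DATA = (struct.pack("!HHH", 2, 7, 9)
               + b"\xff\x03\x80\x57" + b"\x01\x01\x00\x04")


def demo():
    return parse_l2tp(SAMPLE_SCCRQ), parse_l2tp(SAMPLE_DATA)


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

The decoder only looks at the L2TPv2 framing; it does not follow PPP negotiation state, so the IPV6CP frame above is recognised by its protocol number, not validated. The RFC 2661 consistency checks on the T/L/S/O bits are where malformed or non-L2TP traffic on port 1701 gets rejected rather than mis-decoded.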