L2TP … IP SEC

LOGO
L2TP (Layer 2 tunneling protocol)

 DEFINITION:
 In computer networking, Layer 2 Tunneling Protocol
(L2TP) is a tunneling protocol used to support
virtual private networks (VPNs) or as part of the
delivery of services by ISPs. It does not provide any
encryption or confidentiality by itself. Rather, it relies
on an encryption protocol that it passes within the
tunnel to provide privacy.
 Layer Two Tunneling Protocol (L2TP) is an extension of
the Point-to-Point Tunneling Protocol (PPTP) used by an
Internet service provider (ISP) to enable the operation
of a virtual private network (VPN) over the Internet.
 Prepared by : ZEK
L2TP (Layer 2 tunneling protocol)
 History
 Published in 1999 as proposed standard RFC 2661, L2TP
has its origins primarily in two older tunneling
protocols for point-to-point communication: Cisco's
Layer 2 Forwarding Protocol (L2F) and Microsoft's
Point-to-Point Tunneling Protocol (PPTP).
A new version of this protocol, L2TPv3, appeared as
proposed standard RFC 3931 in 2005. L2TPv3 provides
additional security features, improved encapsulation,
and the ability to carry data links other than simply
Point-to-Point Protocol (PPP) over an IP network (for
example: Frame Relay, Ethernet, ATM, etc.).

 Prepared by : ZEK
L2TP (Layer 2 tunneling protocol)
 Description
 The entire L2TP packet, including payload and L2TP
header, is sent within a User Datagram Protocol
(UDP) datagram.
 It is common to carry PPP sessions within an L2TP
tunnel. L2TP does not provide confidentiality or
strong authentication by itself.
 IPsec is often used to secure L2TP packets by
providing confidentiality, authentication and
integrity. The combination of these two protocols is
generally known as L2TP/IPsec

 Prepared by : ZEK
L2TP (Layer 2 tunneling protocol)
 The two endpoints of an L2TP tunnel are called the LAC
(L2TP Access Concentrator) and the LNS (L2TP Network
Server).
 The L2TP LNS waits for new tunnels. Once a tunnel is
established, the network traffic between the peers is
bidirectional.
 To be useful for networking, higher-level protocols are
then run through the L2TP tunnel. To facilitate this, an
L2TP session (or 'call') is established within the tunnel
for each higher-level protocol such as PPP.
 Either the LAC or LNS may initiate sessions. The traffic
for each session is isolated by L2TP, so it is possible to
set up multiple virtual networks across a single tunnel.
MTU should be considered when implementing L2TP.
 Prepared by : ZEK
L2TP (Layer 2 tunneling protocol)
 The packets exchanged within an L2TP tunnel are
categorized as either control packets or data
packets. L2TP provides reliability features for the
control packets, but no reliability for data packets.
Reliability, if desired, must be provided by the nested
protocols running within each session of the L2TP
tunnel.
 L2TP allows the creation of a virtual private dialup
network (VPDN) to connect a remote client to its
corporate network by using a shared infrastructure,
which could be the Internet or a service provider's
network.

 Prepared by : ZEK
L2TP (Layer 2 tunneling protocol)

 Prepared by : ZEK
IP SEC

 Prepared by : ZEK
IP SEC (Internet Security)
 DIFINATIOON:
 In computing, Internet Protocol Security (IPsec) is a network
protocol suite that authenticates and encrypts the packets of
data sent over a network. IPsec includes protocols for
establishing mutual authentication between agents at the
beginning of the session and negotiation of cryptographic keys
for use during the session.
 IP-level security encompasses three functional areas:
authentication, confidentiality, and key management. The
authentication mechanism assures that a received packet was
transmitted by the party identified as the source in the packet
header, and that the packet has not been altered in transit. The
confidentiality facility enables communicating nodes to encrypt
messages to prevent eavesdropping by third parties. The key
management facility is concerned with the secure exchange of
keys. IPSec provides the capability to secure communications
across a LAN, across private and public WANs, and across the
Internet.
 Prepared by : ZEK
IP SEC (Internet Security)
 History
 In December 1993, the Software IP Encryption protocol swIPe
(protocol) was researched at Columbia University and
AT&T Bell Labs by John Ioannidis and others.
 In December 1994, it was deployed for the first time in
production for securing some remote sites between east and
west coastal states of the United States.
 In 1995, The IPsec working group in the IETF was started to
create an open freely available and vetted version of protocols
that had been developed under NSA contract in the
Secure Data Network System (SDNS) project.
 IPsec is officially standardised by the
Internet Engineering Task Force (IETF) in a series of
Request for Comments documents addressing various
components and extensions. It specifies the spelling of the
protocol name to be IPsec.
 Prepared by : ZEK
IP SEC (Internet Security)
 Security architecture:
 The IPsec suite is an open standard. IPsec uses the following protocols
to perform various functions:
 Authentication Headers (AH) provide connectionless data integrity and
data origin authentication for IP datagrams and provides protection
against replay attacks.
 Encapsulating Security Payloads (ESP) provide confidentiality, data-
origin authentication, connectionless integrity, an anti-replay service (a
form of partial sequence integrity), and limited traffic-flow
confidentiality.
 Security Associations (SA) provide the bundle of algorithms and data
that provide the parameters necessary for AH and/or ESP operations.
The Internet Security Association and Key Management Protocol
(ISAKMP) provides a framework for authentication and key exchange,
with actual authenticated keying material provided either by manual
configuration with pre-shared keys, Internet Key Exchange (IKE and
IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY
DNS records
 Prepared by : ZEK
IP SEC (Internet Security)

 IPSec provides security in three situations:

 Prapared by : ZEK
IP SEC (Internet Security)
Transport mode
 In transport mode, only the payload of the IP packet
is usually encrypted or authenticated. The routing is
intact, since the IP header is neither modified nor
encrypted; however, when the authentication header
is used, the IP addresses cannot be modified by
network address translation, as this always
invalidates the hash value. The transport and
application layers are always secured by a hash, so
they cannot be modified in any way, for example by
translating the port numbers.

 Prapared by : ZEK
IP SEC (Internet Security)
 Tunnel mode
 In tunnel mode, the entire IP packet is
encrypted and authenticated. It is then
encapsulated into a new IP packet with a
new IP header. Tunnel mode is used to create
virtual private networks for network-to-
network communications (e.g. between
routers to link sites), host-to-network
communications (e.g. remote user access) and
host-to-host communications (e.g. private
chat).
 Prapared by : ZEK
IP SEC (Internet Security)

 Prapared by : ZEK
IP SEC (Internet Security)

Original IP header TCP header DATA

Transport IP header Ipsec header TCP header DATA

Tunnel IP header Ipsec header ip header TCP

 Prapared by : ZEK
IP SEC (Internet Security)

 Prapared by : ZEK
Prapared by : Zekeria Muzafar
LOGO