L2TPv3
... payload. After defining the MPLS
over L2TPv3 encapsulation procedure, other MPLS over IP encapsulation ...
... are discussed in context with MPLS over L2TPv3 in an Applicability
section. This document only describes encapsulation and does not
...
... concern itself with all possible MPLS-based applications that may be
enabled over L2TPv3.
...
... payload over an IP network, utilizing the L2TPv3 encapsulation
defined in [RFC3931]. The MPLS Label Stack ...
...
When encapsulating MPLS over L2TPv3, the L2TPv3 L2-Specific Sublayer
MAY be present. It is generally not present; hence, it is not
included in Figure 2.2. The L2TPv3 Session ID MUST be present. The
Cookie ...
... Cookie (see description below) is present, the value it was
assigned, the presence and type of an L2TPv3 L2-Specific Sublayer,
as well as what type of tunneled encapsulation follows (i.e.,
...
... Cookie must be
selected and exchanged between participating nodes before L2TPv3 can
operate. These values may be configured manually, or distributed via
a signaling protocol ...
... IP network. Cases where
MPLS over L2TPv3 is comparable to other alternatives are discussed in
this section.
...
... spoofing attack will
succeed. L2TPv3 provides an additional level of protection against
packet spoofing ...
... Access Control List (ACL) filters). Checking the value of the L2TPv3
Cookie is similar to any sort of ACL ...
... packet header, except that we give ourselves the luxury of "seeding"
the L2TPv3 header with a value that is very difficult to spoof.
...
Two routers are already "adjacent" over an L2TPv3 tunnel
established for some other reason, and wish to exchange MPLS
packets ...
... Implementation considerations dictate the use of MPLS over L2TPv3.
For example, a hardware device may be able to take advantage of
the L2TPv3 encapsulation for faster or distributed processing.
Packet spoofing ...
... cumbersome to maintain at all edge points at all times. The
L2TPv3 Cookie provides a simple means of validating the source of
an L2TPv3 packet before allowing processing to continue. This
validation offers an additional level of protection ...
... by [MPLS-IPSEC]. Further, MPLS over L2TPv3 may be faster in some
hardware, particularly if that hardware is already optimized to
classify incoming L2TPv3 packets carrying IP framed in a variety of
ways. For example, IP ...
... at all unless the decapsulator of MPLS over L2TPv3 validates the IP
source address of the packet.
...
... Validation" considerations in
Section 6.2 of this document apply. Those two sections highlight the
benefits of the L2TPv3 Cookie.
...
... 64-bit value that is
kept secret from an off-path attacker, the L2TPv3 Cookie may be used
as a simple yet effective packet source authentication ...
... spoofing a permitted source IP address. The L2TPv3 Cookie provides a
means of validating the currently assigned Session ID ...
... data plane (such as that provided by
IPsec), the L2TPv3 Cookie provides a simple method of validating the
...
... Session ID lookup performed on each L2TPv3 packet. If the Cookie is
sufficiently random and remains unknown to an attacker ...
...
The MPLS over L2TPv3 encapsulated packets should be considered as
originating at the tunnel head and being destined for the tunnel ...
... the packet MUST be discarded.
Securing L2TPv3 using IPsec MUST provide authentication and
integrity. (Note that the authentication and integrity ...
... Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005. ...
