
Virtual Private Networks
The Remote Access Conundrum Part 2:
Tunneling at Layer Two
AT&T's approach to managed VPN services (multiprotocol support and simple client software) has much to teach us about structuring such a business line. The main take-away: one size does not fit all customers.
Lisa Phifer, VP, Core Competence, Inc.
[December 22, 2000]
To offer a successful remote access VPN service, an ISP must master many
challenges, ranging from trouble-free client software installation to
back-end user database integration. In a previous
column, we discussed issues associated with remote access VPNs based
on IPsec, the standard network-layer tunneling protocol. In today's column,
we'll examine another alternative: the standard Layer Two Tunneling Protocol
(L2TP).
Tunneling PPP
L2TP is a standard
method for tunneling PPP across the Internet or any intervening IP or
non-IP network. Unlike IPsec, L2TP was designed specifically to support
traditional remote access.
L2TP creates a "virtual modem connection" from a dial-up client to an
enterprise network. Physically, the client's call is terminated by an
L2TP access concentrator at the provider's POP. But, logically, the client
is connected to the customer's own network server, back at corporate headquarters.
In between, L2TP encapsulates PPP and tunnels it transparently across
the provider's backbone. L2TP lets the enterprise retain control over
traditional RAS functions like user authentication and dynamic address
assignment, while outsourcing call termination and transport functions
to a service provider.
The L2TP standard was derived, in part, from Cisco's Layer 2 Forwarding
(L2F) protocol and Microsoft's Point-to-Point Tunneling Protocol (PPTP).
Today, there are many service providers that offer remote access VPN services
based on L2TP, L2F, and/or PPTP. For example, AT&T's
Managed VPN Tunneling Service supports L2TP, L2F, and IPsec. We asked
Jonathan Cohen, Director of AT&T's Advanced IP Network Services, why AT&T
offers so many alternatives.
Meeting customer requirements
"No one solution is going to work for all customers; there are different
requirements," said Cohen. Today, over 50 percent of the data network
market runs over AT&T's ATM, Frame Relay, dial, or broadband transport
services. Offering value-added services like VPN to a large, diverse customer
base can be quite a challenge.
"We support several tunneling protocols because we've had to meet existing
customer needs," said Cohen. "We're in a different position than green-field
carriers. AT&T has been offering multiprotocol tunneling for a very long
time now, and we know that you have to examine each application to determine
the best approach. Ultimately, VPN is an implementation, not a service.
Protocol selection is a matter of deciding how to implement the VPN for
a specific customer."
Choosing a tunneling protocol
To appreciate what's involved, let's examine some of the fundamental differences
between these tunneling protocols.
IPsec provides digitally-signed, encrypted communication between mutually
authenticated devices. IPsec is great for securing site-to-site (gateway-to-gateway)
traffic over an IP backbone. It can also support secure host-to-host connections.
Although IPsec can tunnel from client to gateway, extensions are usually
needed to satisfy user authentication and dynamic addressing requirements.
Layer two tunneling protocols (L2F and
L2TP) leverage functions provided by PPP: data-independent framing, ability
to multiplex IP and non-IP network protocols, user-level PAP/CHAP authentication,
dynamic address assignment, and the ability to negotiate session attributes
like compression.
Cisco's L2F provides controlled, authenticated
access to an entire network, reached through a "home gateway". L2F tunnels
are compulsory: a client dials into a network access server (NAS). The
NAS recognizes that tunneling is required and multiplexes PPP over UDP
to the home gateway. L2F tunnels are completely transparent to clients,
but require NAS support.
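The two passages above describe the same mechanism from two angles: a PPP frame from the dial-up client is wrapped in an L2TP (or L2F) header and carried over UDP across the provider's backbone to the enterprise's network server, where PPP's own protocol field still multiplexes IP and non-IP traffic and carries the PAP/CHAP authentication exchange. The following Python script is an added example, not code from this column or from AT&T's service; it builds and parses RFC 2661 L2TPv2 datagrams (the header flag bits, Tunnel ID and Session ID, optional sequence numbers) around constructed PPP payloads, and classifies them the way a reviewer of a UDP/1701 capture would. The tunnel and session IDs, PPP payloads and the `classify_capture` summary format are invented for the example.

```python
"""Build and parse RFC 2661 L2TP (version 2) datagrams that carry PPP frames.

Added example, not code from the column or from AT&T's service. All PPP
payloads and IDs below are constructed sample values.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

L2TP_UDP_PORT = 1701  # IANA port for L2TP control and data messages

# Flag bits of the first 16-bit header word (RFC 2661, section 3.1)
FLAG_T = 0x8000   # 1 = control message, 0 = data message (PPP payload)
FLAG_L = 0x4000   # Length field present (mandatory for control messages)
FLAG_S = 0x0800   # Ns/Nr sequence numbers present (mandatory for control)
FLAG_O = 0x0200   # Offset Size field present (data messages only)
FLAG_P = 0x0100   # Priority bit (data messages only)
VER_MASK = 0x000F
L2TP_VERSION = 2

# PPP protocol numbers that can appear at the front of the tunneled frame
PPP_PROTOCOLS = {
    0x0021: "IPv4", 0x0057: "IPv6", 0x002B: "IPX",
    0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
}


@dataclass
class L2TPHeader:
    is_control: bool
    tunnel_id: int
    session_id: int
    ns: Optional[int] = None
    nr: Optional[int] = None
    priority: bool = False


def _take(buf: bytes, pos: int, n: int) -> bytes:
    if pos + n > len(buf):
        raise ValueError("truncated L2TP header")
    return buf[pos:pos + n]


def build_data_message(tunnel_id: int, session_id: int, ppp_frame: bytes,
                       ns: Optional[int] = None, nr: Optional[int] = None) -> bytes:
    """Encapsulate one PPP frame as an L2TP data message (L bit always set)."""
    flags = FLAG_L | L2TP_VERSION
    seq = b""
    if ns is not None and nr is not None:
        flags |= FLAG_S
        seq = struct.pack("!HH", ns, nr)
    body = struct.pack("!HH", tunnel_id, session_id) + seq + ppp_frame
    return struct.pack("!HH", flags, 4 + len(body)) + body


def build_zlb_ack(tunnel_id: int, ns: int, nr: int) -> bytes:
    """Zero-Length-Body control message: an acknowledgement carrying no AVPs."""
    flags = FLAG_T | FLAG_L | FLAG_S | L2TP_VERSION
    return struct.pack("!HHHHHH", flags, 12, tunnel_id, 0, ns, nr)


def parse_l2tp(datagram: bytes) -> Tuple[L2TPHeader, bytes]:
    """Parse the header and return it with the payload (PPP frame or AVPs)."""
    flags = struct.unpack("!H", _take(datagram, 0, 2))[0]
    if flags & VER_MASK != L2TP_VERSION:
        raise ValueError("not an L2TPv2 datagram (version %d)" % (flags & VER_MASK))
    is_control = bool(flags & FLAG_T)
    # RFC 2661: control messages MUST carry L and S and MUST NOT set O or P.
    if is_control and (flags & (FLAG_L | FLAG_S) != (FLAG_L | FLAG_S)
                       or flags & (FLAG_O | FLAG_P)):
        raise ValueError("control message violates RFC 2661 flag rules")
    pos, end = 2, len(datagram)
    if flags & FLAG_L:
        end = struct.unpack("!H", _take(datagram, pos, 2))[0]
        if end > len(datagram):
            raise ValueError("Length field larger than the datagram")
        pos += 2
    tunnel_id, session_id = struct.unpack("!HH", _take(datagram, pos, 4))
    pos += 4
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = struct.unpack("!HH", _take(datagram, pos, 4))
        pos += 4
    if flags & FLAG_O:  # skip the Offset Size field and the padding it announces
        pos += 2 + struct.unpack("!H", _take(datagram, pos, 2))[0]
    if pos > end:
        raise ValueError("header overruns declared length")
    hdr = L2TPHeader(is_control, tunnel_id, session_id, ns, nr, bool(flags & FLAG_P))
    return hdr, datagram[pos:end]


def ppp_protocol(ppp_frame: bytes) -> Tuple[int, str]:
    """Return the PPP protocol number and name heading a tunneled frame.

    Accepts frames with or without the HDLC address/control bytes FF 03 and
    with PPP protocol-field compression (a single odd byte).
    """
    if ppp_frame[:2] == b"\xff\x03":
        ppp_frame = ppp_frame[2:]
    if not ppp_frame:
        raise ValueError("empty PPP frame")
    proto = ppp_frame[0] if ppp_frame[0] & 1 else struct.unpack("!H", ppp_frame[:2])[0]
    return proto, PPP_PROTOCOLS.get(proto, "unknown")


def classify_capture(datagrams: List[bytes]) -> List[str]:
    """Summarise UDP/1701 payloads as a capture review would.

    A readable PPP protocol field in a bare L2TP data message shows the
    tunnel is not wrapped in IPsec: L2TP itself provides no encryption.
    """
    out = []
    for dg in datagrams:
        hdr, payload = parse_l2tp(dg)
        if hdr.is_control:
            out.append("tunnel %d control (%d bytes of AVPs)" % (hdr.tunnel_id, len(payload)))
        else:
            num, name = ppp_protocol(payload)
            out.append("tunnel %d session %d data PPP 0x%04X %s"
                       % (hdr.tunnel_id, hdr.session_id, num, name))
    return out


# Constructed sample traffic: a CHAP challenge and an IPv4 datagram in one
# session, plus a ZLB acknowledgement on the control connection.
SAMPLE_DATAGRAMS = [
    build_data_message(7, 3, b"\xff\x03\xc2\x23" + b"\x01\x01\x00\x08\x04\xab\xcd\xef"),
    build_data_message(7, 3, b"\x00\x21" + b"\x45\x00\x00\x14" + b"\x00" * 16, ns=1, nr=0),
    build_zlb_ack(7, ns=2, nr=1),
]

if __name__ == "__main__":
    for line in classify_capture(SAMPLE_DATAGRAMS):
        print(line)
```

The header parser enforces the RFC 2661 rule that control messages carry both the Length and sequence fields and never the Offset or Priority bits, and it honours the declared Length rather than trusting the datagram size, which is the check a tunnel endpoint needs before it hands the payload to PPP. Because the PPP protocol field sits in the clear in a bare L2TP data message, the classifier's output also tells a reviewer whether a provider's L2TP tunnels are running unprotected or inside IPsec, which is the combination the column's IPsec comparison implies when confidentiality is required.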