Internet Draft
PPP Working Group Pat R. Calhoun
INTERNET-DRAFT 3Com Corporation
Category: Internet Draft W. Mark Townsley
Title: draft-ietf-pppext-l2tp-sec-00.txt IBM Corporation
Date: June 1997
Expires: December 1997
Layer Two Tunneling Protocol "L2TP"
Security Extensions for Non-IP networks
Status of this Memo
This document is an Internet-Draft. Internet-Drafts are working doc-
uments of the Internet Engineering Task Force (IETF), its areas, and
its working groups. Note that other groups may also distribute work-
ing documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months. Internet-Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet-
Drafts as reference material or to cite them other than as a ``work-
ing draft'' or ``work in progress.''
To learn the current status of any Internet-Draft, please check the
1id-abstracts.txt listing contained in the Internet-Drafts Shadow
Directories on ds.internic.net, nic.nordu.net, ftp.nisc.sri.com, or
munnari.oz.au.
Abstract
The L2TP Document [1] defines the base protocol which describes the
method of tunneling PPP [2] data. The spec states that the
security mechanism used over an IP network is to use the IETF's
IPSEC protocols.
L2TP was designed in such a way as to be able to run over any
underlying layer (i.e. Frame Relay, ATM, etc.). This document specifies
extensions to the L2TP protocol in order to provide authentication
and integrity of individual packets in a tunneled session over a
non-IP network. It does not intend to provide a mechanism for
encryption of packets.
Calhoun expires January 1997 [Page 1]
�
INTERNET DRAFT June 1997
1.0 Introduction
The L2TP protocol specification describes that the IPSEC protocols
MUST be used over an IP network. However, since L2TP can work over
ANY link layer, there is no method of ensuring security over those
links (if that link layer does not in turn provide its own security
protocol).
This document will describe how authentication of L2TP packets will
be handled over non-IP networks.
1.1 Conventions
The following language conventions are used in the items of specifi-
cation in this document:
o MUST, SHALL, or MANDATORY -- This item is an absolute
requirement of the specification.
o SHOULD or RECOMMEND -- This item should generally be followed
for all but exceptional circumstances.
o MAY or OPTIONAL -- This item is truly optional and may be
followed or ignored according to the needs of the implementor.
Calhoun expires January 1997 [Page 2]
�
INTERNET DRAFT June 1997
2.0 L2TP Security Header Format
The L2TP Header has been modified in order to accommodate the new
Authentication extension. The header has a 'K' bit which indicates
that the authentication extension is present in the header. This
header is formatted:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|T|1|1|1|1|K|0| | Ver | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tunnel ID | Call ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Ns | Nr |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initialization Vector |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Integrity Check |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Integrity Check |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Integrity Check |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Message Type AVP... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... (8 bytes) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In order for the Authentication Extension to be present, the 'K'
bit MUST be 1. The Initialization Vector field MUST contain a
random 128 bit value. The MIC (Message Integrity Check) contains
the most significant 96 bits of the HMAC-MD5 algorithm [3][4].
The behavior of the 'K' bit is identical on both the control and
data channel.
Calhoun expires January 1997 [Page 3]
�
INTERNET DRAFT June 1997
2.0 Protection Against Attacks
This section will define certain methods of protecting against
specific known types of attacks.
2.1 Denial of Service Attacks
There currently exists a Denial of Service Attack whereby a
malicious host can issue a stream of
Start-Control-Connection-Request messages to an L2TP host on a
network.
Although an implementation MUST time-out when a
Start-Control-Connection-Connected has not been received within a
given window, there is still a possibility that if the messages
were received fast enough the L2TP host would deplete its Control
Connection Control Blocks. This form of attack is aggravated when
the malicious host sends the packets with a random source IP
address.
One form of protection against this attack is to have a local list
of trusted hosts, however this does not scale very well when
providing a roaming service from anywhere on the Internet.
Furthermore, enforcing a security policy based on a source address
is a very weak form of protection.
Another method of protecting against this form of attack is to have
the 'K' bit set in the initial Start-Control-Connection-Request
message. The message would be signed with the common secret (or
key, see below for more details). This scheme will ensure that
only authenticated Start-Control-Connection-Requests will be
accepted, making this type of attack very inconvenient for a
malicious user to create.
In order for this scheme to be successful, it is imperative that
the base specification require that a base implementation which
does not support any extensions MUST reject a
Start-Control-Connection-Request message with a 'K' bit set.
2.2 Replay Attacks
One common attack is the replay attack. This requires that a
malicious user gain access to the network where packets are routed.
Calhoun expires January 1997 [Page 4]
�
INTERNET DRAFT June 1997
There are two different types of replay attacks in the current L2TP
protocol. The first is that since a secret is a long lived key
(known as the master key), a malicious user can retrieve the
Stop-Control-Connection-Request message from two L2TP peers and
replay it at a later date when an L2TP tunnel is active between
both peers.
This form of attack is further complicated by the fact that the
malicious user must inject the packet when the sequence number in
the replayed packet is within the window of the receiver. This can
be achieved using a brute force type attack by constantly sending
the packet until the L2TP host accepts it. One more complication
for the malicious user is the fact that the Tunnel and Call
identifiers MUST be the same in the new session being attacks. This
is not impossible, but improbable if the Tunnel and Call IDs are
randomly generated.
The second type of attack occurs when a user attempts to replay
data packets being tunneled. One good example of a packet to
replay would be a LCP Terminate Request message from a previous
session. In this case, again, the Tunnel and the Call IDs MUST be
identical for the L2TP peer to accept the packet.
However, if a malicious user was to simply snoop the network and
replay valid data packets from the current session it could
potentially create some form of denial of service for the user. A
good example of such a packet would be a TCP FIN packet (which are
very common when using the WEB which have many short-lived
connections). Since most TCP implementations do not have random
initial sequence numbers, this is a very simple attack.
In order to protect against such an attack it is recommended that
the L2TP flow control mechanism be enabled on the data path. This
will offer protection since a replay packet would only be accepted
once the window "rolled" over.
2.3 Compromise of the Master Key
Since tunnels may be long-lived and frequent, it is possible for
the master key to be compromised. A malicious user could gain many
valid samples and given enough resources could guess the master
key. This is a very serious problem which must be addressed.
One possible and simple method to protect against this is to have
both L2TP peers generate a session key when a tunnel is created.
This key would be transmitted in the
Calhoun expires January 1997 [Page 5]
�
INTERNET DRAFT June 1997
Start-Control-Connection-Request and the appropriate -Reply
message. Furthermore, a L2TP host would generate a new key
whenever it's Sn value would "roll" over. This would create a new
security association between both peers, and protect against
compromise of the master key.
This scheme would also protect against the replay of the data
packet described above since the key would be changed once the
Sequence number reached zero, making the replayed packet non-
authenticated.
3.0 Security Association Negotiation
This section will define the new message type and AVP which are
required for the security extensions of the L2TP protocol.
3.1 Start-Control-Connection-Request/-Reply
Session Key
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1|0|0|0| Length | 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ? | Encoded Session Key... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
A new AVP MAY be present in the tunnel initiation messages. When
present, the L2TP peer is indicating that a session key is to be
used to perform the message digest functions.
It is encoded as the Attribute ?, Mandatory, with the indicated
number of bytes representing the session key. This AVP is
optional.
When present the MIC in the L2TP header is computed using the
decoded Session Key and the key is encoded as follows:
encodedKey = MD5( IV | Master Key ) Xor Session Key
and decoded as follows:
decodedKey = MD5( IV | Master Key ) Xor encodedKey
Calhoun expires January 1997 [Page 6]
�
INTERNET DRAFT June 1997
3.1 Renegotiate-Security-Association
The Renegotiate-Security-Association message type is an L2TP
control message used to renegotiate a new security association.
It can be sent after establishment of the control connection.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| L2TP Control Message Header |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Renegotiate Security Association |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Session Key |
+-+-+-+-+-+-+-+-+
Renegotiate-Security-Association
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1|0|0|0| 8 | 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 | ? |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Message Type AVP contains a Value of ?, indicating
Renegotiate-Security-Association. The Flags indicate a mandatory
option. Details associated with this security renegotiation
session follow in additional AVP's within the packet.
Session Key
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|1|0|0|0| Length | 0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ? | Encoded Session Key... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Session Key AVP contains a new session key for a control
channel. It is encoded as the Attribute ?, Mandatory, with the
indicated number of bytes representing the session key. This AVP
is mandatory.
Calhoun expires January 1997 [Page 7]
�
INTERNET DRAFT June 1997
When present the MIC in the L2TP header is computed using the
decoded Session Key and the key is encoded as follows:
encodedKey = MD5( IV | Previous Key ) Xor Session Key
and decoded as follows:
decodedKey = MD5( IV | Previous Key ) Xor encodedKey
4.0 Acknowledgments
I would like to thank Baiju Patel from Intel Corp. and Sumit Vakil
for their assistance.
5.0 Contacts
Pat R. Calhoun
3Com Corporation
1800 Central Ave.
Mount Prospect, Il, 60056
pcalhoun@usr.com
(847) 342-6898
W. Mark Townsley
IBM Corporation
700 Park Office Drive
Research Triangle Park, NC 27709
wmt@raleigh.ibm.com
(919) 543-7522
6.0 References
[1] K. Hamzeh, T. Kolar, M. Littlewood, G. Singh Pall, J. Taarud,
A. J. Valencia, W. Verthein "Layer Two Tunneling Protocol (L2TP)",
Internet draft, March 1997
[2] W. Simpson, "The Point-to-Point Protocol (PPP)", RFC 1661,
7/21/1994
[3] H. Krawczyk, M. Bellare, R. Canetti, "HMAC: Keyed-Hashing for
Message Authentication", RFC 2104, February 1997
[4] R. Rivest, "The MD5 Message-Digest Algorithm", RFC 1321,
4/16/1992
Calhoun expires January 1997 [Page 8]
�