[j-nsp] Juniper and L2TPv3?
shane at castlepoint.net
Thu Jan 13 23:51:04 EST 2005
On Jan 13, 2005, at 7:44 PM, Christopher Morrow wrote:
> On Jan 14, 2005, at 2:08 AM, Christopher Morrow wrote:
>> On Jan 13, 2005, at 9:22 AM, Zvezdelin Vladov wrote:
>>> Hi All,
>>> I have one quick question....
>>> Does anyone know if Juniper supports L2TPv3 in their M-Series or any
>>> other series?
>>> Can you please refer me to a document on their website stating the
>>> L2TPv3 support
>>> or exactly the opposite?
>> Don't have a document reference, but I recall that their answer to
>> 'we want you to do l2tpv3 because it's standards based' was: "uhm,
>> use CCC" to which the reply
> I was reminded that the 'uhm, use ccc' was actually 'uhm, use GRE' ...
> I'm forgetting right now the push for l2tpv3 instead of GRE, for that
> I also apologize :(
One advantage of L2TPv3 over GRE is potentially stronger resilience
against attacks on the data plane. I say "potentially stronger",
because the Cookie field is optional in L2TPv3. (An L2TPv3 cookie is
an [up to] 8-byte randomly generated nonce that verifies received
packets are correlated with the Session ID in the packet, to prevent
against blind, insertion attacks). Cookies aren't a panacea, but IMO
they significantly raise the bar in protecting routine, non-sensitive
VPN data, without imposing the processing overhead required by IPsec.
Refer to Section 8.2 (and 8.1) of the L2TPv3 draft for more info on
In the end, L2TPv3 is just another tool in the toolbox. With respect
to securing GRE, RFC2890 proposes a 4-Byte key & sequence numbers for
GRE packets, which arguably provides equivalent security to L2TPv3
Session ID's & Cookies -- however, I can't tell if Juniper implements
Finally, one could put MPLS [PWE3|2547] in GRE in IPsec (possibly back
in MPLS, for fun :-). This probably already works on Junipers -- I
haven't played with it, but they've got all the protocols there :-).
Although this will give you excellent security (assuming IPsec
encryption/authentication of payloads) and may be useful is some
limited situations, it is certainly a complex design with a lot of
overhead and, IMO, it would be difficult to deploy, and maintain, on a
medium- to large-scale.
More information about the juniper-nsp