diff options
Diffstat (limited to 'Documentation/networking/l2tp.txt')
-rw-r--r-- | Documentation/networking/l2tp.txt | 247 |
1 files changed, 213 insertions, 34 deletions
diff --git a/Documentation/networking/l2tp.txt b/Documentation/networking/l2tp.txt index 63214b280e00..e7bf3979facb 100644 --- a/Documentation/networking/l2tp.txt +++ b/Documentation/networking/l2tp.txt | |||
@@ -1,44 +1,95 @@ | |||
1 | This brief document describes how to use the kernel's PPPoL2TP driver | 1 | This document describes how to use the kernel's L2TP drivers to |
2 | to provide L2TP functionality. L2TP is a protocol that tunnels one or | 2 | provide L2TP functionality. L2TP is a protocol that tunnels one or |
3 | more PPP sessions over a UDP tunnel. It is commonly used for VPNs | 3 | more sessions over an IP tunnel. It is commonly used for VPNs |
4 | (L2TP/IPSec) and by ISPs to tunnel subscriber PPP sessions over an IP | 4 | (L2TP/IPSec) and by ISPs to tunnel subscriber PPP sessions over an IP |
5 | network infrastructure. | 5 | network infrastructure. With L2TPv3, it is also useful as a Layer-2 |
6 | tunneling infrastructure. | ||
7 | |||
8 | Features | ||
9 | ======== | ||
10 | |||
11 | L2TPv2 (PPP over L2TP (UDP tunnels)). | ||
12 | L2TPv3 ethernet pseudowires. | ||
13 | L2TPv3 PPP pseudowires. | ||
14 | L2TPv3 IP encapsulation. | ||
15 | Netlink sockets for L2TPv3 configuration management. | ||
16 | |||
17 | History | ||
18 | ======= | ||
19 | |||
20 | The original pppol2tp driver was introduced in 2.6.23 and provided | ||
21 | L2TPv2 functionality (rfc2661). L2TPv2 is used to tunnel one or more PPP | ||
22 | sessions over a UDP tunnel. | ||
23 | |||
24 | L2TPv3 (rfc3931) changes the protocol to allow different frame types | ||
25 | to be passed over an L2TP tunnel by moving the PPP-specific parts of | ||
26 | the protocol out of the core L2TP packet headers. Each frame type is | ||
27 | known as a pseudowire type. Ethernet, PPP, HDLC, Frame Relay and ATM | ||
28 | pseudowires for L2TP are defined in separate RFC standards. Another | ||
29 | change for L2TPv3 is that it can be carried directly over IP with no | ||
30 | UDP header (UDP is optional). It is also possible to create static | ||
31 | unmanaged L2TPv3 tunnels manually without a control protocol | ||
32 | (userspace daemon) to manage them. | ||
33 | |||
34 | To support L2TPv3, the original pppol2tp driver was split up to | ||
35 | separate the L2TP and PPP functionality. Existing L2TPv2 userspace | ||
36 | apps should be unaffected as the original pppol2tp sockets API is | ||
37 | retained. L2TPv3, however, uses netlink to manage L2TPv3 tunnels and | ||
38 | sessions. | ||
6 | 39 | ||
7 | Design | 40 | Design |
8 | ====== | 41 | ====== |
9 | 42 | ||
10 | The PPPoL2TP driver, drivers/net/pppol2tp.c, provides a mechanism by | 43 | The L2TP protocol separates control and data frames. The L2TP kernel |
11 | which PPP frames carried through an L2TP session are passed through | 44 | drivers handle only L2TP data frames; control frames are always |
12 | the kernel's PPP subsystem. The standard PPP daemon, pppd, handles all | 45 | handled by userspace. L2TP control frames carry messages between L2TP |
13 | PPP interaction with the peer. PPP network interfaces are created for | 46 | clients/servers and are used to setup / teardown tunnels and |
14 | each local PPP endpoint. | 47 | sessions. An L2TP client or server is implemented in userspace. |
15 | 48 | ||
16 | The L2TP protocol http://www.faqs.org/rfcs/rfc2661.html defines L2TP | 49 | Each L2TP tunnel is implemented using a UDP or L2TPIP socket; L2TPIP |
17 | control and data frames. L2TP control frames carry messages between | 50 | provides L2TPv3 IP encapsulation (no UDP) and is implemented using a |
18 | L2TP clients/servers and are used to setup / teardown tunnels and | 51 | new l2tpip socket family. The tunnel socket is typically created by |
19 | sessions. An L2TP client or server is implemented in userspace and | 52 | userspace, though for unmanaged L2TPv3 tunnels, the socket can also be |
20 | will use a regular UDP socket per tunnel. L2TP data frames carry PPP | 53 | created by the kernel. Each L2TP session (pseudowire) gets a network |
21 | frames, which may be PPP control or PPP data. The kernel's PPP | 54 | interface instance. In the case of PPP, these interfaces are created |
55 | indirectly by pppd using a pppol2tp socket. In the case of ethernet, | ||
56 | the netdevice is created upon a netlink request to create an L2TPv3 | ||
57 | ethernet pseudowire. | ||
58 | |||
59 | For PPP, the PPPoL2TP driver, net/l2tp/l2tp_ppp.c, provides a | ||
60 | mechanism by which PPP frames carried through an L2TP session are | ||
61 | passed through the kernel's PPP subsystem. The standard PPP daemon, | ||
62 | pppd, handles all PPP interaction with the peer. PPP network | ||
63 | interfaces are created for each local PPP endpoint. The kernel's PPP | ||
22 | subsystem arranges for PPP control frames to be delivered to pppd, | 64 | subsystem arranges for PPP control frames to be delivered to pppd, |
23 | while data frames are forwarded as usual. | 65 | while data frames are forwarded as usual. |
24 | 66 | ||
67 | For ethernet, the L2TPETH driver, net/l2tp/l2tp_eth.c, implements a | ||
68 | netdevice driver, managing virtual ethernet devices, one per | ||
69 | pseudowire. These interfaces can be managed using standard Linux tools | ||
70 | such as "ip" and "ifconfig". If only IP frames are passed over the | ||
71 | tunnel, the interface can be given an IP addresses of itself and its | ||
72 | peer. If non-IP frames are to be passed over the tunnel, the interface | ||
73 | can be added to a bridge using brctl. All L2TP datapath protocol | ||
74 | functions are handled by the L2TP core driver. | ||
75 | |||
25 | Each tunnel and session within a tunnel is assigned a unique tunnel_id | 76 | Each tunnel and session within a tunnel is assigned a unique tunnel_id |
26 | and session_id. These ids are carried in the L2TP header of every | 77 | and session_id. These ids are carried in the L2TP header of every |
27 | control and data packet. The pppol2tp driver uses them to lookup | 78 | control and data packet. (Actually, in L2TPv3, the tunnel_id isn't |
28 | internal tunnel and/or session contexts. Zero tunnel / session ids are | 79 | present in data frames - it is inferred from the IP connection on |
29 | treated specially - zero ids are never assigned to tunnels or sessions | 80 | which the packet was received.) The L2TP driver uses the ids to lookup |
30 | in the network. In the driver, the tunnel context keeps a pointer to | 81 | internal tunnel and/or session contexts to determine how to handle the |
31 | the tunnel UDP socket. The session context keeps a pointer to the | 82 | packet. Zero tunnel / session ids are treated specially - zero ids are |
32 | PPPoL2TP socket, as well as other data that lets the driver interface | 83 | never assigned to tunnels or sessions in the network. In the driver, |
33 | to the kernel PPP subsystem. | 84 | the tunnel context keeps a reference to the tunnel UDP or L2TPIP |
34 | 85 | socket. The session context holds data that lets the driver interface | |
35 | Note that the pppol2tp kernel driver handles only L2TP data frames; | 86 | to the kernel's network frame type subsystems, i.e. PPP, ethernet. |
36 | L2TP control frames are simply passed up to userspace in the UDP | 87 | |
37 | tunnel socket. The kernel handles all datapath aspects of the | 88 | Userspace Programming |
38 | protocol, including data packet resequencing (if enabled). | 89 | ===================== |
39 | 90 | ||
40 | There are a number of requirements on the userspace L2TP daemon in | 91 | For L2TPv2, there are a number of requirements on the userspace L2TP |
41 | order to use the pppol2tp driver. | 92 | daemon in order to use the pppol2tp driver. |
42 | 93 | ||
43 | 1. Use a UDP socket per tunnel. | 94 | 1. Use a UDP socket per tunnel. |
44 | 95 | ||
@@ -86,6 +137,35 @@ In addition to the standard PPP ioctls, a PPPIOCGL2TPSTATS is provided | |||
86 | to retrieve tunnel and session statistics from the kernel using the | 137 | to retrieve tunnel and session statistics from the kernel using the |
87 | PPPoX socket of the appropriate tunnel or session. | 138 | PPPoX socket of the appropriate tunnel or session. |
88 | 139 | ||
140 | For L2TPv3, userspace must use the netlink API defined in | ||
141 | include/linux/l2tp.h to manage tunnel and session contexts. The | ||
142 | general procedure to create a new L2TP tunnel with one session is:- | ||
143 | |||
144 | 1. Open a GENL socket using L2TP_GENL_NAME for configuring the kernel | ||
145 | using netlink. | ||
146 | |||
147 | 2. Create a UDP or L2TPIP socket for the tunnel. | ||
148 | |||
149 | 3. Create a new L2TP tunnel using a L2TP_CMD_TUNNEL_CREATE | ||
150 | request. Set attributes according to desired tunnel parameters, | ||
151 | referencing the UDP or L2TPIP socket created in the previous step. | ||
152 | |||
153 | 4. Create a new L2TP session in the tunnel using a | ||
154 | L2TP_CMD_SESSION_CREATE request. | ||
155 | |||
156 | The tunnel and all of its sessions are closed when the tunnel socket | ||
157 | is closed. The netlink API may also be used to delete sessions and | ||
158 | tunnels. Configuration and status info may be set or read using netlink. | ||
159 | |||
160 | The L2TP driver also supports static (unmanaged) L2TPv3 tunnels. These | ||
161 | are where there is no L2TP control message exchange with the peer to | ||
162 | setup the tunnel; the tunnel is configured manually at each end of the | ||
163 | tunnel. There is no need for an L2TP userspace application in this | ||
164 | case -- the tunnel socket is created by the kernel and configured | ||
165 | using parameters sent in the L2TP_CMD_TUNNEL_CREATE netlink | ||
166 | request. The "ip" utility of iproute2 has commands for managing static | ||
167 | L2TPv3 tunnels; do "ip l2tp help" for more information. | ||
168 | |||
89 | Debugging | 169 | Debugging |
90 | ========= | 170 | ========= |
91 | 171 | ||
@@ -102,6 +182,69 @@ PPPOL2TP_MSG_CONTROL userspace - kernel interface | |||
102 | PPPOL2TP_MSG_SEQ sequence numbers handling | 182 | PPPOL2TP_MSG_SEQ sequence numbers handling |
103 | PPPOL2TP_MSG_DATA data packets | 183 | PPPOL2TP_MSG_DATA data packets |
104 | 184 | ||
185 | If enabled, files under a l2tp debugfs directory can be used to dump | ||
186 | kernel state about L2TP tunnels and sessions. To access it, the | ||
187 | debugfs filesystem must first be mounted. | ||
188 | |||
189 | # mount -t debugfs debugfs /debug | ||
190 | |||
191 | Files under the l2tp directory can then be accessed. | ||
192 | |||
193 | # cat /debug/l2tp/tunnels | ||
194 | |||
195 | The debugfs files should not be used by applications to obtain L2TP | ||
196 | state information because the file format is subject to change. It is | ||
197 | implemented to provide extra debug information to help diagnose | ||
198 | problems.) Users should use the netlink API. | ||
199 | |||
200 | /proc/net/pppol2tp is also provided for backwards compaibility with | ||
201 | the original pppol2tp driver. It lists information about L2TPv2 | ||
202 | tunnels and sessions only. Its use is discouraged. | ||
203 | |||
204 | Unmanaged L2TPv3 Tunnels | ||
205 | ======================== | ||
206 | |||
207 | Some commercial L2TP products support unmanaged L2TPv3 ethernet | ||
208 | tunnels, where there is no L2TP control protocol; tunnels are | ||
209 | configured at each side manually. New commands are available in | ||
210 | iproute2's ip utility to support this. | ||
211 | |||
212 | To create an L2TPv3 ethernet pseudowire between local host 192.168.1.1 | ||
213 | and peer 192.168.1.2, using IP addresses 10.5.1.1 and 10.5.1.2 for the | ||
214 | tunnel endpoints:- | ||
215 | |||
216 | # modprobe l2tp_eth | ||
217 | # modprobe l2tp_netlink | ||
218 | |||
219 | # ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 udp_sport 5000 \ | ||
220 | udp_dport 5000 encap udp local 192.168.1.1 remote 192.168.1.2 | ||
221 | # ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1 | ||
222 | # ifconfig -a | ||
223 | # ip addr add 10.5.1.2/32 peer 10.5.1.1/32 dev l2tpeth0 | ||
224 | # ifconfig l2tpeth0 up | ||
225 | |||
226 | Choose IP addresses to be the address of a local IP interface and that | ||
227 | of the remote system. The IP addresses of the l2tpeth0 interface can be | ||
228 | anything suitable. | ||
229 | |||
230 | Repeat the above at the peer, with ports, tunnel/session ids and IP | ||
231 | addresses reversed. The tunnel and session IDs can be any non-zero | ||
232 | 32-bit number, but the values must be reversed at the peer. | ||
233 | |||
234 | Host 1 Host2 | ||
235 | udp_sport=5000 udp_sport=5001 | ||
236 | udp_dport=5001 udp_dport=5000 | ||
237 | tunnel_id=42 tunnel_id=45 | ||
238 | peer_tunnel_id=45 peer_tunnel_id=42 | ||
239 | session_id=128 session_id=5196755 | ||
240 | peer_session_id=5196755 peer_session_id=128 | ||
241 | |||
242 | When done at both ends of the tunnel, it should be possible to send | ||
243 | data over the network. e.g. | ||
244 | |||
245 | # ping 10.5.1.1 | ||
246 | |||
247 | |||
105 | Sample Userspace Code | 248 | Sample Userspace Code |
106 | ===================== | 249 | ===================== |
107 | 250 | ||
@@ -158,12 +301,48 @@ Sample Userspace Code | |||
158 | } | 301 | } |
159 | return 0; | 302 | return 0; |
160 | 303 | ||
304 | Internal Implementation | ||
305 | ======================= | ||
306 | |||
307 | The driver keeps a struct l2tp_tunnel context per L2TP tunnel and a | ||
308 | struct l2tp_session context for each session. The l2tp_tunnel is | ||
309 | always associated with a UDP or L2TP/IP socket and keeps a list of | ||
310 | sessions in the tunnel. The l2tp_session context keeps kernel state | ||
311 | about the session. It has private data which is used for data specific | ||
312 | to the session type. With L2TPv2, the session always carried PPP | ||
313 | traffic. With L2TPv3, the session can also carry ethernet frames | ||
314 | (ethernet pseudowire) or other data types such as ATM, HDLC or Frame | ||
315 | Relay. | ||
316 | |||
317 | When a tunnel is first opened, the reference count on the socket is | ||
318 | increased using sock_hold(). This ensures that the kernel socket | ||
319 | cannot be removed while L2TP's data structures reference it. | ||
320 | |||
321 | Some L2TP sessions also have a socket (PPP pseudowires) while others | ||
322 | do not (ethernet pseudowires). We can't use the socket reference count | ||
323 | as the reference count for session contexts. The L2TP implementation | ||
324 | therefore has its own internal reference counts on the session | ||
325 | contexts. | ||
326 | |||
327 | To Do | ||
328 | ===== | ||
329 | |||
330 | Add L2TP tunnel switching support. This would route tunneled traffic | ||
331 | from one L2TP tunnel into another. Specified in | ||
332 | http://tools.ietf.org/html/draft-ietf-l2tpext-tunnel-switching-08 | ||
333 | |||
334 | Add L2TPv3 VLAN pseudowire support. | ||
335 | |||
336 | Add L2TPv3 IP pseudowire support. | ||
337 | |||
338 | Add L2TPv3 ATM pseudowire support. | ||
339 | |||
161 | Miscellaneous | 340 | Miscellaneous |
162 | ============ | 341 | ============= |
163 | 342 | ||
164 | The PPPoL2TP driver was developed as part of the OpenL2TP project by | 343 | The L2TP drivers were developed as part of the OpenL2TP project by |
165 | Katalix Systems Ltd. OpenL2TP is a full-featured L2TP client / server, | 344 | Katalix Systems Ltd. OpenL2TP is a full-featured L2TP client / server, |
166 | designed from the ground up to have the L2TP datapath in the | 345 | designed from the ground up to have the L2TP datapath in the |
167 | kernel. The project also implemented the pppol2tp plugin for pppd | 346 | kernel. The project also implemented the pppol2tp plugin for pppd |
168 | which allows pppd to use the kernel driver. Details can be found at | 347 | which allows pppd to use the kernel driver. Details can be found at |
169 | http://openl2tp.sourceforge.net. | 348 | http://www.openl2tp.org. |