
L2TP Establishment Document Security Level: Internal

Project name Confidentiality level: Normal


BSNL RURAL Wi-Max Project Department: Huawei Wireless CBSS
L2TP VPN with ASN as LAC
Written by Date
Reviewed by Date
Reviewed by Date
Approved by Date
HUAWEI Technologies CO. LTD.
All rights reserved
LAC
2014-06-06 HUAWEI Confidential Page 1, Total 6
LAC is short for L2TP access concentrator. A LAC is a device with the PPP
terminal system and the L2TP processing capability and is a device attached
to the switching network. In a packet switched network, a LAC is often a
network access server (NAS), providing the access service for public
switched telephone network/integrated services digital network (PSTN/ISDN)
users. In a Worldwide Interoperability for Microwave Access Forum (WiMAX)
network, the WASN9770 acts as a LAC to provide the access service for
mobile stations (MSs).
LNS
LNS is short for L2TP network server. An LNS is a server in the PPP terminal
system and is used to process the L2TP packets. An LNS is often an edge
device in the intranet.
A LAC is located between an LNS and a remote system such as an MS. The LAC
encapsulates the packets received from a remote system based on L2TP and then
sends them to the LNS. The LAC also decapsulates the packets received from the
LNS and then sends them to the remote system.
The following diagram illustrates the implementation of the L2TP VPN using ASN as
LAC.
You can create an L2TP tunnel by using the following methods:
Creating an L2TP tunnel based on the L2TP group configured locally
When the L2TP attributes are not configured on the authentication server
but the domain name carried in the user name matches the domain
name configured in the L2TP group (see SET L2TP), the WASN9770
creates an L2TP tunnel based on the L2TP group configured locally.
The same L2TP index is defined in the ASN together with the LNS IP, so that
whenever an account from that domain is accepted by the fixed AAA, it dials
the LNS and tries to set up the tunnel.

After the tunnel is established, the WASN9770 sends Hello packets periodically to
check the connectivity of the tunnel.
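
The Hello keepalive mentioned above, as an added example that is not from the original document or from Huawei: a parser for L2TPv2 control messages (header and Message Type AVP as defined in RFC 2661) that reports tunnels whose last Hello is overdue. The sample payloads, tunnel IDs, timestamps and the silence threshold are constructed for illustration.

```python
import struct

# Subset of L2TPv2 control message types (RFC 2661).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN",
                 6: "HELLO", 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

def parse_l2tp_control(payload: bytes) -> dict:
    """Parse the UDP payload (port 1701) of an L2TPv2 control message."""
    if len(payload) < 12:
        raise ValueError("too short for an L2TP control header")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!6H", payload[:12])
    if flags & 0xC80F != 0xC802:
        # T, L and S bits must be set and the version must be 2.
        raise ValueError("not an L2TPv2 control message")
    if length != len(payload):
        raise ValueError("Length field disagrees with payload size")
    msg = {"tunnel_id": tunnel_id, "session_id": session_id,
           "ns": ns, "nr": nr, "type": "ZLB"}
    if length == 12:
        return msg                      # zero-length body: acknowledgement only
    if length < 20:
        raise ValueError("truncated Message Type AVP")
    # The first AVP must be Message Type: vendor 0, attribute 0, 16-bit value.
    avp_hdr, vendor, attr, mtype = struct.unpack("!4H", payload[12:20])
    if avp_hdr & 0x03FF != 8 or vendor != 0 or attr != 0:
        raise ValueError("first AVP is not Message Type")
    msg["type"] = MESSAGE_TYPES.get(mtype, "unknown(%d)" % mtype)
    return msg

def silent_tunnels(captures, now, max_silence):
    """Tunnel IDs whose last HELLO seen is older than max_silence seconds."""
    last_hello = {}
    for ts, payload in captures:
        msg = parse_l2tp_control(payload)
        if msg["type"] == "HELLO":
            tid = msg["tunnel_id"]
            last_hello[tid] = max(ts, last_hello.get(tid, ts))
    return sorted(t for t, ts in last_hello.items() if now - ts > max_silence)

# Constructed sample payloads (tunnel IDs, Ns/Nr and timestamps are made up).
HELLO_T33 = bytes.fromhex("c8020014002100000005000380080000" "00000006")
HELLO_T34 = bytes.fromhex("c8020014002200000002000180080000" "00000006")
ZLB_T33 = bytes.fromhex("c802000c0021000000060003")
CAPTURES = [(0, HELLO_T33), (60, HELLO_T34), (61, ZLB_T33), (120, HELLO_T34)]

if __name__ == "__main__":
    print(parse_l2tp_control(HELLO_T33))
    print(silent_tunnels(CAPTURES, now=200, max_silence=90))
```

The `max_silence` value is an assumption; set it from the Hello interval actually configured on the LAC and LNS.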
BS + ASN-GW networking: The Ethernet convergence sublayer (Eth-CS) is
used for WiMAX access; the WASN9770 PPPoE decapsulates the packets to obtain
the original PPP packets; PPP relay is supported. The WASN9770, serving as the
LAC, L2TP encapsulates the PPP packets and sets up the L2TP connection with the
LNS.
The method described above uses two different authentications:
1. The first authentication only admits the user to the WiMAX network in ETH-CS
mode, so that it cannot access the internet.
2. The second-level authentication is required to get the PPPoE user authenticated
by the AAA for the LNS server.
The first-level authentication is required because bypassing it would be a
threat to the network: if bypassing the first-level authentication were allowed
in the network, a smart user could misuse this.
With the first-level authentication in place, no one can access the network in a
wrong manner, because every user needs to be authenticated by the AAA. It is
therefore highly advised to use the first-level authentication.
Security-related cases:

1. The user removes the second user and uses only the first user. Even then he
cannot access the internet.
Explanation: If a user removes the second user, only the first-level
authentication remains and he is just connected to the WiMAX network,
as he is connected to the network in ETH-CS mode. Moreover,
the first-level authentication is required to verify the user in the
network.

2. The user removes the first user, uses only the second user and tries to
bypass the first-level authentication.

Explanation: If a user tries to bypass the first-level authentication, the user
cannot access the WiMAX network in any mode at all, so he cannot
proceed further.
How will the dialing be done?
As soon as the PKM user is authenticated by the Wi-Max AAA, it automatically
dials the PPPoE account that is already configured in the CPE. We have given
the user name as kt-bgl-sde1@operation.in and the password as "password".
This user is dialed after the PKM user has been authenticated by the Wi-Max AAA.
When this PPPoE user is dialed, the CPE gets the IP from the LNS. For
example, it can be as shown in the picture below:
After getting the IP from the LNS, the user can access the web portal behind the
same BNB.
For example, the web portal for making the user for BSNL can be accessed.
