• DocumentCode
    1918518
  • Title

    A DoS-vulnerability analysis of L2TP-VPN

  • Author

    Kara, Atsushi ; Suzuki, Takahiro ; Takahashi, Kenta ; Yoshikawa, Masayuki

  • Author_Institution
    Dept. of Comput. Sci. & Eng., Aizu Univ., Fukushima, Japan
  • fYear
    2004
  • fDate
    14-16 Sept. 2004
  • Firstpage
    397
  • Lastpage
    402
  • Abstract
    L2TP is an IETF standard-track VPN protocol defined by RFC2661. Because L2TP does not always authenticate the control and data messages, both the control and data packets of the L2TP protocol are vulnerable to attack. This paper identifies two types of attacks that disconnect L2TP tunnels and proposes countermeasures. The first method is to transmit a StopCCN with correct identification to terminate a control connection toward the LNS or LAC. A countermeasure to the StopCCN attack is to use an added function in L2TPv3. L2TPv3 incorporates an optional authentication and integrity check for all control messages. In view of the pre-standard status of L2TPv3, we propose an enhancement of L2TPv2. The second method is to transmit a PPP LCP terminate-request with correct identifiers toward the LNS or LAC. In order to prevent the PPP LCP terminate-request attack, we propose a new extensional AVP. Finally, a DoS-resistant L2TP architecture is proposed.
  • Keywords
    access protocols; message authentication; virtual private networks; DoS-resistant L2TP architecture; DoS-vulnerability analysis; IETF standard-track VPN protocol; PPP LCP terminate-request; StopCCN attack; attack prevention; integrity check; message authentication; Authentication; Communication system control; Computer crime; Computer science; Los Angeles Council; Network address translation; Protection; Protocols; Tunneling; Virtual private networks;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Information Technology, 2004. CIT '04. The Fourth International Conference on
  • Print_ISBN
    0-7695-2216-5
  • Type

    conf

  • DOI
    10.1109/CIT.2004.1357228
  • Filename
    1357228