The Layer 2 Forwarding (L2F) protocol is a media-independent technology developed at Cisco Systems. It’s a media-independent tunneling protocol that came to life at the first Virtual Private Networks development stages. It allows VPNs to exist over a public network (such as the Internet) by turning data-link layer packets into web protocols like SLIP (Serial Line Internet Protocol) or PPP (Point-to-Point Protocol).
Servers can use L2F for things such as user authentication through dynamic address allocation, Remote Authentication Dial-In User Service (RADIUS), and Quality of Service (QoS). Cisco’s Internetwork operating system implements L2F in routers as well.
The tunneling approach to creating private networks is independent of the Internet Protocol (IP). Hence, the same technology can create secure tunnels in other network contexts like ATMs or Frame Relay. Want to learn more, let’s dig deeper then.
The L2F protocol: How does it work?
Let’s take the PPP protocol. It connects a dial-up client with the NAS (short form of network access server) when it receives the call using Layer 2 Forwarding (L2F).
Client-triggered PPP connections get terminated at a PPP service vendor’s NAS (Network Access Server) — this is typically an ISP (Internet Service Provider). L2F enables the client to connect beyond the Network Access Server to a remote node. That mechanism allows the client to act as if it was directly connected to that remote node instead of connecting to the NAS.
Within the L2F world, the NAS only has one job: to exchange forward (Point-to-Point Protocol) frames from the client to the distant node. That remote node in Cisco Speak is known as the home gateway.
The critical thing to remember is that Cisco’s L2F protocol can undoubtedly work over the IP protocol, but it doesn’t really need it. It can work along with other protocols as it is. For instance, it often works when used in tandem with VDU (Virtual Dial-Up).
Related read: What is port forwarding.
Authentication types
L2F authenticates remote users using PPP as well as other authentication systems that can include Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS).
- There are several connections in L2F tunneling channels, which is one of the reasons they’re different from PPTP tunneling channels.
- The authentication occurs in two stages. The ISP performs the first one before the tunnel appears. In the second stage, the tunnel comes alive in the corporate gateway upon the connection getting online.
- The SP and the specific corporate company gateway use an agreed-upon authentication process before allowing the tunnel between the remote and local networks to exist.
- The L2 works on the data connection layer (or that’s the word in the OSI reference documentation). It thus enables users like NetBEUI or 1PX instead of IP such as PPTP.
PAP – Password Authentication Protocol
First, the client and the server connect. Then, the client sends a package with the user’s credentials (password and username). Then, the server will grant or refuse a connection request, depending on its ability to authenticate the request, which can be rejected or verified.
CHAP – Challenge Handshake Authentication Protocol
This protocol takes a different approach to the authentication process. Here, the client sends the server an authentication packet regularly. The client and the server exchange these CHAP packets regularly to verify the user’s credentials at both ends. As long as the authentication remains valid, the connection remains online.
Overview of L2F protocol security
The virtual dial-up service initiates. Then, the ISP will pursue authentication. The ISP cares about two things only: the user’s identity and the home gateway they want to reach. So, it tries to discover both things as the call comes in. Once those two bits of information become apparent, they connect to the desired home gateway based on the authentication data gathered. The final touch happens at the home gateway, which accepts or rejects the connection.
The home gateway has an additional job to do. It must protect the connection against third parties (snoopers, hackers, governments) to establish tunnels to the home gateway, intercept the current tunnel, or hijack it.
The tunnel creation needs an authentication process between the ISP and the home gateway. This is the authentication bit that protects the tunnel against malicious attacks. And this is why the L2F is so valuable. It may not be apparent from this description.
Still, the fact is that these authentication processes can become safer if you can take advantage of several protocols concurrently to secure them. L2F gives us that option, and it can work along with many different protocols. Thus, it makes the authentication processes faster and safer. Its integration with them is seamless.
L2F’s pros
- It guarantees transmission security, creating an end-to-end secure tunnel for data encapsulation.
- It can enhance the security of other protocols.
- It supports user authentication for other protocols such as RADIUS, QoS, and Dynamic Address Allocation.
- The L2F tunnels support multiple connections.
L2F’s cons
- Privacy protection in L2F relies on the protocol’s ability to tunnel the information instead of providing encryption.
- The protocol lacks data flow control.
- This protocol doesn’t boast AV (Attribute-value) pair hiding.