Title :
A DoS-vulnerability analysis of L2TP-VPN
Author :
Kara, Atsushi ; Suzuki, Takahiro ; Takahashi, Kenta ; Yoshikawa, Masayuki
Author_Institution :
Dept. of Comput. Sci. & Eng., Aizu Univ., Fukushima, Japan
Abstract :
L2TP is an IETF standards-track VPN protocol defined by RFC 2661. Because L2TP does not always authenticate its control and data messages, both the control and the data packets of the protocol are vulnerable to attack. This paper identifies two types of attack that disconnect L2TP tunnels and proposes countermeasures. The first attack transmits a StopCCN with the correct identifiers toward the LNS or LAC to terminate the control connection. A countermeasure to the StopCCN attack is to use a function added in L2TPv3, which incorporates an optional authentication and integrity check for all control messages. In view of the pre-standard status of L2TPv3 at the time of writing, we propose an enhancement of L2TPv2 instead. The second attack transmits a PPP LCP Terminate-Request with the correct identifier toward the LNS or LAC. To prevent the PPP LCP Terminate-Request attack, we propose a new extension AVP. Finally, a DoS-resistant L2TP architecture is proposed.
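Worked example, added by the editor and not part of the paper: a Python model of the StopCCN attack the abstract describes and of an L2TPv3-style Message Digest check that defeats it. It builds an RFC 2661 control message (12-byte header plus Message Type, Result Code and Assigned Tunnel ID AVPs) and delivers it first to a receiver that, like plain L2TPv2, accepts any StopCCN whose Tunnel ID and Ns match its state, and then to a receiver that additionally demands an HMAC-SHA1 Message Digest AVP keyed with a shared secret. The tunnel IDs, sequence numbers and secret are constructed for the demo; the digest key is the bare secret, a simplification of RFC 3931, which also mixes the peers' nonces into it. The ControlConnection class, demo() and every other name here are the editor's, not the authors'.

```python
"""Constructed demo: forged L2TPv2 StopCCN versus an HMAC-protected control message."""
import hashlib
import hmac
import struct

# L2TPv2 control header flags (RFC 2661 sec. 3.1): T=1, L=1, S=1, version 2.
CTRL_FLAGS = 0xC802
HEADER_LEN = 12

MSG_STOPCCN = 4                  # Stop-Control-Connection-Notification
AVP_MESSAGE_TYPE = 0
AVP_RESULT_CODE = 1
AVP_ASSIGNED_TUNNEL_ID = 9
AVP_MESSAGE_DIGEST = 59          # L2TPv3 Message Digest AVP (RFC 3931); value = 1-byte type + HMAC
DIGEST_TYPE_HMAC_SHA1 = 1
DIGEST_LEN = 20


def avp(attr_type, value, mandatory=True):
    """Encode one IETF (vendor 0) AVP; the 10-bit length covers the 6-byte AVP header."""
    length = 6 + len(value)
    flags = (0x8000 if mandatory else 0) | (length & 0x03FF)
    return struct.pack("!HHH", flags, 0, attr_type) + value


def build_stopccn(tunnel_id, ns, nr, assigned_tid, result_code=1):
    """Build the StopCCN an attacker who knows Tunnel ID, Ns and Nr needs; nothing here is secret."""
    body = avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_STOPCCN))
    body += avp(AVP_RESULT_CODE, struct.pack("!H", result_code))        # 1 = general request to clear
    body += avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tid))
    header = struct.pack("!HHHHHH", CTRL_FLAGS, HEADER_LEN + len(body), tunnel_id, 0, ns, nr)
    return header + body


def parse_control(msg):
    """Parse header and AVPs; each AVP is returned as (attr_type, value, offset_of_value)."""
    flags, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    if flags != CTRL_FLAGS or length > len(msg):
        raise ValueError("not a well-formed L2TPv2 control message")
    avps, off = [], HEADER_LEN
    while off < length:
        aflags, _vendor, attr = struct.unpack("!HHH", msg[off:off + 6])
        alen = aflags & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError("bad AVP length")
        avps.append((attr, msg[off + 6:off + alen], off + 6))
        off += alen
    msg_type = next((struct.unpack("!H", v)[0] for a, v, _ in avps if a == AVP_MESSAGE_TYPE), None)
    return {"tunnel_id": tid, "session_id": sid, "ns": ns, "nr": nr, "msg_type": msg_type, "avps": avps}


def add_digest(msg, secret):
    """Append a Message Digest AVP: HMAC-SHA1 over the whole message with the digest field zeroed.
    Assumption/simplification: the key is the shared secret alone (RFC 3931 also mixes in nonces)."""
    placeholder = avp(AVP_MESSAGE_DIGEST, bytes([DIGEST_TYPE_HMAC_SHA1]) + b"\x00" * DIGEST_LEN)
    length = struct.unpack("!H", msg[2:4])[0]
    zeroed = msg[:2] + struct.pack("!H", length + len(placeholder)) + msg[4:] + placeholder
    mac = hmac.new(secret, zeroed, hashlib.sha1).digest()
    return zeroed[:-DIGEST_LEN] + mac


def verify_digest(msg, secret):
    """True only if a Message Digest AVP is present and its HMAC matches under this secret."""
    for attr, value, off in parse_control(msg)["avps"]:
        if attr == AVP_MESSAGE_DIGEST:
            if len(value) != 1 + DIGEST_LEN or value[0] != DIGEST_TYPE_HMAC_SHA1:
                return False
            zeroed = msg[:off + 1] + b"\x00" * DIGEST_LEN + msg[off + 1 + DIGEST_LEN:]
            expected = hmac.new(secret, zeroed, hashlib.sha1).digest()
            return hmac.compare_digest(expected, value[1:])
    return False                                               # unauthenticated message


class ControlConnection:
    """Receiver side (LNS or LAC). With secret=None it behaves like plain L2TPv2."""

    def __init__(self, local_tid, expected_ns, secret=None):
        self.local_tid, self.expected_ns, self.secret, self.open = local_tid, expected_ns, secret, True

    def receive(self, msg):
        p = parse_control(msg)
        if p["tunnel_id"] != self.local_tid or p["ns"] != self.expected_ns:
            return "ignored"                                   # wrong tunnel or out of sequence
        if self.secret is not None and not verify_digest(msg, self.secret):
            return "rejected: bad or missing digest"
        self.expected_ns += 1
        if p["msg_type"] == MSG_STOPCCN:
            self.open = False
            return "torn down"
        return "accepted"


def demo():
    """Replay the StopCCN attack against a v2-style and a digest-protected receiver."""
    tid, ns, nr = 0x1234, 7, 3            # constructed values an on-path attacker has observed
    forged = build_stopccn(tid, ns, nr, assigned_tid=0x00AA)
    secret = b"constructed-shared-secret"
    v2 = ControlConnection(tid, ns)
    v3 = ControlConnection(tid, ns, secret=secret)
    results = {"v2_forged": v2.receive(forged)}                          # torn down
    results["v3_forged"] = v3.receive(forged)                            # rejected
    results["v3_wrong_key"] = v3.receive(add_digest(forged, b"guess"))   # rejected
    results["v3_legit"] = v3.receive(add_digest(forged, secret))         # torn down: the peer really asked
    results["v2_open"], results["v3_open"] = v2.open, v3.open
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() shows the point of the first countermeasure: the unauthenticated receiver tears the tunnel down on a StopCCN that carries nothing more than values visible on the wire, whereas the digest-protected receiver rejects both the unsigned message and one signed with a guessed key, and honours only the message signed with the real secret. The control-message digest says nothing about PPP frames carried in the data channel, which is why the second attack (the LCP Terminate-Request) needs the separate AVP the paper proposes.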
Keywords :
access protocols; message authentication; virtual private networks; DoS-resistant L2TP architecture; DoS-vulnerability analysis; IETF standard-track VPN protocol; PPP LCP terminate-request; StopCCN attack; attack prevention; integrity check; message authentication; Authentication; Communication system control; Computer crime; Computer science; Network address translation; Protection; Protocols; Tunneling; Virtual private networks;
Conference_Title :
Computer and Information Technology, 2004. CIT '04. The Fourth International Conference on
Print_ISBN :
0-7695-2216-5
DOI :
10.1109/CIT.2004.1357228