l2tp.rst 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786
  1. .. SPDX-License-Identifier: GPL-2.0
  2. ====
  3. L2TP
  4. ====
  5. Layer 2 Tunneling Protocol (L2TP) allows L2 frames to be tunneled over
  6. an IP network.
  7. This document covers the kernel's L2TP subsystem. It documents kernel
  8. APIs for application developers who want to use the L2TP subsystem and
  9. it provides some technical details about the internal implementation
  10. which may be useful to kernel developers and maintainers.
  11. Overview
  12. ========
  13. The kernel's L2TP subsystem implements the datapath for L2TPv2 and
  14. L2TPv3. L2TPv2 is carried over UDP. L2TPv3 is carried over UDP or
  15. directly over IP (protocol 115).
  16. The L2TP RFCs define two basic kinds of L2TP packets: control packets
  17. (the "control plane"), and data packets (the "data plane"). The kernel
  18. deals only with data packets. The more complex control packets are
  19. handled by user space.
  20. An L2TP tunnel carries one or more L2TP sessions. Each tunnel is
  21. associated with a socket. Each session is associated with a virtual
  22. netdevice, e.g. ``pppN``, ``l2tpethN``, through which data frames pass
  23. to/from L2TP. Fields in the L2TP header identify the tunnel or session
  24. and whether it is a control or data packet. When tunnels and sessions
  25. are set up using the Linux kernel API, we're just setting up the L2TP
  26. data path. All aspects of the control protocol are to be handled by
  27. user space.
  28. This split in responsibilities leads to a natural sequence of
  29. operations when establishing tunnels and sessions. The procedure looks
  30. like this:
  31. 1) Create a tunnel socket. Exchange L2TP control protocol messages
  32. with the peer over that socket in order to establish a tunnel.
  33. 2) Create a tunnel context in the kernel, using information
  34. obtained from the peer using the control protocol messages.
  35. 3) Exchange L2TP control protocol messages with the peer over the
  36. tunnel socket in order to establish a session.
  37. 4) Create a session context in the kernel using information
  38. obtained from the peer using the control protocol messages.
  39. L2TP APIs
  40. =========
  41. This section documents each userspace API of the L2TP subsystem.
  42. Tunnel Sockets
  43. --------------
  44. L2TPv2 always uses UDP. L2TPv3 may use UDP or IP encapsulation.
  45. To create a tunnel socket for use by L2TP, the standard POSIX
  46. socket API is used.
  47. For example, for a tunnel using IPv4 addresses and UDP encapsulation::
  48. int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
  49. Or for a tunnel using IPv6 addresses and IP encapsulation::
  50. int sockfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);
  51. UDP socket programming doesn't need to be covered here.
  52. IPPROTO_L2TP is an IP protocol type implemented by the kernel's L2TP
  53. subsystem. The L2TPIP socket address is defined in struct
  54. sockaddr_l2tpip and struct sockaddr_l2tpip6 at
  55. `include/uapi/linux/l2tp.h`_. The address includes the L2TP tunnel
  56. (connection) id. To use L2TP IP encapsulation, an L2TPv3 application
  57. should bind the L2TPIP socket using the locally assigned
  58. tunnel id. When the peer's tunnel id and IP address is known, a
  59. connect must be done.
  60. If the L2TP application needs to handle L2TPv3 tunnel setup requests
  61. from peers using L2TPIP, it must open a dedicated L2TPIP
  62. socket to listen for those requests and bind the socket using tunnel
  63. id 0 since tunnel setup requests are addressed to tunnel id 0.
  64. An L2TP tunnel and all of its sessions are automatically closed when
  65. its tunnel socket is closed.
  66. Netlink API
  67. -----------
  68. L2TP applications use netlink to manage L2TP tunnel and session
  69. instances in the kernel. The L2TP netlink API is defined in
  70. `include/uapi/linux/l2tp.h`_.
  71. L2TP uses `Generic Netlink`_ (GENL). Several commands are defined:
  72. Create, Delete, Modify and Get for tunnel and session
  73. instances, e.g. ``L2TP_CMD_TUNNEL_CREATE``. The API header lists the
  74. netlink attribute types that can be used with each command.
  75. Tunnel and session instances are identified by a locally unique
  76. 32-bit id. L2TP tunnel ids are given by ``L2TP_ATTR_CONN_ID`` and
  77. ``L2TP_ATTR_PEER_CONN_ID`` attributes and L2TP session ids are given
  78. by ``L2TP_ATTR_SESSION_ID`` and ``L2TP_ATTR_PEER_SESSION_ID``
  79. attributes. If netlink is used to manage L2TPv2 tunnel and session
  80. instances, the L2TPv2 16-bit tunnel/session id is cast to a 32-bit
  81. value in these attributes.
  82. In the ``L2TP_CMD_TUNNEL_CREATE`` command, ``L2TP_ATTR_FD`` tells the
  83. kernel the tunnel socket fd being used. If not specified, the kernel
  84. creates a kernel socket for the tunnel, using IP parameters set in
  85. ``L2TP_ATTR_IP[6]_SADDR``, ``L2TP_ATTR_IP[6]_DADDR``,
  86. ``L2TP_ATTR_UDP_SPORT``, ``L2TP_ATTR_UDP_DPORT`` attributes. Kernel
  87. sockets are used to implement unmanaged L2TPv3 tunnels (iproute2's "ip
  88. l2tp" commands). If ``L2TP_ATTR_FD`` is given, it must be a socket fd
  89. that is already bound and connected. There is more information about
  90. unmanaged tunnels later in this document.
  91. ``L2TP_CMD_TUNNEL_CREATE`` attributes:-
  92. ================== ======== ===
  93. Attribute Required Use
  94. ================== ======== ===
  95. CONN_ID Y Sets the tunnel (connection) id.
  96. PEER_CONN_ID Y Sets the peer tunnel (connection) id.
  97. PROTO_VERSION Y Protocol version. 2 or 3.
  98. ENCAP_TYPE Y Encapsulation type: UDP or IP.
  99. FD N Tunnel socket file descriptor.
  100. UDP_CSUM N Enable IPv4 UDP checksums. Used only if FD is
  101. not set.
  102. UDP_ZERO_CSUM6_TX N Zero IPv6 UDP checksum on transmit. Used only
  103. if FD is not set.
  104. UDP_ZERO_CSUM6_RX N Zero IPv6 UDP checksum on receive. Used only if
  105. FD is not set.
  106. IP_SADDR N IPv4 source address. Used only if FD is not
  107. set.
  108. IP_DADDR N IPv4 destination address. Used only if FD is
  109. not set.
  110. UDP_SPORT N UDP source port. Used only if FD is not set.
  111. UDP_DPORT N UDP destination port. Used only if FD is not
  112. set.
  113. IP6_SADDR N IPv6 source address. Used only if FD is not
  114. set.
  115. IP6_DADDR N IPv6 destination address. Used only if FD is
  116. not set.
  117. DEBUG N Debug flags.
  118. ================== ======== ===
  119. ``L2TP_CMD_TUNNEL_DESTROY`` attributes:-
  120. ================== ======== ===
  121. Attribute Required Use
  122. ================== ======== ===
  123. CONN_ID Y Identifies the tunnel id to be destroyed.
  124. ================== ======== ===
  125. ``L2TP_CMD_TUNNEL_MODIFY`` attributes:-
  126. ================== ======== ===
  127. Attribute Required Use
  128. ================== ======== ===
  129. CONN_ID Y Identifies the tunnel id to be modified.
  130. DEBUG N Debug flags.
  131. ================== ======== ===
  132. ``L2TP_CMD_TUNNEL_GET`` attributes:-
  133. ================== ======== ===
  134. Attribute Required Use
  135. ================== ======== ===
  136. CONN_ID N Identifies the tunnel id to be queried.
  137. Ignored in DUMP requests.
  138. ================== ======== ===
  139. ``L2TP_CMD_SESSION_CREATE`` attributes:-
  140. ================== ======== ===
  141. Attribute Required Use
  142. ================== ======== ===
  143. CONN_ID Y The parent tunnel id.
  144. SESSION_ID Y Sets the session id.
  145. PEER_SESSION_ID Y Sets the parent session id.
  146. PW_TYPE Y Sets the pseudowire type.
  147. DEBUG N Debug flags.
  148. RECV_SEQ N Enable rx data sequence numbers.
  149. SEND_SEQ N Enable tx data sequence numbers.
  150. LNS_MODE N Enable LNS mode (auto-enable data sequence
  151. numbers).
  152. RECV_TIMEOUT N Timeout to wait when reordering received
  153. packets.
  154. L2SPEC_TYPE N Sets layer2-specific-sublayer type (L2TPv3
  155. only).
  156. COOKIE N Sets optional cookie (L2TPv3 only).
  157. PEER_COOKIE N Sets optional peer cookie (L2TPv3 only).
  158. IFNAME N Sets interface name (L2TPv3 only).
  159. ================== ======== ===
  160. For Ethernet session types, this will create an l2tpeth virtual
  161. interface which can then be configured as required. For PPP session
  162. types, a PPPoL2TP socket must also be opened and connected, mapping it
  163. onto the new session. This is covered in "PPPoL2TP Sockets" later.
  164. ``L2TP_CMD_SESSION_DESTROY`` attributes:-
  165. ================== ======== ===
  166. Attribute Required Use
  167. ================== ======== ===
  168. CONN_ID Y Identifies the parent tunnel id of the session
  169. to be destroyed.
  170. SESSION_ID Y Identifies the session id to be destroyed.
  171. IFNAME N Identifies the session by interface name. If
  172. set, this overrides any CONN_ID and SESSION_ID
  173. attributes. Currently supported for L2TPv3
  174. Ethernet sessions only.
  175. ================== ======== ===
  176. ``L2TP_CMD_SESSION_MODIFY`` attributes:-
  177. ================== ======== ===
  178. Attribute Required Use
  179. ================== ======== ===
  180. CONN_ID Y Identifies the parent tunnel id of the session
  181. to be modified.
  182. SESSION_ID Y Identifies the session id to be modified.
  183. IFNAME N Identifies the session by interface name. If
  184. set, this overrides any CONN_ID and SESSION_ID
  185. attributes. Currently supported for L2TPv3
  186. Ethernet sessions only.
  187. DEBUG N Debug flags.
  188. RECV_SEQ N Enable rx data sequence numbers.
  189. SEND_SEQ N Enable tx data sequence numbers.
  190. LNS_MODE N Enable LNS mode (auto-enable data sequence
  191. numbers).
  192. RECV_TIMEOUT N Timeout to wait when reordering received
  193. packets.
  194. ================== ======== ===
  195. ``L2TP_CMD_SESSION_GET`` attributes:-
  196. ================== ======== ===
  197. Attribute Required Use
  198. ================== ======== ===
  199. CONN_ID N Identifies the tunnel id to be queried.
  200. Ignored for DUMP requests.
  201. SESSION_ID N Identifies the session id to be queried.
  202. Ignored for DUMP requests.
  203. IFNAME N Identifies the session by interface name.
  204. If set, this overrides any CONN_ID and
  205. SESSION_ID attributes. Ignored for DUMP
  206. requests. Currently supported for L2TPv3
  207. Ethernet sessions only.
  208. ================== ======== ===
  209. Application developers should refer to `include/uapi/linux/l2tp.h`_ for
  210. netlink command and attribute definitions.
  211. Sample userspace code using libmnl_:
  212. - Open L2TP netlink socket::
  213. struct nl_sock *nl_sock;
  214. int l2tp_nl_family_id;
  215. nl_sock = nl_socket_alloc();
  216. genl_connect(nl_sock);
  217. genl_id = genl_ctrl_resolve(nl_sock, L2TP_GENL_NAME);
  218. - Create a tunnel::
  219. struct nlmsghdr *nlh;
  220. struct genlmsghdr *gnlh;
  221. nlh = mnl_nlmsg_put_header(buf);
  222. nlh->nlmsg_type = genl_id; /* assigned to genl socket */
  223. nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  224. nlh->nlmsg_seq = seq;
  225. gnlh = mnl_nlmsg_put_extra_header(nlh, sizeof(*gnlh));
  226. gnlh->cmd = L2TP_CMD_TUNNEL_CREATE;
  227. gnlh->version = L2TP_GENL_VERSION;
  228. gnlh->reserved = 0;
  229. mnl_attr_put_u32(nlh, L2TP_ATTR_FD, tunl_sock_fd);
  230. mnl_attr_put_u32(nlh, L2TP_ATTR_CONN_ID, tid);
  231. mnl_attr_put_u32(nlh, L2TP_ATTR_PEER_CONN_ID, peer_tid);
  232. mnl_attr_put_u8(nlh, L2TP_ATTR_PROTO_VERSION, protocol_version);
  233. mnl_attr_put_u16(nlh, L2TP_ATTR_ENCAP_TYPE, encap);
  234. - Create a session::
  235. struct nlmsghdr *nlh;
  236. struct genlmsghdr *gnlh;
  237. nlh = mnl_nlmsg_put_header(buf);
  238. nlh->nlmsg_type = genl_id; /* assigned to genl socket */
  239. nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  240. nlh->nlmsg_seq = seq;
  241. gnlh = mnl_nlmsg_put_extra_header(nlh, sizeof(*gnlh));
  242. gnlh->cmd = L2TP_CMD_SESSION_CREATE;
  243. gnlh->version = L2TP_GENL_VERSION;
  244. gnlh->reserved = 0;
  245. mnl_attr_put_u32(nlh, L2TP_ATTR_CONN_ID, tid);
  246. mnl_attr_put_u32(nlh, L2TP_ATTR_PEER_CONN_ID, peer_tid);
  247. mnl_attr_put_u32(nlh, L2TP_ATTR_SESSION_ID, sid);
  248. mnl_attr_put_u32(nlh, L2TP_ATTR_PEER_SESSION_ID, peer_sid);
  249. mnl_attr_put_u16(nlh, L2TP_ATTR_PW_TYPE, pwtype);
  250. /* there are other session options which can be set using netlink
  251. * attributes during session creation -- see l2tp.h
  252. */
  253. - Delete a session::
  254. struct nlmsghdr *nlh;
  255. struct genlmsghdr *gnlh;
  256. nlh = mnl_nlmsg_put_header(buf);
  257. nlh->nlmsg_type = genl_id; /* assigned to genl socket */
  258. nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  259. nlh->nlmsg_seq = seq;
  260. gnlh = mnl_nlmsg_put_extra_header(nlh, sizeof(*gnlh));
  261. gnlh->cmd = L2TP_CMD_SESSION_DELETE;
  262. gnlh->version = L2TP_GENL_VERSION;
  263. gnlh->reserved = 0;
  264. mnl_attr_put_u32(nlh, L2TP_ATTR_CONN_ID, tid);
  265. mnl_attr_put_u32(nlh, L2TP_ATTR_SESSION_ID, sid);
  266. - Delete a tunnel and all of its sessions (if any)::
  267. struct nlmsghdr *nlh;
  268. struct genlmsghdr *gnlh;
  269. nlh = mnl_nlmsg_put_header(buf);
  270. nlh->nlmsg_type = genl_id; /* assigned to genl socket */
  271. nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
  272. nlh->nlmsg_seq = seq;
  273. gnlh = mnl_nlmsg_put_extra_header(nlh, sizeof(*gnlh));
  274. gnlh->cmd = L2TP_CMD_TUNNEL_DELETE;
  275. gnlh->version = L2TP_GENL_VERSION;
  276. gnlh->reserved = 0;
  277. mnl_attr_put_u32(nlh, L2TP_ATTR_CONN_ID, tid);
  278. PPPoL2TP Session Socket API
  279. ---------------------------
  280. For PPP session types, a PPPoL2TP socket must be opened and connected
  281. to the L2TP session.
  282. When creating PPPoL2TP sockets, the application provides information
  283. to the kernel about the tunnel and session in a socket connect()
  284. call. Source and destination tunnel and session ids are provided, as
  285. well as the file descriptor of a UDP or L2TPIP socket. See struct
  286. pppol2tp_addr in `include/linux/if_pppol2tp.h`_. For historical reasons,
  287. there are unfortunately slightly different address structures for
  288. L2TPv2/L2TPv3 IPv4/IPv6 tunnels and userspace must use the appropriate
  289. structure that matches the tunnel socket type.
  290. Userspace may control behavior of the tunnel or session using
  291. setsockopt and ioctl on the PPPoX socket. The following socket
  292. options are supported:-
  293. ========= ===========================================================
  294. DEBUG bitmask of debug message categories. See below.
  295. SENDSEQ - 0 => don't send packets with sequence numbers
  296. - 1 => send packets with sequence numbers
  297. RECVSEQ - 0 => receive packet sequence numbers are optional
  298. - 1 => drop receive packets without sequence numbers
  299. LNSMODE - 0 => act as LAC.
  300. - 1 => act as LNS.
  301. REORDERTO reorder timeout (in millisecs). If 0, don't try to reorder.
  302. ========= ===========================================================
  303. In addition to the standard PPP ioctls, a PPPIOCGL2TPSTATS is provided
  304. to retrieve tunnel and session statistics from the kernel using the
  305. PPPoX socket of the appropriate tunnel or session.
  306. Sample userspace code:
  307. - Create session PPPoX data socket::
  308. /* Input: the L2TP tunnel UDP socket `tunnel_fd`, which needs to be
  309. * bound already (both sockname and peername), otherwise it will not be
  310. * ready.
  311. */
  312. struct sockaddr_pppol2tp sax;
  313. int session_fd;
  314. int ret;
  315. session_fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
  316. if (session_fd < 0)
  317. return -errno;
  318. sax.sa_family = AF_PPPOX;
  319. sax.sa_protocol = PX_PROTO_OL2TP;
  320. sax.pppol2tp.fd = tunnel_fd;
  321. sax.pppol2tp.addr.sin_addr.s_addr = addr->sin_addr.s_addr;
  322. sax.pppol2tp.addr.sin_port = addr->sin_port;
  323. sax.pppol2tp.addr.sin_family = AF_INET;
  324. sax.pppol2tp.s_tunnel = tunnel_id;
  325. sax.pppol2tp.s_session = session_id;
  326. sax.pppol2tp.d_tunnel = peer_tunnel_id;
  327. sax.pppol2tp.d_session = peer_session_id;
  328. /* session_fd is the fd of the session's PPPoL2TP socket.
  329. * tunnel_fd is the fd of the tunnel UDP / L2TPIP socket.
  330. */
  331. ret = connect(session_fd, (struct sockaddr *)&sax, sizeof(sax));
  332. if (ret < 0 ) {
  333. close(session_fd);
  334. return -errno;
  335. }
  336. return session_fd;
  337. L2TP control packets will still be available for read on `tunnel_fd`.
  338. - Create PPP channel::
  339. /* Input: the session PPPoX data socket `session_fd` which was created
  340. * as described above.
  341. */
  342. int ppp_chan_fd;
  343. int chindx;
  344. int ret;
  345. ret = ioctl(session_fd, PPPIOCGCHAN, &chindx);
  346. if (ret < 0)
  347. return -errno;
  348. ppp_chan_fd = open("/dev/ppp", O_RDWR);
  349. if (ppp_chan_fd < 0)
  350. return -errno;
  351. ret = ioctl(ppp_chan_fd, PPPIOCATTCHAN, &chindx);
  352. if (ret < 0) {
  353. close(ppp_chan_fd);
  354. return -errno;
  355. }
  356. return ppp_chan_fd;
  357. LCP PPP frames will be available for read on `ppp_chan_fd`.
  358. - Create PPP interface::
  359. /* Input: the PPP channel `ppp_chan_fd` which was created as described
  360. * above.
  361. */
  362. int ifunit = -1;
  363. int ppp_if_fd;
  364. int ret;
  365. ppp_if_fd = open("/dev/ppp", O_RDWR);
  366. if (ppp_if_fd < 0)
  367. return -errno;
  368. ret = ioctl(ppp_if_fd, PPPIOCNEWUNIT, &ifunit);
  369. if (ret < 0) {
  370. close(ppp_if_fd);
  371. return -errno;
  372. }
  373. ret = ioctl(ppp_chan_fd, PPPIOCCONNECT, &ifunit);
  374. if (ret < 0) {
  375. close(ppp_if_fd);
  376. return -errno;
  377. }
  378. return ppp_if_fd;
  379. IPCP/IPv6CP PPP frames will be available for read on `ppp_if_fd`.
  380. The ppp<ifunit> interface can then be configured as usual with netlink's
  381. RTM_NEWLINK, RTM_NEWADDR, RTM_NEWROUTE, or ioctl's SIOCSIFMTU, SIOCSIFADDR,
  382. SIOCSIFDSTADDR, SIOCSIFNETMASK, SIOCSIFFLAGS, or with the `ip` command.
  383. - Bridging L2TP sessions which have PPP pseudowire types (this is also called
  384. L2TP tunnel switching or L2TP multihop) is supported by bridging the PPP
  385. channels of the two L2TP sessions to be bridged::
  386. /* Input: the session PPPoX data sockets `session_fd1` and `session_fd2`
  387. * which were created as described further above.
  388. */
  389. int ppp_chan_fd;
  390. int chindx1;
  391. int chindx2;
  392. int ret;
  393. ret = ioctl(session_fd1, PPPIOCGCHAN, &chindx1);
  394. if (ret < 0)
  395. return -errno;
  396. ret = ioctl(session_fd2, PPPIOCGCHAN, &chindx2);
  397. if (ret < 0)
  398. return -errno;
  399. ppp_chan_fd = open("/dev/ppp", O_RDWR);
  400. if (ppp_chan_fd < 0)
  401. return -errno;
  402. ret = ioctl(ppp_chan_fd, PPPIOCATTCHAN, &chindx1);
  403. if (ret < 0) {
  404. close(ppp_chan_fd);
  405. return -errno;
  406. }
  407. ret = ioctl(ppp_chan_fd, PPPIOCBRIDGECHAN, &chindx2);
  408. close(ppp_chan_fd);
  409. if (ret < 0)
  410. return -errno;
  411. return 0;
  412. It can be noted that when bridging PPP channels, the PPP session is not locally
  413. terminated, and no local PPP interface is created. PPP frames arriving on one
  414. channel are directly passed to the other channel, and vice versa.
  415. The PPP channel does not need to be kept open. Only the session PPPoX data
  416. sockets need to be kept open.
  417. More generally, it is also possible in the same way to e.g. bridge a PPPoL2TP
  418. PPP channel with other types of PPP channels, such as PPPoE.
  419. See more details for the PPP side in ppp_generic.rst.
  420. Old L2TPv2-only API
  421. -------------------
  422. When L2TP was first added to the Linux kernel in 2.6.23, it
  423. implemented only L2TPv2 and did not include a netlink API. Instead,
  424. tunnel and session instances in the kernel were managed directly using
  425. only PPPoL2TP sockets. The PPPoL2TP socket is used as described in
  426. section "PPPoL2TP Session Socket API" but tunnel and session instances
  427. are automatically created on a connect() of the socket instead of
  428. being created by a separate netlink request:
  429. - Tunnels are managed using a tunnel management socket which is a
  430. dedicated PPPoL2TP socket, connected to (invalid) session
  431. id 0. The L2TP tunnel instance is created when the PPPoL2TP
  432. tunnel management socket is connected and is destroyed when the
  433. socket is closed.
  434. - Session instances are created in the kernel when a PPPoL2TP
  435. socket is connected to a non-zero session id. Session parameters
  436. are set using setsockopt. The L2TP session instance is destroyed
  437. when the socket is closed.
  438. This API is still supported but its use is discouraged. Instead, new
  439. L2TPv2 applications should use netlink to first create the tunnel and
  440. session, then create a PPPoL2TP socket for the session.
  441. Unmanaged L2TPv3 tunnels
  442. ------------------------
  443. The kernel L2TP subsystem also supports static (unmanaged) L2TPv3
  444. tunnels. Unmanaged tunnels have no userspace tunnel socket, and
  445. exchange no control messages with the peer to set up the tunnel; the
  446. tunnel is configured manually at each end of the tunnel. All
  447. configuration is done using netlink. There is no need for an L2TP
  448. userspace application in this case -- the tunnel socket is created by
  449. the kernel and configured using parameters sent in the
  450. ``L2TP_CMD_TUNNEL_CREATE`` netlink request. The ``ip`` utility of
  451. ``iproute2`` has commands for managing static L2TPv3 tunnels; do ``ip
  452. l2tp help`` for more information.
  453. Debugging
  454. ---------
  455. The L2TP subsystem offers a range of debugging interfaces through the
  456. debugfs filesystem.
  457. To access these interfaces, the debugfs filesystem must first be mounted::
  458. # mount -t debugfs debugfs /debug
  459. Files under the l2tp directory can then be accessed, providing a summary
  460. of the current population of tunnel and session contexts existing in the
  461. kernel::
  462. # cat /debug/l2tp/tunnels
  463. The debugfs files should not be used by applications to obtain L2TP
  464. state information because the file format is subject to change. It is
  465. implemented to provide extra debug information to help diagnose
  466. problems. Applications should instead use the netlink API.
  467. In addition the L2TP subsystem implements tracepoints using the standard
  468. kernel event tracing API. The available L2TP events can be reviewed as
  469. follows::
  470. # find /debug/tracing/events/l2tp
  471. Finally, /proc/net/pppol2tp is also provided for backwards compatibility
  472. with the original pppol2tp code. It lists information about L2TPv2
  473. tunnels and sessions only. Its use is discouraged.
  474. Internal Implementation
  475. =======================
  476. This section is for kernel developers and maintainers.
  477. Sockets
  478. -------
  479. UDP sockets are implemented by the networking core. When an L2TP
  480. tunnel is created using a UDP socket, the socket is set up as an
  481. encapsulated UDP socket by setting encap_rcv and encap_destroy
  482. callbacks on the UDP socket. l2tp_udp_encap_recv is called when
  483. packets are received on the socket. l2tp_udp_encap_destroy is called
  484. when userspace closes the socket.
  485. L2TPIP sockets are implemented in `net/l2tp/l2tp_ip.c`_ and
  486. `net/l2tp/l2tp_ip6.c`_.
  487. Tunnels
  488. -------
  489. The kernel keeps a struct l2tp_tunnel context per L2TP tunnel. The
  490. l2tp_tunnel is always associated with a UDP or L2TP/IP socket and
  491. keeps a list of sessions in the tunnel. When a tunnel is first
  492. registered with L2TP core, the reference count on the socket is
  493. increased. This ensures that the socket cannot be removed while L2TP's
  494. data structures reference it.
  495. Tunnels are identified by a unique tunnel id. The id is 16-bit for
  496. L2TPv2 and 32-bit for L2TPv3. Internally, the id is stored as a 32-bit
  497. value.
  498. Tunnels are kept in a per-net list, indexed by tunnel id. The
  499. tunnel id namespace is shared by L2TPv2 and L2TPv3.
  500. Handling tunnel socket close is perhaps the most tricky part of the
  501. L2TP implementation. If userspace closes a tunnel socket, the L2TP
  502. tunnel and all of its sessions must be closed and destroyed. Since the
  503. tunnel context holds a ref on the tunnel socket, the socket's
  504. sk_destruct won't be called until the tunnel sock_put's its
  505. socket. For UDP sockets, when userspace closes the tunnel socket, the
  506. socket's encap_destroy handler is invoked, which L2TP uses to initiate
  507. its tunnel close actions. For L2TPIP sockets, the socket's close
  508. handler initiates the same tunnel close actions. All sessions are
  509. first closed. Each session drops its tunnel ref. When the tunnel ref
  510. reaches zero, the tunnel drops its socket ref.
  511. Sessions
  512. --------
  513. The kernel keeps a struct l2tp_session context for each session. Each
  514. session has private data which is used for data specific to the
  515. session type. With L2TPv2, the session always carries PPP
  516. traffic. With L2TPv3, the session can carry Ethernet frames (Ethernet
  517. pseudowire) or other data types such as PPP, ATM, HDLC or Frame
  518. Relay. Linux currently implements only Ethernet and PPP session types.
  519. Some L2TP session types also have a socket (PPP pseudowires) while
  520. others do not (Ethernet pseudowires).
  521. Like tunnels, L2TP sessions are identified by a unique
  522. session id. Just as with tunnel ids, the session id is 16-bit for
  523. L2TPv2 and 32-bit for L2TPv3. Internally, the id is stored as a 32-bit
  524. value.
  525. Sessions hold a ref on their parent tunnel to ensure that the tunnel
  526. stays extant while one or more sessions references it.
  527. Sessions are kept in a per-net list. L2TPv2 sessions and L2TPv3
  528. sessions are stored in separate lists. L2TPv2 sessions are keyed
  529. by a 32-bit key made up of the 16-bit tunnel ID and 16-bit
  530. session ID. L2TPv3 sessions are keyed by the 32-bit session ID, since
  531. L2TPv3 session ids are unique across all tunnels.
  532. Although the L2TPv3 RFC specifies that L2TPv3 session ids are not
  533. scoped by the tunnel, the Linux implementation has historically
  534. allowed this. Such session id collisions are supported using a per-net
  535. hash table keyed by sk and session ID. When looking up L2TPv3
  536. sessions, the list entry may link to multiple sessions with that
  537. session ID, in which case the session matching the given sk (tunnel)
  538. is used.
  539. PPP
  540. ---
  541. `net/l2tp/l2tp_ppp.c`_ implements the PPPoL2TP socket family. Each PPP
  542. session has a PPPoL2TP socket.
  543. The PPPoL2TP socket's sk_user_data references the l2tp_session.
  544. Userspace sends and receives PPP packets over L2TP using a PPPoL2TP
  545. socket. Only PPP control frames pass over this socket: PPP data
  546. packets are handled entirely by the kernel, passing between the L2TP
  547. session and its associated ``pppN`` netdev through the PPP channel
  548. interface of the kernel PPP subsystem.
  549. The L2TP PPP implementation handles the closing of a PPPoL2TP socket
  550. by closing its corresponding L2TP session. This is complicated because
  551. it must consider racing with netlink session create/destroy requests
  552. and pppol2tp_connect trying to reconnect with a session that is in the
  553. process of being closed. PPP sessions hold a ref on their associated
  554. socket in order that the socket remains extants while the session
  555. references it.
  556. Ethernet
  557. --------
  558. `net/l2tp/l2tp_eth.c`_ implements L2TPv3 Ethernet pseudowires. It
  559. manages a netdev for each session.
  560. L2TP Ethernet sessions are created and destroyed by netlink request,
  561. or are destroyed when the tunnel is destroyed. Unlike PPP sessions,
  562. Ethernet sessions do not have an associated socket.
  563. Miscellaneous
  564. =============
  565. RFCs
  566. ----
  567. The kernel code implements the datapath features specified in the
  568. following RFCs:
  569. ======= =============== ===================================
  570. RFC2661 L2TPv2 https://tools.ietf.org/html/rfc2661
  571. RFC3931 L2TPv3 https://tools.ietf.org/html/rfc3931
  572. RFC4719 L2TPv3 Ethernet https://tools.ietf.org/html/rfc4719
  573. ======= =============== ===================================
  574. Implementations
  575. ---------------
  576. A number of open source applications use the L2TP kernel subsystem:
  577. ============ ==============================================
  578. iproute2 https://github.com/shemminger/iproute2
  579. go-l2tp https://github.com/katalix/go-l2tp
  580. tunneldigger https://github.com/wlanslovenija/tunneldigger
  581. xl2tpd https://github.com/xelerance/xl2tpd
  582. ============ ==============================================
  583. Limitations
  584. -----------
  585. The current implementation has a number of limitations:
  586. 1) Interfacing with openvswitch is not yet implemented. It may be
  587. useful to map OVS Ethernet and VLAN ports into L2TPv3 tunnels.
  588. 2) VLAN pseudowires are implemented using an ``l2tpethN`` interface
  589. configured with a VLAN sub-interface. Since L2TPv3 VLAN
  590. pseudowires carry one and only one VLAN, it may be better to use
  591. a single netdevice rather than an ``l2tpethN`` and ``l2tpethN``:M
  592. pair per VLAN session. The netlink attribute
  593. ``L2TP_ATTR_VLAN_ID`` was added for this, but it was never
  594. implemented.
  595. Testing
  596. -------
  597. Unmanaged L2TPv3 Ethernet features are tested by the kernel's built-in
  598. selftests. See `tools/testing/selftests/net/l2tp.sh`_.
  599. Another test suite, l2tp-ktest_, covers all
  600. of the L2TP APIs and tunnel/session types. This may be integrated into
  601. the kernel's built-in L2TP selftests in the future.
  602. .. Links
  603. .. _Generic Netlink: generic_netlink.html
  604. .. _libmnl: https://www.netfilter.org/projects/libmnl
  605. .. _include/uapi/linux/l2tp.h: ../../../include/uapi/linux/l2tp.h
  606. .. _include/linux/if_pppol2tp.h: ../../../include/linux/if_pppol2tp.h
  607. .. _net/l2tp/l2tp_ip.c: ../../../net/l2tp/l2tp_ip.c
  608. .. _net/l2tp/l2tp_ip6.c: ../../../net/l2tp/l2tp_ip6.c
  609. .. _net/l2tp/l2tp_ppp.c: ../../../net/l2tp/l2tp_ppp.c
  610. .. _net/l2tp/l2tp_eth.c: ../../../net/l2tp/l2tp_eth.c
  611. .. _tools/testing/selftests/net/l2tp.sh: ../../../tools/testing/selftests/net/l2tp.sh
  612. .. _l2tp-ktest: https://github.com/katalix/l2tp-ktest