FireBrick - Firewalls, Bonding ADSL, Routers, Traffic Shaping...
FireBrick FB6000
L2TP interface specification
The FireBrick operates as an L2TP/RADIUS LNS supporting incoming connections and termination as well as L2TP relay. Connections are authenticated using RADIUS and provide RADIUS accounting.
L2TP interface
Start-Control-Connection-Request (SCCRQ)
| AVP | Incoming | Outgoing |
|---|---|---|
| Protocol Version | Mandatory, value 1 expected | Value 1 |
| Host Name | Used to select which incoming L2TP configuration applies. | As per config/RADIUS request |
| Framing Capabilities | Ignored | 3 |
| Assigned Tunnel ID | Mandatory | Mandatory, our tunnel ID |
| Bearer Capabilities | Ignored | Not sent |
| Receive Window Size | Accepted, assumed 4 if not present or less than 4 is specified | Value 4 |
| Challenge | Accepted if a configured secret is defined, a response is sent in the SCCRP | Not sent at present |
| Tie Breaker | Ignored as FireBrick only accepts connections for inbound calls | Not sent |
| Firmware Revision | Ignored | FireBrick s/w version string |
| Vendor Name | Ignored | FireBrick Ltd |
Start-Control-Connection-Reply (SCCRP)
| AVP | Incoming | Outgoing |
|---|---|---|
| Protocol Version | Value 1 expected | Value 1 |
| Framing Capabilities | Ignored | 3 |
| Host Name | Logged as hostname for tunnel | Configured hostname, if defined |
| Assigned Tunnel ID | Expected as far end ID | Mandatory, our tunnel ID |
| Bearer Capabilities | Ignored | Not sent |
| Firmware Revision | Ignored | FireBrick s/w version string |
| Vendor Name | Ignored | FireBrick Ltd |
| Receive Window Size | Accepted, assimed 4 if not present or less than 4 | Not sent, assume 4 |
| Challenge | Accepted if a configured secret is defined, a response is sent in the SCCCN | Not sent at present |
| Challenge Response | Not expected at present | Sent if SCCRQ contained a channel and we have a secret defined |
Start-Control-Connection-Connected (SCCCN)
| AVP | Incoming | Outgoing |
|---|---|---|
| Challenge Response | Not expected | Sent if was challenged |
Stop-Control-Connection-Notification (StopCCN)
| AVP | Incoming | Outgoing |
|---|---|---|
| Assigned Tunnel ID | Expected, see note | Sent if a tunnel has been allocated |
| Result Code | Ignored (logged) | Sent as appropriate for tunnel close |
Note that a StopCCN may not have a zero tunnel ID in the header. If this is the case the source IP, port and assigned tunnel are used to identify the tunnel.
If an unknown tunnel ID is received on any any incoming packet a StopCCN is generated (once per 10 seconds) with header tunnel ID 0 and specified assigned tunnel ID.
Hello (HELLO)
Always responded to. Sent periodically if no other messages sent.
Incoming-Call-Request (ICRQ)
| AVP | Incoming | Outgoing |
|---|---|---|
| Assigned Session ID | Mandatory | Mandatory, our session ID |
| Call Serial Number | Accepted and passed on if relaying | Passed on incoming value |
| Bearer Type | Ignored | Not sent |
| Physical Channel ID | Ignored | Not sent |
| Calling Number | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Called Number | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Sub-Address | Ignored | Not sent |
Incoming-Call-Reply (ICRP)
| AVP | Incoming | Outgoing |
|---|---|---|
| Assigned Session ID | Mandatory | Mandatory |
Incoming-Call-Connected (ICCN)
| AVP | Incoming | Outgoing |
|---|---|---|
| Tx Connect Speed | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Framing Type | Ignored | 1 |
| Initial Received LCP CONFREQ | Ignored | Not sent |
| Last Sent LCP CONFREQ | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Last Received LCP CONFREQ | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Proxy Authen Type | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Proxy Authen Name | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Proxy Authen Challenge | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Proxy Authen ID | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Proxy Authen Response | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Private Group ID | Ignored | Not sent |
| Rx Connect Speed | Accepted, used in RADIUS and passed on if relaying | Passed on incoming value |
| Sequencing Required | Accepted on honoured | Not sent |
Outgoing-Call-Request (OCRQ)
Not supported, ignored
Outgoing-Call-Reply (OCRP)
Not supported, ignored
Outgoing-Call-Connected (OCCN)
Not supported, ignored
Call-Disconnect-Notify (CDN)
| AVP | Incoming | Outgoing |
|---|---|---|
| Result Code | Ignored (logged) | Sent as appropriate for tunnel close |
| Assigned Session ID | Expected, see note | Sent if assigned |
| Q.931 Cause Code | Ignored | Not sent |
WAN-Error-Notify (WEN)
Not supported, ignored
Set-Link-Info (SLI)
Not supported, ignored
BT specific notes
The L2TP and PPP specifications are clear that the HDLC framing bytes are not sent or received within the L2TP packet. However, BT send type bytes (FF 03) on the start of all PPP frames. This is silently discarded. Also, BT will not process packets if these type bytes are not included in outgoing packets. Sending the HDLC framing can be controlled in the config and on a per session basis using a Filter-Id in RADIUS authentication response.
BT sometimes negotiate incorrect MRUs on behalf of the LNS. Where the L2TP proxy details indicate and incorrect MRU has been negotiated then LCP negotiation is restarted and the correct MRU negotiates. This helps avoid various issues with fragmentation on some services on the internet when the broadband fully supports 1500 byte MTU. This is also relevant where the FB6000 is deliberately configured to use a smaller MRU for example when the L2TP connection is remote via a 1500 MTU link.
There are options using Filter-Id from RADIUS to force LCP restart. However this does confuse some ppp implementations as it is after authentication is complete. This can be useful where BT have provided an incorrect MRU for the end user (another bug). There is also an option to forward 1500 byte packets rather than fragmenting them. When enabled ICMP is still generated for DF and IPv6.
Native IPv6 packets sent via some BT 20CN RASs fail if the packet length is under 72 bytes. All short IPv6 native packets are PPP padded to this minimum to work around this bug.