L2TP 101 ON-RAMP TO CONSUMING WHOLESALE BROADBAND SERVICES
1. L2TP 101
ON-RAMP TO CONSUMING
WHOLESALE BROADBAND SERVICES
https://faelix.link/netmcr57
2. About Marek
Stuff I do:
CTO @FAELIX – https://faelix.net/
PC @uknof – https://uknof.uk/
Crew @net_mcr – https://www.netmcr.uk/
Trail of SSIDs in my wake: "AS41495 Faelix Limited"
Me — @maznu – @NetworkMoose
3. This Talk
Aimed at anyone starting their journey with
providing ADSL/FTTC/SoGEA/GFast/FTTP via
wholesale L2TP.
Will touch on ISO/OSI layers 1-7 + 8 + 9.
11. FTTP: The ONT
Copper demarcation is “BT Master Socket”
Fibre demarcation is “The ONT”
PON fibre in, ethernet out (and maybe FXS for VoIP)
Some ONTs have multiple ethernet ports
Separate customer services, multiple providers
Total bandwidth still limited by the PON
18. L2TP (v2)
L2TP = Layer-2 Tunnelling Protocol
Typically IPv4 UDP port 1701
20 (IP) + 8 (UDP) + 12 (L2TP) bytes of headers; the L2TPv2 header is 6 bytes at minimum (flags/version, tunnel ID, session ID) and 12 with the optional length, Ns/Nr and offset fields, and PPP framing sits on top of that, so budget the MTU accordingly
Multiple sessions within one tunnel (one session per PPP subscriber)
Tunnels can be authenticated with a shared secret (CHAP-style challenge/response at tunnel setup)
PPP sessions can be authenticated (PAP/CHAP, usually against RADIUS)
No encryption in L2TPv2 itself: PPP traffic crosses the LAC-to-LNS path in the clear
Can add/drop L2TP sessions in and out of tunnels
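As an added example (not code from the talk or from Faelix), a small Python parser for the L2TPv2 header that shows where the "12 bytes" comes from: the header grows from 6 to 12 bytes as the L, S and O bits switch optional fields on, and it rejects flag combinations RFC 2661 forbids on control messages. The sample packets are constructed here, not captures, and the default PPP framing overhead of 4 bytes (HDLC address/control plus the protocol field) is an assumption for the example.

```python
import struct

# L2TPv2 header flag bits, RFC 2661 section 3.1.
T_BIT = 0x8000     # 1 = control message, 0 = data message
L_BIT = 0x4000     # Length field present
S_BIT = 0x0800     # Ns/Nr sequence fields present
O_BIT = 0x0200     # Offset Size field present
P_BIT = 0x0100     # Priority (data messages only)
VER_MASK = 0x000F

IP_HDR, UDP_HDR = 20, 8


def parse_l2tp_header(pkt: bytes) -> dict:
    """Parse the L2TPv2 header at the start of a UDP payload.

    Returns the header fields plus 'header_len' (including any offset padding),
    so pkt[header_len:] is the PPP frame. Raises ValueError for a version other
    than 2, a truncated header, or a flag combination RFC 2661 forbids.
    """
    if len(pkt) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack_from("!H", pkt, 0)[0]
    if flags & VER_MASK != 2:
        raise ValueError(f"unsupported L2TP version {flags & VER_MASK}")
    control = bool(flags & T_BIT)
    # Control messages MUST carry L and S and MUST NOT carry O or P.
    if control and (not flags & L_BIT or not flags & S_BIT or flags & (O_BIT | P_BIT)):
        raise ValueError("illegal flag combination for a control message")
    pos = 2
    length = None
    if flags & L_BIT:
        length = struct.unpack_from("!H", pkt, pos)[0]
        pos += 2
    tunnel_id, session_id = struct.unpack_from("!HH", pkt, pos)
    pos += 4
    ns = nr = None
    if flags & S_BIT:
        ns, nr = struct.unpack_from("!HH", pkt, pos)
        pos += 4
    if flags & O_BIT:
        pos += 2 + struct.unpack_from("!H", pkt, pos)[0]
    if pos > len(pkt):
        raise ValueError("header runs past end of packet")
    if length is not None and length != len(pkt):
        raise ValueError(f"length field {length} != packet length {len(pkt)}")
    return {
        "control": control, "priority": bool(flags & P_BIT), "length": length,
        "tunnel_id": tunnel_id, "session_id": session_id,
        "ns": ns, "nr": nr, "header_len": pos,
    }


def is_valid_l2tp(pkt: bytes) -> bool:
    """True if pkt parses as a well-formed L2TPv2 message."""
    try:
        parse_l2tp_header(pkt)
        return True
    except (ValueError, struct.error):
        return False


def tunnel_overhead(pkt: bytes, ppp_framing: int = 4) -> int:
    """Per-packet bytes of IP + UDP + L2TP + PPP framing for this header shape.

    ppp_framing=4 assumes the HDLC address/control bytes (0xFF 0x03) plus the
    2-byte PPP protocol field; with ACFC negotiated it is 2. The default is an
    assumption made for this example, not a figure from the talk.
    """
    return IP_HDR + UDP_HDR + parse_l2tp_header(pkt)["header_len"] + ppp_framing


def build_data_message(tunnel_id: int, session_id: int, ppp: bytes, with_length=False) -> bytes:
    """Encode a data message carrying one PPP frame (6- or 8-byte header)."""
    flags = 2 | (L_BIT if with_length else 0)
    hdr = struct.pack("!H", flags)
    if with_length:
        hdr += struct.pack("!H", 8 + len(ppp))
    return hdr + struct.pack("!HH", tunnel_id, session_id) + ppp


def build_zlb(tunnel_id: int, ns: int, nr: int) -> bytes:
    """Encode a Zero-Length Body control message (the 12-byte keepalive/ack)."""
    return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12, tunnel_id, 0, ns, nr)


# Constructed samples (not captures): start of a PPP IPv4 frame, HDLC addr/ctrl + protocol.
PPP_IPV4 = b"\xff\x03\x00\x21"
DATA_MIN = build_data_message(1, 5, PPP_IPV4)                    # 6-byte header
DATA_LEN = build_data_message(1, 5, PPP_IPV4, with_length=True)  # 8-byte header
ZLB_ACK = build_zlb(1, 7, 3)                                     # 12-byte header
# Control message without the mandatory L bit: must be rejected.
BAD_CONTROL = struct.pack("!HHHHH", T_BIT | S_BIT | 2, 1, 0, 7, 3)

if __name__ == "__main__":
    for name, pkt in [("data/min", DATA_MIN), ("data/len", DATA_LEN), ("zlb", ZLB_ACK)]:
        h = parse_l2tp_header(pkt)
        print(f"{name}: header {h['header_len']}B, overhead {tunnel_overhead(pkt)}B")
```

The 12-byte figure on the slide is the control-message (and worst-case data) header; most LACs send data with only the 6-byte or 8-byte form, which is why the PPP MRU you negotiate matters more than the nominal 40 bytes when sizing for a 1500-byte access line.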
19. Terminology
LNS = L2TP Network Server
LAC = L2TP Access Concentrator
LTS = L2TP Tunnel Switch (Cisco “L2TP Multihop”)
RADIUS = Remote Authentication Dial-In User Service
22. LAC and LNS
LAC “concentrates” (aggregates) customers
Based on the authenticating user's realm it will try to create an L2TP tunnel and session to your LNS
Might use RADIUS steering to determine LNS IPs and L2TP secrets
Or might have a static per-realm configuration
And now you’re running PPP end-to-end!
39. FreeRADIUS: Steering
update {
    reply:Tunnel-Server-Endpoint:0 = "192.0.2.1"
    reply:Tunnel-Password:0 = "hunter2"
    reply:Tunnel-Type:0 = L2TP
    reply:Tunnel-Medium-Type:0 = IP
    control:Auth-Type = "Accept"
}
Full write-up at faelix.net/news (includes ExaBGP
and service tests for HA)
40. FreeRADIUS: AAA
Actually nothing clever required!
We added a feature to our setup:
user+steer@realm
treated as user@steer.realm for session steering
but treated as user@realm for auth
41. user+steer@realm
Steer sessions from user-side to specific LNSs
One tunnel to London, another to Manchester
BGP route servers to receive nearby IX CDN prefixes
Anycast DNS helps CDNs to serve traffic locally
Will be giving a talk about this at LINX on 31st March
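As an added example for the steering slides above (slides 39 to 41), and not Faelix's own FreeRADIUS configuration, here is the user+steer@realm decision in Python: the username is split into the identity the auth backend sees (user@realm) and the realm that picks the LNS (user@steer.realm), and the reply carries the same tagged Tunnel-* attributes the unlang snippet sets. The steering table, realm names and secrets are constructed for the example; the choice to fall back to the realm's default LNS on an unknown suffix is a design decision made here, not one the talk describes.

```python
import re
from dataclasses import dataclass

# Constructed steering table: steering realm -> (LNS address, tunnel secret).
# Addresses are RFC 5737 documentation ranges; names and secrets are made up.
STEERING = {
    "example.net":            ("192.0.2.1",    "hunter2"),  # default LNS for the realm
    "london.example.net":     ("192.0.2.1",    "hunter2"),
    "manchester.example.net": ("198.51.100.1", "hunter2"),
}
AUTH_REALMS = {"example.net"}   # realms this RADIUS server will authenticate

# user, optional "+steer" suffix, "@", realm; '+' and '@' cannot appear inside a part.
USERNAME_RE = re.compile(r"^(?P<user>[^@+]+)(?:\+(?P<steer>[^@+]+))?@(?P<realm>[^@+]+)$")


@dataclass
class Decision:
    auth_identity: str   # what the auth backend sees: user@realm
    steer_realm: str     # what selects the LNS: steer.realm (or just realm)
    reply: dict          # RADIUS reply attributes returned to the LAC


def steer(username: str):
    """Return a Decision for the LAC, or None to Access-Reject a foreign realm."""
    m = USERNAME_RE.match(username)
    if not m:
        raise ValueError(f"malformed username {username!r}")
    user, suffix, realm = m["user"], m["steer"], m["realm"]
    if realm not in AUTH_REALMS:
        return None
    steer_realm = f"{suffix}.{realm}" if suffix else realm
    # Unknown steering suffix falls back to the realm's default LNS (a design
    # choice for this example) so a typo in the suffix does not lock the line out.
    endpoint, secret = STEERING.get(steer_realm, STEERING[realm])
    reply = {
        "Tunnel-Type:0": "L2TP",
        "Tunnel-Medium-Type:0": "IP",
        "Tunnel-Server-Endpoint:0": endpoint,
        "Tunnel-Password:0": secret,
    }
    return Decision(f"{user}@{realm}", steer_realm, reply)


if __name__ == "__main__":
    for name in ["alice+manchester@example.net", "bob@example.net", "eve@other.example"]:
        print(name, "->", steer(name))
```

Note that Tunnel-Password travels in the Access-Accept to the carrier's LAC (RFC 2868 encrypts it under the RADIUS shared secret), so the L2TP tunnel secret is only as private as your RADIUS relationship with the wholesaler.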
43. Experience: Enta
Available in: MA1, THN, THW, THE, LD8…
Seemed easy to onboard with
There were still per-Mbit/s charges on some packages
Otherwise a strong expectation to meet the MoQ (minimum order quantity)
Access via BTW (BT Wholesale) and Enta LLU
NB: we didn't finish onboarding with Enta, but might complete this in future if there is demand/requirement
44. Experience: ICUK
Available in: THN, THW, LD8
Pretty easy to on-board with: sent an email
Apply for your OFCOM RID before starting
Deposit required, plus some setup charges
One realm per customer, statically steered
One 1G NNI (unless you reach volume targets based
on lines, or pay monthly for extra NNI)
Access via BTW and TTB (TalkTalk Business)
45. Experience: Zen
Available in: MA1, THN, THE… LON1/2/3?
Took ages to get them to talk to us
Dedicated onboarding, weekly progress meetings
Unlimited realms, supports RADIUS steering
Expectation of multiple 10G NNIs
“Want to see a sales path to hundreds of tails in Y1”
BTW and Zen LLU (and TTB, but not on wholesale)
46. Experience: APIs
ICUK’s API is easy for availability searches and
ordering (albeit slightly unusual authentication)
Zen’s API doesn’t like User-Agent: /.*python.*/
ICUK’s API for everything: WLR and broadband
Zen’s API only for broadband, can’t choose network
WLR is third-party, doesn’t seem to be API?
48. Wholesale Line Rental
The “copper pair” required for ADSL, FTTC, GFast
Approximately £9-11/month (plus calls)
“Naked” FTTC = SoGEA (no telephone line)
SoGFast exists (but not always productised)
SoGEA/SoGFast services are slightly cheaper overall (no separate WLR to pay for)
FTTP has no copper pair, all fibre, VoIP telephony