netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: James Chapman <jchapman@katalix.com>
To: Benjamin LaHaise <bcrl@kvack.org>,
	"David S. Miller" <davem@davemloft.net>
Cc: netdev@oss.sgi.com, kleptog@svana.org, mostrows@styx.uwaterloo.ca
Subject: Re: PPP-over-L2TP kernel support, new patch for review
Date: Wed, 22 Sep 2004 10:58:12 +0100	[thread overview]
Message-ID: <1095847092.41514cb435b7e@www.katalix.com> (raw)
In-Reply-To: <20040921210427.GB19575@kvack.org>

Although Ben and I are both working on L2TP projects, I think we're
targetting two totally different usage scenarios.

Time for some ASCII art...

1. ISP scenario

               +----+
            ---+ D  |
            ---| S  |      +--------+              +-------+
            ---| L  |======|  LAC   |==============| LNS   |
            ---| A  |      |        |              |       |
            ---| M  |      +--------+              +-------+
            ---|    |
            ---|    |
            ---|    |
               +----+
     thousands       PPPoA           each PPP session
     of PPP          or              tunneled thru
     clients         PPPoE           L2TP session to LNS


2. VPN scenario

           +---+                                  +------+
           |LAC+----------------------------------|      |
           +---+                                  |      |
           +---+                                  |      |
           |LAC+----------------------------------| LNS  |
           +---+                                  |      |
           +---+                                  |      |
           |LAC+----------------------------------|      |
           +---+                                  |      |
                                                  +------+
        PPP client                               Terminates
        in each LAC.                             multiple tunnels
        Typically 1
        session per tunnel

Ben is addressing the ISP case, where client PPP sessions are
terminated only temporarily at the LAC while it authenticates the PPP
users to decide how to tunnel them. Each PPP session is then tunneled
straight through the LAC via an L2TP session (inside an L2TP tunnel)
to the LNS. Scalability is important here, which Ben has addressed.

I'm addressing the VPN case, where multiple clients (M$ L2TP/IPSEC
or rp-l2tp/openl2tp clients) connect to an enterprise VPN server.
Current solutions involve userspace pty hacks in the datapath,
shunting data in and out of pppd ttys. The proposed driver moves the
datapath into the kernel where it should be. The driver integrates
with existing PPP and IPSEC kernel subsystems and will handle
hundreds of sessions today.

The biggest difference in our approaches is that Martijn and I use a
PPPoL2TP socket per session bound through a plain AF_INET UDP tunnel
socket while Ben uses a new AF_L2TP tunnel socket and no separate
socket per session. Both have their merits.

If I can put the case for our driver, Linux really needs a good VPN
solution. I know of two companies that run their offices with Linux
servers yet they both retain a Microsoft server _only_ to provide VPN
access to off-site workers. Including this driver in the kernel will
enable us to build binary packages for OpenL2TP and perhaps other L2TP
solutions like rp-l2tp would be updated to use it too. Being able to
handle hundreds (not thousands) of sessions is more than adequate
in this case.

Where do we go from here then? Perhaps both approaches are equally
valid and could even co-exist in the Linux kernel distribution?

/james

Quoting Benjamin LaHaise <bcrl@kvack.org>:

> > - Architecture seems to be using char devices for communication with
> >   the kernel and all the PPP datapath is handled by custom virtual
> >   net_devices; the generic PPP kernel code isn't used as far as I can
> >   tell. Unfortunately it is very old (linux-2.0 era I think) but Ben
> >   has probably updated it.
>
> I've updated it.  The current build is at http://www.kvack.org/~bcrl/babylon/
> and is 1.6-pre3-bcrl8.

[snip]

  parent reply	other threads:[~2004-09-22  9:58 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-09-20 21:11 PPP-over-L2TP kernel support, new patch for review James Chapman
2004-09-20 21:17 ` David S. Miller
2004-09-21  9:55   ` James Chapman
2004-09-21 21:04     ` Benjamin LaHaise
2004-09-21 23:07       ` Herbert Xu
2004-09-22  0:00         ` Michael Richardson
2004-09-22  1:14         ` Benjamin LaHaise
2004-09-22  2:42           ` David S. Miller
2004-09-22  3:03           ` jamal
2004-09-22  9:58       ` James Chapman [this message]
2004-09-22 10:53         ` Herbert Xu
2004-09-22 21:28           ` James Chapman
2004-09-22 22:05             ` Herbert Xu
2004-09-23 18:34             ` Martijn van Oosterhout
2004-09-21 21:11   ` Benjamin LaHaise

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1095847092.41514cb435b7e@www.katalix.com \
    --to=jchapman@katalix.com \
    --cc=bcrl@kvack.org \
    --cc=davem@davemloft.net \
    --cc=kleptog@svana.org \
    --cc=mostrows@styx.uwaterloo.ca \
    --cc=netdev@oss.sgi.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).