Network Design Tunnelling Protocols


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

This report discusses tunnelling protocols. It covers what tunnelling is, why it is used, the main tunnelling protocols (GRE, PPTP and SSTP) and how they compare with one another.

What is tunnelling and why do we use it?

Tunnelling carries the packets of one protocol across a network that runs a different protocol, by encapsulating each packet inside a datagram of the second protocol. Three protocols are involved: the carrier protocol used by the network over which the data is transmitted (for example IP), an encapsulating protocol that provides the datagram the original packet is wrapped in, and the passenger protocol, which is the protocol of the original packet (Rackley, 2011). Tunnelling by itself does not make a link secure: the tunnel only hides the passenger protocol from the intermediate network, and confidentiality, integrity and authentication are provided only when the tunnelling protocol adds them (as IPsec and SSTP do and plain GRE does not). Tunnelling technology usually operates at layer 2 (the data link layer) or layer 3 (the network layer) of the OSI model, and most if not all tunnelling protocols fall under one of these two layers (Barry D. Lewis, 2004).

Tunnelling protocols were developed to connect systems or networks across infrastructure that cannot carry their traffic natively; the secure, private channels that VPNs need come from those protocols that add authentication and encryption on top of the tunnel.

Tunnelling Protocols

Generic Routing Encapsulation (GRE)

Generic Routing Encapsulation (GRE) was originally developed to carry any OSI layer 3 protocol over an IP network; it creates a private point-to-point connection, similar to a VPN (Virtual Private Network) but without a VPN's cryptographic protection. Despite its name, GRE is not a routing protocol but an encapsulation protocol: the inner (passenger) packet becomes the payload of a GRE header, which is in turn carried in an outer IP packet (IP protocol number 47) to the far end of the tunnel, where it is unwrapped and forwarded to its destination. GRE has several advantages: it can transport multicast and IPv6 between networks, it can carry multiple protocols over a single transport protocol, it provides a workaround for networks with limited hop counts, it connects discontiguous sub-networks and it allows VPN-style connectivity across WANs (Wide Area Networks). Its weakness is security: GRE neither encrypts nor authenticates the data it carries, unlike IPsec (IP Security), so on its own it is unsuitable for untrusted networks and is usually combined with IPsec (GRE over IPsec) when confidentiality is needed. (Tessa Parmenter, 2011)

Even though GRE offers no security of its own, there are reasons to use it. It is simple and flexible, and it provides features that are useful in practice. As noted above, GRE can carry multiple protocols, including protocols that the intervening IP network cannot route natively, such as IPX or AppleTalk. Finally, the absence of encryption and authentication makes it very easy to debug: pinging through the tunnel or to the tunnel endpoint addresses is enough to verify connectivity, with no authentication or key negotiation to get in the way. The same transparency means that anyone on the path can read, alter or inject tunnel traffic, which is why GRE should only be used bare on networks that are already trusted. (Kevin Dooley, 2008)

Point to Point Tunnelling Protocol (PPTP)

PPTP extends PPP (Point-to-Point Protocol), the established standard used to set up a WAN link over a remote access connection (Shinder D. L., 2001). Developed by Microsoft together with other vendors and published as RFC 2637, PPTP is built into Microsoft's Windows operating systems and is one of the most widely deployed tunnelling protocols; it is also supported on devices from many other manufacturers. It can carry protocols other than TCP/IP, because the PPP frames inside the tunnel may contain any network-layer protocol PPP supports. Unlike plain GRE, PPTP encrypts the traffic: the PPP frames are encrypted with MPPE (Microsoft Point-to-Point Encryption) and then encapsulated in an enhanced form of GRE inside an IP header, which is sent across a public IP network such as the internet (Ciampa, 2008). The encryption keys are derived from the PPP authentication exchange (normally MS-CHAPv2), and the weaknesses of MS-CHAPv2 and MPPE are well documented, so PPTP is no longer considered secure for use over untrusted networks.

Figure 1.1 PPTP (Ciampa, 2008)

The diagram above shows a PPTP connection: a client machine, a Network Access Server (NAS), a PPTP server, a PPP connection between the client and the NAS, a PPTP connection between the client and the PPTP server, the internet, and at the far end the remote network. The client first connects to the NAS over a cable modem, DSL or dial-up link. Once that connection is up, a second connection is made from the client through the NAS and across the internet (or other untrusted network) to the PPTP server. This is the PPTP connection: a TCP control channel (port 1723) between the client and the PPTP server, alongside which the tunnelled PPP data flows in GRE packets. (Ciampa, 2008)

PPTP also relies on one of PPP's own components, the LCP (Link Control Protocol). The LCP's job is to establish, configure and test the data-link connection before any network-layer traffic flows over it. (Ciampa, 2008)

PPTP is easy to configure, which is the main reason it became so popular; it was also the first VPN protocol supported by Microsoft Dial-Up Networking. Every Microsoft OS from Windows 95 onwards ships with a PPTP client, and clients exist for Linux and Mac OS X as well (Ciampa, 2008), although Apple removed PPTP support from macOS Sierra and iOS 10 because of the protocol's known weaknesses.
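The GRE and PPTP sections above describe the same mechanism twice: a passenger packet wrapped in a GRE header and carried in an outer IP packet, with PPTP using an enhanced GRE header (version 1, key split into payload length and call ID, sequence and acknowledgment numbers) to carry PPP frames. The following Python is an added example written for this page, not code from any of the cited sources or from any vendor implementation; the addresses, payload and PPP frame are constructed, and the UDP body is left as raw bytes. It builds and parses both header forms and shows that the passenger data is readable on the wire, which is the point made above about GRE lacking encryption.

```python
"""
GRE encapsulation walk-through: RFC 2784 GRE (version 0) carrying an IPv4
passenger packet, and the RFC 2637 "enhanced GRE" (version 1) header that
PPTP uses to carry PPP frames.  Example code written for this page; sample
packets and addresses are constructed, not captured.
"""
import socket
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPP = 0x880B        # protocol type PPTP puts in its GRE header
IP_PROTO_GRE = 47             # outer IP header protocol number for GRE

GRE_FLAG_C = 0x8000           # checksum present
GRE_FLAG_K = 0x2000           # key present (PPTP: payload length + call ID)
GRE_FLAG_S = 0x1000           # sequence number present
GRE_FLAG_A = 0x0080           # acknowledgment present (enhanced GRE only)
GRE_VER_MASK = 0x0007


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header and optional GRE checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(passenger: bytes, protocol_type: int, checksum: bool = False) -> bytes:
    """Wrap a passenger packet in an RFC 2784 (version 0) GRE header."""
    flags = GRE_FLAG_C if checksum else 0
    header = struct.pack("!HH", flags, protocol_type)
    if checksum:
        # Checksum covers the GRE header (checksum field zeroed) plus the payload.
        csum = inet_checksum(header + b"\x00\x00\x00\x00" + passenger)
        header += struct.pack("!HH", csum, 0)
    return header + passenger


def pptp_encapsulate(ppp_frame: bytes, call_id: int, seq: int, ack: Optional[int] = None) -> bytes:
    """Wrap a PPP frame in the RFC 2637 enhanced-GRE header (version 1) used by PPTP."""
    flags = GRE_FLAG_K | GRE_FLAG_S | 1          # K=1, S=1, version 1
    if ack is not None:
        flags |= GRE_FLAG_A
    header = struct.pack("!HHHHI", flags, ETHERTYPE_PPP, len(ppp_frame), call_id, seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + ppp_frame


def gre_decapsulate(packet: bytes) -> dict:
    """Parse a GRE header (version 0 or PPTP's version 1); return fields and payload."""
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    version = flags & GRE_VER_MASK
    info = {"version": version, "protocol_type": protocol_type}
    offset = 4
    if flags & GRE_FLAG_C:
        if inet_checksum(packet) != 0:            # valid packet sums to zero
            raise ValueError("bad GRE checksum")
        info["checksum"] = struct.unpack("!H", packet[4:6])[0]
        offset += 4
    if flags & GRE_FLAG_K:
        if version == 1:
            # RFC 2637 splits the 32-bit key into payload length and call ID.
            info["payload_length"], info["call_id"] = struct.unpack("!HH", packet[offset:offset + 4])
        else:
            info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_S:
        info["sequence"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_A:
        if version != 1:
            raise ValueError("acknowledgment flag is only defined for enhanced GRE")
        info["ack"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["payload"] = packet[offset:]
    if "payload_length" in info and info["payload_length"] != len(info["payload"]):
        raise ValueError("PPTP payload length does not match packet")
    return info


def demo() -> dict:
    """Build the transport / carrier / passenger layering and inspect it."""
    secret = b"passenger data in the clear"                    # constructed UDP body
    inner = ipv4_packet("10.0.0.1", "10.0.1.1", 17, secret)     # passenger: IPv4, proto 17 = UDP
    carrier = gre_encapsulate(inner, ETHERTYPE_IPV4, checksum=True)
    outer = ipv4_packet("203.0.113.1", "198.51.100.1", IP_PROTO_GRE, carrier)  # transport
    decap = gre_decapsulate(outer[20:])                         # skip the outer IPv4 header
    ppp = b"\x00\x21" + inner                                   # constructed PPP frame, 0x0021 = IPv4
    pptp = pptp_encapsulate(ppp, call_id=7, seq=1, ack=0)
    pdecap = gre_decapsulate(pptp)
    return {
        "gre_payload_intact": decap["payload"] == inner,
        "passenger_visible_on_wire": secret in outer,          # GRE adds no encryption
        "pptp_call_id": pdecap["call_id"],
        "pptp_protocol_type": pdecap["protocol_type"],
        "pptp_ppp_intact": pdecap["payload"] == ppp,
    }
```

Running demo() shows the passenger bytes sitting unchanged inside the outer packet, which is exactly what a network tap between two bare GRE endpoints would see; PPTP's header carries more bookkeeping (call ID, sequence, acknowledgment) but, without MPPE applied to the PPP frame, the same holds for it.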

Secure Socket Tunnelling Protocol (SSTP)

SSTP was the newest of Microsoft's tunnelling protocols at the time of the sources cited here; it was introduced as a feature of Windows Server 2008 and Windows Vista SP1. SSTP allows a remote access client to create a VPN connection. SSTP clients tunnel through NAT (Network Address Translation) routers, firewalls and proxies to a remote access server running RRAS (Routing and Remote Access Service) (Sosinsky, 2008). SSTP encapsulates PPP packets and transmits them over an HTTPS connection, which lets the tunnel pass through the NAT devices and firewalls mentioned above far more easily than PPTP, whose GRE packets (IP protocol 47) are often blocked (Panek, 2010). Because HTTPS is the transport, SSTP traffic looks like ordinary secure web traffic on TCP port 443; it is never carried over plain HTTP on port 80.

Figure 1.2 SSTP (Sosinsky, 2008)

The diagram above shows the structure of an encapsulated SSTP packet as used by an SSTP VPN connection.

Reading it from the inside out: the innermost part is the tunnelled IPv4/IPv6 packet, including its TCP or other transport header. This packet is first encapsulated in a PPP frame and then given an SSTP header. The SSTP header and everything inside it sit within the SSL/TLS-encrypted part of the packet. The encryption itself uses a symmetric session key negotiated during the TLS handshake; the server's certificate and its public/private key pair serve to authenticate the server and protect that negotiation, not to encrypt the data directly. Outside the TLS layer sit the outer TCP header (port 443) and the outer IPv4/IPv6 header, which carry the addressing information that gets the packet from client to server. (Sosinsky, 2008)
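To make the SSTP layer of that packet concrete, the following Python is an added example written for this page, not code from the cited sources or from Microsoft's implementation. It builds the 4-byte SSTP header, the first control message a client sends inside the TLS session (Call Connect Request, announcing that PPP will be carried) and a data packet carrying a PPP frame, and parses them back while checking the reserved bits and length fields. Field layouts and constant values follow the MS-SSTP specification as recalled by the author of this example, and the PPP frame bytes are constructed; verify the constants against the specification before depending on them.

```python
"""
SSTP framing walk-through: header, one control message and one data packet.
Example code written for this page; constants are as recalled from MS-SSTP
and the PPP frame used in the demo is constructed, not captured.
"""
import struct

SSTP_VERSION = 0x10                     # major 1, minor 0
SSTP_HEADER_LEN = 4
SSTP_MSG_CALL_CONNECT_REQUEST = 0x0001  # client -> server, first control message
SSTP_ATTRIB_ENCAPSULATED_PROTOCOL_ID = 0x01
SSTP_ENCAPSULATED_PROTOCOL_PPP = 0x0001
MAX_SSTP_LENGTH = 0x0FFF                # the Length field is only 12 bits wide


def _header(is_control: bool, total_len: int) -> bytes:
    """Version | Reserved(7) C(1) | R(4) Length(12).  Length includes the header."""
    if total_len > MAX_SSTP_LENGTH:
        raise ValueError("SSTP packet too long for 12-bit length field")
    return struct.pack("!BBH", SSTP_VERSION, 0x01 if is_control else 0x00, total_len)


def build_attribute(attr_id: int, value: bytes) -> bytes:
    """Reserved(1) | AttributeID(1) | R(4) Length(12) | Value; Length includes these 4 bytes."""
    return struct.pack("!BBH", 0, attr_id, 4 + len(value)) + value


def build_control_packet(msg_type: int, attributes: list) -> bytes:
    """Control packet body: MessageType(2) | NumAttributes(2) | attributes."""
    body = struct.pack("!HH", msg_type, len(attributes)) + b"".join(attributes)
    return _header(True, SSTP_HEADER_LEN + len(body)) + body


def build_call_connect_request() -> bytes:
    """First message the client sends inside TLS: 'I will carry PPP in this tunnel'."""
    proto = build_attribute(SSTP_ATTRIB_ENCAPSULATED_PROTOCOL_ID,
                            struct.pack("!H", SSTP_ENCAPSULATED_PROTOCOL_PPP))
    return build_control_packet(SSTP_MSG_CALL_CONNECT_REQUEST, [proto])


def build_data_packet(ppp_frame: bytes) -> bytes:
    """A data packet is the header followed directly by one PPP frame."""
    return _header(False, SSTP_HEADER_LEN + len(ppp_frame)) + ppp_frame


def parse_packet(buf: bytes) -> dict:
    """Parse one SSTP packet from the start of buf, rejecting malformed headers."""
    if len(buf) < SSTP_HEADER_LEN:
        raise ValueError("truncated SSTP header")
    version, flags, length_field = struct.unpack("!BBH", buf[:SSTP_HEADER_LEN])
    if version != SSTP_VERSION:
        raise ValueError("unsupported SSTP version 0x%02x" % version)
    if flags & 0xFE:                         # seven reserved bits must be zero
        raise ValueError("reserved bits set in SSTP header")
    if length_field & 0xF000:                # four reserved length bits must be zero
        raise ValueError("reserved bits set in SSTP length field")
    length = length_field & 0x0FFF
    if length < SSTP_HEADER_LEN or length > len(buf):
        raise ValueError("SSTP length %d inconsistent with buffer" % length)
    body = buf[SSTP_HEADER_LEN:length]
    if not flags & 0x01:
        return {"control": False, "ppp_frame": body, "length": length}
    if len(body) < 4:
        raise ValueError("truncated control packet")
    msg_type, num_attrs = struct.unpack("!HH", body[:4])
    attrs, pos = {}, 4
    for _ in range(num_attrs):
        if pos + 4 > len(body):
            raise ValueError("truncated attribute header")
        _res, attr_id, alen = struct.unpack("!BBH", body[pos:pos + 4])
        alen &= 0x0FFF
        if alen < 4 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs[attr_id] = body[pos + 4:pos + alen]
        pos += alen
    return {"control": True, "message_type": msg_type, "attributes": attrs, "length": length}


def is_valid(buf: bytes) -> bool:
    """True if buf parses as a well-formed SSTP packet."""
    try:
        parse_packet(buf)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Round-trip a Call Connect Request and a data packet carrying a constructed PPP frame."""
    request = parse_packet(build_call_connect_request())
    ppp = b"\x00\x21" + b"\x45\x00\x00\x14" + b"\x00" * 16   # constructed: PPP proto 0x0021 (IPv4)
    data = parse_packet(build_data_packet(ppp))
    return {
        "request_type": request["message_type"],
        "announced_protocol": request["attributes"][SSTP_ATTRIB_ENCAPSULATED_PROTOCOL_ID],
        "ppp_round_trip": data["ppp_frame"] == ppp,
    }
```

Everything this code produces travels inside the TLS record layer, so on the wire an observer sees only TLS to port 443; the reserved-bit and length checks in parse_packet are the kind of strict validation a server should apply before trusting lengths taken from a client-supplied header.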

The SSTP server must have a certificate whose Enhanced Key Usage (EKU) includes Server Authentication. During the SSL/TLS handshake this certificate authenticates the server to the client, and the client validates the certificate chain up to the issuing certificate authority (CA). For that validation to succeed the client must have the CA's root certificate installed in its trusted root store, and the name in the certificate (subject or subject alternative name) must match the server name the client is connecting to.

Figure 1.3 EKU (Shinder T. , 2009)

Figure 1.3 is included for a better understanding. It is a screenshot of the certificate properties dialog box listing a few certificates, and the EKU field shows Server Authentication, as described above.

An SSTP connection is a VPN tunnel that stands alongside the L2TP (Layer 2 Tunnelling Protocol) and PPTP VPN tunnels as a peer. PPP traffic is encapsulated by SSTP and then framed so that it is carried as HTTPS traffic. This encapsulation ensures that the HTTPS-carried traffic can still be treated as a VPN tunnel: policies such as NAP (Network Access Protection) can be applied to it, it can carry IPv6 traffic where required, and it remains compatible with the authentication methods VPN clients need, such as standard logons, smart cards and Connection Manager profiles. (Sosinsky, 2008)

Being the newest of the three protocols, SSTP is also the strongest. It is flexible, reliable and, for what it does, cost efficient: if you are running an expensive VPN solution such as Cisco's, SSTP offers comparable reliability and security without the expense (Shinder T. W., 2009). Its security rests on TLS rather than on PPTP's MPPE and MS-CHAPv2, which is the main reason it is the best of these three options for securing a VPN connection. Two practical caveats apply: because SSTP runs over TCP, carrying TCP sessions inside it can suffer from TCP-over-TCP retransmission interactions on lossy links, and SSTP is less widely supported outside Microsoft clients and servers than IPsec-based VPNs.

Comparison of GRE and SSTP


