Secure Socket Tunnelling Protocol


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Tunnelling Protocols

B00236532

CONTENTS

INTRODUCTION

DEFINITION OF TUNNELLING

WHY IS TUNNELLING USED?

OSI LAYER OVERVIEW

STANDARD TUNNELLING PROTOCOLS

GENERIC ROUTING ENCAPSULATION (GRE)

LAYER 2 TUNNELLING PROTOCOL (L2TP)

POINT-TO-POINT TUNNELLING PROTOCOL (PPTP)

SECURE SOCKET TUNNELLING PROTOCOL (SSTP)

LINKS BETWEEN TUNNELLING PROTOCOLS AND OTHER PROTOCOLS

INTERNET PROTOCOL SECURITY (IPSec)

INTERNET KEY EXCHANGE PROTOCOL VERSION 2 (IKEV2)

CONCLUSION

GLOSSARY OF ACRONYMS

REFERENCES

INTRODUCTION

This report will define the concept of tunnelling, the various protocols used and the reasons for their development. The different types of tunnelling protocol available will be identified and described. The protocols will also be analysed for their relative strengths and weaknesses, and reasons identified as to why one might be preferred to another in certain circumstances. In addition, this report will identify relationships between tunnelling protocols and other protocols.

DEFINITION OF TUNNELLING

Schluting (2006) highlights the computing world's dependency on various types of tunnelling, defining a tunnel as a mechanism which allows a foreign protocol to move across a network that would not normally support it. Strayer (2004) defines these tunnels as "special connections" between two physical points.

Alawieh, Ahmed & Mouftah (2008) define tunnelling as the use of an internetwork infrastructure to transfer data whilst Hunt (1998) states that tunnelling is the encapsulation of data via a technique which allows for transmission over an interconnecting network. Microsoft (2011) highlights that this network technique of encapsulating one packet within another is utilised for the purpose of either compatibility or security.

More specifically, Forouzan (2007) states that tunnelling is the name given to the strategy employed when two computers using IPv6 need to communicate via a region that uses IPv4. Alternatively, Wright (2000) states that network traffic from multiple sources uses tunnelling to traverse the same infrastructure via separate channels, while also allowing network protocols to bridge two incompatible infrastructures. Tunnelling also allows traffic from multiple sources to be differentiated, so that each can be directed to a specific destination for a specific reason. Wright gives the example of tunnelling techniques employed within a VPN, which allow the transmission of data packets across a public network via a private tunnel (simulating a PPP connection).

WHY IS TUNNELLING USED?

Tunnelling can connect two different points which would not normally be able to communicate with each other. A connection is formed which allows the transfer of encrypted data from one side to the other, where it is decrypted. Tunnelling can also be used in a situation where a main network can have one or many clients who access the server via a tunnel, using the same encapsulation method as above to transfer data between two networks in a secure manner.

OSI LAYER OVERVIEW

The OSI Model is a seven layer model (Learning & Scholarly Technologies, 2011) which is used to describe both networks and network applications. The various layers are indicated below in Figure 1. Each layer groups together various communication functions. Each layer serves the one above it and is served by the layer below it.

Figure 1 OSI Model (Learning & Scholarly Technologies, University of Washington)

STANDARD TUNNELLING PROTOCOLS

There are a number of different tunnelling protocols available, which can be employed in different situations. These include, but are not limited to: GRE, L2TP, PPTP and SSTP.

The next section of the report will deal with each of these in turn, providing a description of their main function and application area, why they were developed and their relative strengths and weakness in comparison to each other and why one might be more appropriate than another in certain circumstances.

GENERIC ROUTING ENCAPSULATION

GRE is a transport layer protocol which was developed by Cisco Systems and is defined by IETF RFC 2784. It is commonly used by service providers to provide a managed IP VPN service across an established IP network. It creates a virtual PPP link between two or more points, via a tunnel, across the internet (Schäfer, 2000). GRE can be used for tunnelling both IP and non-IP protocols. Packets for transfer are contained inside an outer IP packet for delivery; this is known as ‘encapsulation’. The data is encrypted at one end, encapsulated within another packet, sent through the tunnel and decrypted at the other end. RFC 2784 (Farinacci et al., 2000) states that the original packet for delivery is referred to as the "payload packet". The payload is encapsulated in a GRE packet, which can then itself be encapsulated within another protocol and forwarded; this outer packet is referred to as the "delivery protocol".

There is a shortage of security features within a GRE tunnel, so clients who require increased security may opt for an alternative such as SSL, to ensure data is encrypted within a web browser, or they may choose a dual tunnelling option combining GRE with IPSec. However, the latter option increases overheads. SSL and IPSec are discussed in greater detail later in the report.

There are some disadvantages associated with GRE in relation to IP tunnels for CPE. To avoid overloading routes with high volumes of network traffic, it is preferable to provide a complete web of tunnels; however, this has implications in terms of the cost to set up and manage/maintain.

LAYER 2 TUNNELLING PROTOCOL

Microsoft (2009) states that L2TP is an IETF standard tunnelling protocol. It was developed by combining features from Microsoft’s PPTP and Cisco Systems' L2F, and is described by IETF RFC 2661 (Townsley et al., 1999).

Microsoft (2011) states that L2TP is regarded as the industry standard for the formation of secure tunnels. The protocol requires the identity of all users to be authenticated, through the use of either a computer certificate or a pre-shared key. Working closely with IPSec, L2TP attaches an L2TP header to the PPP frame, and the result is packaged within a UDP datagram. IPSec then works in conjunction with L2TP to provide additional security on top of this original encapsulation: the datagram is further encapsulated with the IPSec ESP protocol (Townsley et al., 1999), effectively resulting in a double encapsulation which can be transmitted over various networks, including TCP/IP and X.25.

The L2TP/IPSec protocol combination is the preferred option for VPN connections from Windows XP clients. The collaboration extends to the generation of encryption keys via IPSec’s IKE, with the partnership offering a more cohesive range of services than other protocols such as PPTP (Microsoft, 2011).

Rossberg & Schaefer (2011) and Liu & Wu (2002) identify that L2TP operates at the data link layer of the OSI Model. In an unsecured network, L2TP has the capability to establish user-authenticated tunnels (as does PPTP). However, unlike PPTP, it requires a mandatory IPSec protection layer in such a network.

In addition to running over UDP and IP, IETF RFC 3070 (Rawat et al., 2001) states that it is also possible to implement L2TP over Frame Relay PVCs and SVCs.
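As an added, worked illustration of the L2TP/IPSec layering described in this section (it is not code from the report, Microsoft or the IETF), the Python below places a constructed PPP frame inside the RFC 2661 L2TP data message header and a UDP datagram for port 1701, then audits what the outer IPv4 header says follows it: ESP (protocol 50), or ESP carried in UDP port 4500 as RFC 3948 describes, means the IPSec layer that L2TP requires on an unsecured network is present, while plain UDP on port 1701 means the PPP frame is visible on the wire exactly as sent. Tunnel IDs, session IDs, the PPP frame and the ESP bytes are all constructed sample values.

```python
"""Added example: L2TPv2 data message framing (RFC 2661) over UDP/1701 and a
defender-side audit of whether the IPSec ESP layer is present outside it."""
import struct
from typing import Optional

UDP_PORT_L2TP = 1701
UDP_PORT_NAT_T = 4500   # UDP-encapsulated ESP (RFC 3948)
IPPROTO_UDP = 17
IPPROTO_ESP = 50

L2TP_T = 0x8000   # 1 = control message, 0 = data message
L2TP_L = 0x4000   # Length field present
L2TP_S = 0x0800   # Ns/Nr fields present
L2TP_O = 0x0200   # Offset Size field present
L2TP_VER = 2      # low four bits of the first 16-bit word


def build_l2tp_data(ppp_frame: bytes, tunnel_id: int, session_id: int,
                    ns: Optional[int] = None, nr: Optional[int] = None) -> bytes:
    """L2TP data message: flags/version, Length, Tunnel ID, Session ID, optional Ns/Nr,
    followed by the PPP frame. Length counts the whole message including the header."""
    flags = L2TP_L | L2TP_VER
    body = struct.pack("!HH", tunnel_id, session_id)
    if ns is not None:
        flags |= L2TP_S
        body += struct.pack("!HH", ns, nr or 0)
    length = 4 + len(body) + len(ppp_frame)
    return struct.pack("!HH", flags, length) + body + ppp_frame


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; the checksum is left at zero, which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_l2tp(msg: bytes) -> dict:
    """Decode an L2TPv2 message header and return its fields plus the PPP payload."""
    flags = struct.unpack("!H", msg[:2])[0]
    if (flags & 0x000F) != L2TP_VER:
        raise ValueError("not an L2TPv2 message")
    off = 2
    info = {"control": bool(flags & L2TP_T)}
    if flags & L2TP_L:
        info["length"] = struct.unpack("!H", msg[off:off + 2])[0]
        off += 2
    info["tunnel_id"], info["session_id"] = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if flags & L2TP_S:
        info["ns"], info["nr"] = struct.unpack("!HH", msg[off:off + 4])
        off += 4
    if flags & L2TP_O:   # Offset Size, then that many bytes of padding
        off += 2 + struct.unpack("!H", msg[off:off + 2])[0]
    info["payload"] = msg[off:info.get("length", len(msg))]
    return info


def audit_outer(ip_proto: int, transport: bytes) -> dict:
    """Classify the bytes that follow the outer IPv4 header.
    protected=True: ESP is present, so the L2TP/PPP inside is encrypted and authenticated.
    protected=False: L2TP rides directly on UDP/1701 and the PPP frame is readable.
    protected=None: not an L2TP/IPSec packet at all."""
    if ip_proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", transport[:8])
        return {"protected": True, "spi": spi, "esp_seq": seq}
    if ip_proto == IPPROTO_UDP:
        sport, dport, ulen, _ = struct.unpack("!HHHH", transport[:8])
        data = transport[8:ulen]
        if UDP_PORT_NAT_T in (sport, dport) and len(data) >= 8 and data[:4] != b"\x00" * 4:
            spi, seq = struct.unpack("!II", data[:8])   # non-zero SPI: UDP-encapsulated ESP
            return {"protected": True, "spi": spi, "esp_seq": seq}
        if UDP_PORT_L2TP in (sport, dport):
            l2tp = parse_l2tp(data)
            return {"protected": False, "tunnel_id": l2tp["tunnel_id"],
                    "session_id": l2tp["session_id"], "ppp_frame": l2tp["payload"]}
    return {"protected": None}


if __name__ == "__main__":
    # Constructed PPP frame: address/control 0xff03, protocol 0x0021 (IPv4), two payload bytes.
    frame = b"\xff\x03\x00\x21\x45\x00"
    cleartext = build_udp(1701, 1701, build_l2tp_data(frame, tunnel_id=5, session_id=9, ns=3, nr=1))
    print(audit_outer(IPPROTO_UDP, cleartext))
    print(audit_outer(IPPROTO_ESP, b"\x00\x00\x12\x34\x00\x00\x00\x07" + b"\x00" * 16))
```

Run against captured outer headers, the audit is a straightforward way to confirm that every L2TP session on a segment is actually wrapped in ESP rather than merely configured to be.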

POINT-TO-POINT TUNNELLING PROTOCOL

As with L2TP, PPTP operates at the data link layer of the OSI model (Liu & Wu, 2002). It securely enables the transfer of data between remote clients and private servers via a VPN connection over the internet. These VPNs are created across TCP/IP-based data networks (Cisco, 2010).

PPTP uses a modified version of GRE to encapsulate PPP frames within IP datagrams which can then be transmitted across either a private or public IP network like the internet. Security of the encapsulated PPP frames is ensured through the use of encryption or compression, or both. Encryption keys are generated by either MS-CHAP v2 or EAP-TLS (Technet, 2009).

RFC 2637 (Hamzeh, 1999) outlines PPTP and its use for tunnelling PPP via an IP network. The use of GRE makes best use of the available bandwidth and avoids issues such as unnecessary retransmissions and buffer overruns.
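As an added, worked illustration of the encapsulation described in the GRE section and of the modified GRE that PPTP uses (it is not code from the report, Cisco, Microsoft or the IETF), the Python below builds the RFC 2784 GRE header with its optional checksum, the RFC 2637 PPTP variant (version 1, the Key field carrying payload length and Call ID, optional sequence and acknowledgement numbers) and an outer IPv4 "delivery" header with protocol number 47, then decapsulates them again. The addresses and the inner IP and PPP payloads are constructed sample values. The parser returns the payload exactly as it was sent, which is the shortage of security features the GRE section refers to: the checksum detects accidental corruption, but nothing here hides or authenticates the payload.

```python
"""Added example: GRE (RFC 2784), PPTP's enhanced GRE (RFC 2637) and the IPv4
delivery header. Every payload and address below is a constructed sample."""
import socket
import struct
from typing import Optional

IPPROTO_GRE = 47          # outer IPv4 Protocol value that marks a GRE payload
GRE_PROTO_IPV4 = 0x0800   # EtherType carried in the GRE Protocol Type field
GRE_PROTO_PPP = 0x880B    # Protocol Type PPTP uses for PPP frames

FLAG_C = 0x8000  # Checksum present (RFC 2784)
FLAG_K = 0x2000  # Key present (PPTP: payload length + Call ID)
FLAG_S = 0x1000  # Sequence Number present
FLAG_A = 0x0080  # Acknowledgement Number present (PPTP only)
VER_MASK = 0x0007


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a packet whose field is correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = GRE_PROTO_IPV4, checksum: bool = True) -> bytes:
    """RFC 2784: 4-byte base header, then Checksum + Reserved1 when the C bit is set.
    The checksum covers header and payload with the checksum field itself zeroed."""
    flags = FLAG_C if checksum else 0
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", internet_checksum(hdr + b"\x00" * 4 + payload), 0)
    return hdr + payload


def build_pptp_gre(payload: bytes, call_id: int,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """RFC 2637: version 1, K always set, Key = payload length (16 bits) + Call ID (16 bits),
    followed by optional Sequence and Acknowledgement numbers."""
    flags = FLAG_K | 1 | (FLAG_S if seq is not None else 0) | (FLAG_A if ack is not None else 0)
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 delivery header (no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def parse_gre(packet: bytes) -> dict:
    """Decapsulate either GRE variant. The payload comes back exactly as sent:
    GRE adds no confidentiality or authentication, only an optional checksum."""
    flags, proto = struct.unpack("!HH", packet[:4])
    off, info = 4, {"version": flags & VER_MASK, "proto": proto}
    if flags & FLAG_C:
        info["checksum"] = struct.unpack("!H", packet[off:off + 2])[0]
        off += 4  # Checksum (16 bits) + Reserved1 (16 bits)
        if internet_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
    if flags & FLAG_K:
        if info["version"] == 1:  # PPTP splits the Key field in two
            info["payload_len"], info["call_id"] = struct.unpack("!HH", packet[off:off + 4])
        else:
            info["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & FLAG_A:
        info["ack"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    payload = packet[off:]
    if info.get("payload_len", len(payload)) != len(payload):
        raise ValueError("PPTP GRE payload length mismatch")
    info["payload"] = payload
    return info


def checksum_catches_bit_flip(payload: bytes) -> bool:
    """True when a single flipped bit in the tunnelled payload makes parse_gre reject it."""
    packet = bytearray(build_gre(payload))
    packet[-1] ^= 0x01
    try:
        parse_gre(bytes(packet))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inner payloads: a stand-in IP packet and a PPP LCP frame (0xff03, 0xc021).
    delivery = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_GRE, build_gre(b"inner-ip-packet"))
    print(parse_gre(delivery[20:]))
    print(parse_gre(build_pptp_gre(b"\xff\x03\xc0\x21", call_id=7, seq=1, ack=0)))
```

The outer header's protocol field (47) is what a firewall or IDS keys on to recognise a GRE delivery packet; the PPTP variant is recognisable by version 1 and Protocol Type 0x880B inside that same outer header.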

PPTP was originally developed as an extension of PPP with enhanced levels of security, and the transfer of data via a PPTP-enabled VPN is now as secure as the transfer of data across a single LAN. All security checks and validations, as well as data encryption, are performed by the tunnel server, meaning that it is safer than older protocols for sending information over non-secure networks (Microsoft, 2013).

As PPTP allows multiprotocol encapsulation, it is possible to send different types of packet over the internet, including IPX (Technet, 1996).

SECURE SOCKET TUNNELLING PROTOCOL

The introduction of the SSL protocol allowed for the creation of a secure connection between client and server, and saw an industry trend towards SSL-based VPNs (Shinder, 2010). Microsoft then introduced SSTP with Windows Server 2008, for use by clients running Windows Vista SP1 or later (Microsoft, 2011). SSTP operates at the application layer of the OSI model and is integrated into RRAS, using TLS, the successor to SSL.

To traverse firewalls and web proxies that can block PPTP and L2TP/IPSec, without requiring computer certificates or pre-shared keys, SSTP uses the HTTPS protocol over TCP port 443 (Microsoft, 2011).

Microsoft (2011) states that SSTP uses the SSL protocol (which is supported by the majority of web servers) to encapsulate PPP frames. As SSTP uses the same TCP port 443 as SSL, there is no need for administrators to open additional external firewall ports on the server.

For authentication purposes, SSTP uses certificates and, as well as data encryption, provides integrity checking and enhanced key negotiation services (Microsoft, 2011).

SSTP was introduced to improve on weaknesses present in PPTP and L2TP VPN technology, and it is now commonly felt to provide the most secure access to the internet (Purevpn, 2011).

LINKS BETWEEN TUNNELLING PROTOCOLS AND OTHER PROTOCOLS

INTERNET PROTOCOL SECURITY

Working at the network layer of the OSI model (Morimoto et al., 2010), IPSec provides standards which outline how to safeguard communications over IP networks via tools including data origin authentication and replay protection (Microsoft, 2003).
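The replay protection mentioned here is worth seeing as an algorithm. The Python below is an added example, not code from the report or from any IPSec implementation; it is the sliding-window check that RFC 4303 (ESP) describes in section 3.4.3, where a receiver keeps the highest sequence number accepted on a security association plus a bitmap of recently seen numbers (a window of at least 32 packets is required and 64 is recommended). The window is consulted before the integrity check and updated only after it passes, so a forged packet can never move the window; the sequence numbers fed through `simulate` are constructed values.

```python
"""Added example: ESP-style anti-replay sliding window (RFC 4303, section 3.4.3)."""
from typing import List, Optional, Tuple


class ReplayWindow:
    """Replay state for one inbound security association."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (last - i) already accepted

    def check(self, seq: int) -> Optional[str]:
        """Return a rejection reason, or None if seq may still be accepted."""
        if seq == 0:
            return "reject: zero sequence number"   # the first packet on an SA is 1
        if seq > self.last:
            return None                             # newer than anything seen so far
        diff = self.last - seq
        if diff >= self.size:
            return "reject: outside window"        # too old to be tracked
        if self.bitmap & (1 << diff):
            return "reject: replay"                 # already accepted once
        return None

    def update(self, seq: int) -> None:
        """Record seq. Only call this once the packet's integrity check has passed."""
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def receive(self, seq: int, icv_ok: bool) -> str:
        """Window check, then integrity (ICV) verification, then window update.
        icv_ok stands in for the result of verifying the packet's integrity check value."""
        reason = self.check(seq)
        if reason:
            return reason
        if not icv_ok:
            return "reject: integrity check failed"
        self.update(seq)
        return "accept"


def simulate(events: List[Tuple[int, bool]], size: int = 64) -> List[str]:
    """Feed (sequence number, ICV verified?) events through one window; return the verdicts."""
    window = ReplayWindow(size)
    return [window.receive(seq, ok) for seq, ok in events]


if __name__ == "__main__":
    # Constructed arrival order on a 4-packet window: in-order, a replay, a jump ahead,
    # a packet that fell out of the window, a late-but-new packet, and a forged packet.
    for seq, verdict in zip([1, 2, 3, 2, 7, 3, 4, 5, 5, 5],
                            simulate([(1, True), (2, True), (3, True), (2, True), (7, True),
                                      (3, True), (4, True), (5, False), (5, True), (5, True)], size=4)):
        print(seq, verdict)
```

The two ordering rules are the security-relevant part: checking the window before the (comparatively expensive) integrity verification lets obvious replays be dropped cheaply, and updating it only afterwards means an unauthenticated packet with a large sequence number cannot push the window forward and cause legitimate traffic to be discarded.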

Schäfer (2000) states that IPSec can only be used for tunnelling IP protocols and does not support non-IP protocols.

As mentioned previously in the GRE section, there are some disadvantages associated with IPSec in relation to IP tunnels for CPE. A complete web of tunnels would avoid high volumes of network traffic potentially overloading the system. However, the associated costs in terms of key distribution, key management and peering configuration to set up such a system, would be prohibitive.

Service providers commonly favour IPSec due to its built-in security capabilities. IPSec provides the encryption which is used in conjunction with L2TP to provide security (Microsoft, 2011).

Providing a high standard of security via encryption and authentication, IPSec is now one of the most widely used network security technologies, and it provides major cost savings when connecting an organisation's branch offices and remote users (Cisco, 2013).

IPSec is used in conjunction with L2TP and is referred to as L2TP/IPSec. This combination allows the encryption and transfer of multiprotocol traffic across any format which supports the delivery of PPP datagrams (Technet, 2009).

RFC 3193 (Aboba et al., 2001) discusses how IPSec can help to protect L2TP traffic across IP networks.

INTERNET KEY EXCHANGE PROTOCOL VERSION 2

RFC 4306 (Kaufman, 2006) states that, as an element of IPSec, IKEv2 is used to perform mutual authentication between parties and to establish security associations. Only Windows 7 and Windows Server 2008 R2 operating systems support the use of IKEv2.

In IKEv2, datagrams are encapsulated for network transmission using IPSec ESP or AH. A VPN using IKEv2 has greater resilience built in, so that clients can move between wireless hotspots or switch to a wired connection.

CONCLUSION

In conclusion, there is a range of tunnelling protocols available which allow data to be encapsulated and encrypted for transfer between two points via a ‘tunnel’, in a secure, speedy and cost-efficient manner and without increasing network congestion. Whilst not an exhaustive list, the protocols described here represent the main methods in use.

It would appear that once a protocol has been in use for some time and issues have been identified for improvement, a new version or an entirely new protocol is created, refining the characteristics of previous incarnations. SSTP appears to provide the most secure remote access connection across the internet.

GLOSSARY OF ACRONYMS

AH - Authentication Header

CPE - Customer Premises Equipment

EAP-TLS - Extensible Authentication Protocol-Transport Layer Security

ESP - Encapsulating Security Protocol

GRE - Generic Routing Encapsulation

L2F - Layer 2 Forwarding

HTTPS - Hypertext Transfer Protocol Secure

IETF - Internet Engineering Task Force

IKE - Internet Key Exchange

IKEv2 - Internet Key Exchange Protocol Version 2

IP - Internet Protocol

IPSec - Internet Protocol Security

IPX - Internetwork Packet Exchange

L2TP - Layer 2 Tunnelling Protocol

LAN - Local Area Network

MS-CHAP v2 - Microsoft Challenge Handshake Authentication Protocol Version 2

OSI - Open Systems Interconnection

PPP - Point-to-Point Protocol

PPTP - Point-to-Point Tunnelling Protocol

PVC - Permanent Virtual Circuit

RFC - Request for Comments

RRAS - Routing and Remote Access

SSL - Secure Sockets Layer

SSTP - Secure Socket Tunnelling Protocol

SVC - Switched Virtual Circuit

TCP - Transmission Control Protocol

TLS - Transport Layer Security

UDP - User Datagram Protocol

VPN - Virtual Private Network
