So Why Use Tunnelling Computer Science Essay


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Describe and give reasons for tunnelling protocols

Main application area of a tunnelling protocol

Strengths and weaknesses of tunnelling protocols

Links between tunnelling protocols

To conclude the report I will have a critical discussion looking at two of the tunnelling protocols I have researched.

So why use Tunnelling?

Tunnelling is used in computer networking to transport foreign protocols across a network that would normally not support them. This is done by using existing public internet links, in such a way that the nodes on the internet do not even know that the transmission is part of a private network.

A Virtual Private Network, or VPN for short, is a common way to use tunnelling to allow authorised users external access to a private network. This uses Point-to-Point Tunnelling Protocol (PPTP), which we will look at further on, allowing authorised users to tunnel in to their company's private network whilst on the move from a variety of devices such as laptops, smartphones and PDAs, whilst maintaining a reasonable amount of security* for the data. This is really useful in today's fast-moving business world, where access to the company's network resources on the move is essential. (Rouse, 2007)

A typical VPN set-up

Figure - http://img.tomshardware.com

*Tunnelling should not be seen as a substitute for encryption/decryption and therefore encryption should still be used alongside it.

Point-to-Point Protocol (PPP)

Point-to-Point Protocol (PPP) became a working standard in 1994. It was originally devised as an encapsulation protocol for transporting IP traffic between two peers and is widely used by internet service providers (ISPs) to enable dial-up connections to the internet. PPP uses existing public internet links that allow the user to connect into an existing WAN infrastructure. It is a data link layer protocol and sits at layer 2 in the OSI model (as seen below). PPP can be encapsulated in various data link protocols such as Ethernet (PPPoE) and Asynchronous Transfer Mode (PPPoA).

OSI 7 Layer Model

Figure - http://www.escotal.com/osilayer.html

How it works

Two of the sub layers used within PPP are:

Link Control Protocol (LCP)

Network Control Protocol (NCP)

The session will be created between a user's computer and an ISP by using the Link Control Protocol (LCP); this replaces an older protocol known as Serial Line Internet Protocol (SLIP). The protocol is responsible for link negotiation, link establishment and link termination. LCP packets will be exchanged between multiple network points in order to determine link characteristics such as identity, packet size and configuration errors. (What Is My IP Address, 2000-2013)

LCP also provides encrypted logons and data transfer, which encrypt all passwords and data sent over the network link. If both ends support compression, data can be compressed before it is sent over the network, as this is also supported by LCP. Finally, it provides Multilink, which allows multiple physical links to be combined into one logical link.

NCP is responsible for the dynamic assignment of network layer addresses and supports TCP/IP, IPX/SPX, AppleTalk, Pathworks, and any other protocol for which an NCP module is written. (King, 2005)

Authentication

There are three different types of authentication protocols available with PPP that we will have a brief look at below:

Password Authentication Protocol (PAP)

Authenticates a user's password by retrieving it from the client and then checking it with an authentication server. This is the least secure authentication method as the password is not encrypted in transmission.

Challenge Handshake Protocol (CHAP)

Similar to PAP, although rather than retrieving the password from the client machine, the network access server sends a challenge message instead. The message is a random value, which the client machine will then encrypt along with the user's password before sending it back to the access server. The access server then sends the challenge and password combination to the authentication server, where it will be encrypted and stored in the authentication database. If the response matches, the password is authentic, making this a moderately secure level of authentication. (What Is My IP Address, 2000-2013)

Extensible Authentication Protocol (EAP)

More common nowadays in wireless networks, EAP is considered an authentication framework used by a number of secure authentication protocols. The specific authentication mechanism is not chosen during the link establishment phase of the PPP connection but during the connection authentication phase. (What Is My IP Address, 2000-2013)
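The difference between PAP and CHAP described above can be seen on the wire. The following is an added example, not part of the original essay: it builds a PAP Authenticate-Request using the RFC 1334 packet layout and computes a CHAP response as RFC 1994 defines it (a one-way MD5 hash over the identifier, the shared secret and the challenge). The user name, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1  # RFC 1334 packet code


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: the password travels as plain bytes."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(data)) + data


def password_from_pap(frame: bytes) -> bytes:
    """What any observer of the link can read out of a PAP frame."""
    id_len = frame[4]
    pw_len = frame[5 + id_len]
    start = 6 + id_len
    return frame[start:start + pw_len]


def chap_response_value(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over identifier octet, shared secret, challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, value: bytes) -> bool:
    """Authenticator side: recompute the hash and compare in constant time."""
    expected = chap_response_value(ident, secret, challenge)
    return hmac.compare_digest(expected, value)


# Constructed sample credentials, not taken from the essay.
USER, SECRET = b"alice", b"correct horse"

if __name__ == "__main__":
    frame = pap_request(1, USER, SECRET)
    print("PAP frame exposes:", password_from_pap(frame))
    c1, c2 = os.urandom(16), os.urandom(16)
    r1 = chap_response_value(7, SECRET, c1)
    print("CHAP response accepted:", chap_verify(7, SECRET, c1, r1))
    print("old response against a new challenge:", chap_verify(8, SECRET, c2, r1))
```

Because the challenge changes on every attempt, a captured CHAP response is rejected when replayed, whereas a captured PAP frame yields the password itself.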

Point-to-Point Tunnelling Protocol (PPTP)

Point-to-Point Tunnelling Protocol (PPTP) is an extension of the Internet standard Point-to-Point Protocol (PPP) and sits at layer 2 (Data Link) in the OSI 7 layer model. Developed by Microsoft and a consortium of technology companies, it remains the most widely supported Virtual Private Network (VPN) method used in Windows today. PPTP supports a wide range of multiprotocol VPNs, which allows users to access corporate networks securely by dialling in to an Internet Service Provider (ISP) for internet access and then connecting to the corporate LAN by using the internet connection. (Rouse, 2005)

OSI 7 Layer Model

Figure - http://www.escotal.com/osilayer.html

How it works

A remote or mobile PPTP client dials in and connects to a network access server (NAS) at the ISP facility. Once the connection has been established the client can send and receive packets over the Internet. The TCP/IP protocol is used by the network access server for all traffic to the internet.

Once the connection has been established, a second dial-up call will be made over the existing PPP connection. The second connection will be responsible for sending data in the form of IP datagrams containing the PPP packets; these are known as encapsulated PPP packets. (TechNet, 2013)

Figure - technet.microsoft.com

"The above figure shows the second call creating the virtual private network (VPN) connection to a PPTP server on the private enterprise LAN, this is referred to as a tunnel." (TechNet, 2013)

PPTP can also be used to tunnel a PPP session over an IP network and in this set up both the PPTP tunnel and the PPP session run between the same two machines.

Security

PPTP will establish the tunnel but does not provide any encryption. The authentication methods used in PPTP are the same as in PPP (PAP, SPAP, CHAP, MS-CHAP v.1/v.2 and EAP); some of these are mentioned in the previous section. (Anon., n.d.)

Layer 2 Tunnelling Protocol (L2TP)

Layer 2 Tunnelling Protocol, or L2TP for short, is a combination of PPTP, which we mentioned earlier, and L2F from Cisco Systems, and allows L2 traffic to be tunnelled over an IP network. L2TP also resides at the data link layer, the second layer of the OSI model, as seen below:

OSI 7 Layer Model

Figure - http://www.escotal.com/osilayer.html

The L2TP protocol can be very useful as it can carry almost any data format over IP or other L3 networks. L2 networks are easier to manage and are more transparent than L3 networks. This is a great advantage in data centres, where a flat network is essential for promoting virtual machine (VM) mobility between physical hosts, or in multiple premises, where the sharing of infrastructure and resources between remote offices can be simplified by using L2 tunnelling. (Parkin, 2013)

How it works

When an L2TP connection is made it will consist of two components: a tunnel and a session. The tunnel provides transport for the control packets between the two L2TP Control Connection Endpoints (LCCEs). The entire session is contained logically within the tunnel along with the user's data. Multiple sessions may be sent within a single tunnel, and these are kept separate by the use of session identifier numbers in the L2TP data encapsulation headers.

Security

L2TP contains no security or authentication mechanisms, so it is common to run it alongside other technologies such as IPSec to provide added security. (Parkin, 2013)
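The session separation described under "How it works" and the absence of protection noted under "Security" can both be seen by parsing the header. This is an added example, not part of the original essay: it assumes the L2TPv2 header layout from RFC 2661 (16-bit tunnel and session IDs), and the packets and function names are constructed for illustration.

```python
import struct
from collections import defaultdict

T_BIT, L_BIT, S_BIT, O_BIT = 0x8000, 0x4000, 0x0800, 0x0200  # RFC 2661 flags


def parse_l2tp(datagram: bytes):
    """Return (is_control, tunnel_id, session_id, payload) for an L2TPv2 message."""
    try:
        (flags,) = struct.unpack_from("!H", datagram, 0)
        if flags & 0x000F != 2:
            raise ValueError("not an L2TPv2 header")
        off = 2
        if flags & L_BIT:                    # optional Length field
            (length,) = struct.unpack_from("!H", datagram, off)
            if length != len(datagram):
                raise ValueError("length field does not match datagram")
            off += 2
        tunnel_id, session_id = struct.unpack_from("!HH", datagram, off)
        off += 4
        off += 4 if flags & S_BIT else 0     # optional Ns/Nr sequence numbers
        if flags & O_BIT:                    # optional offset size + padding
            (pad,) = struct.unpack_from("!H", datagram, off)
            off += 2 + pad
    except struct.error:
        raise ValueError("truncated L2TP header") from None
    if off > len(datagram):
        raise ValueError("truncated L2TP header")
    return bool(flags & T_BIT), tunnel_id, session_id, datagram[off:]


def build_data(tunnel: int, session: int, payload: bytes) -> bytes:
    """Constructed sample: data message with no optional header fields."""
    return struct.pack("!HHH", 0x0002, tunnel, session) + payload


def demux(datagrams) -> dict:
    """Group data payloads by (tunnel, session); control messages are skipped."""
    sessions = defaultdict(list)
    for d in datagrams:
        control, tunnel, session, payload = parse_l2tp(d)
        if not control:
            sessions[(tunnel, session)].append(payload)
    return dict(sessions)


if __name__ == "__main__":  # constructed traffic: two sessions share tunnel 9
    pkts = [build_data(9, s, p) for s, p in ((1, b"a1"), (2, b"b1"), (1, b"a2"))]
    print(demux(pkts))
```

The payload comes back exactly as it was sent: the header identifies the tunnel and session but protects nothing, which is why L2TP is paired with IPSec.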

Strengths and weaknesses

Now we will take a look at two of the protocols already mentioned and headline some of the strengths and weaknesses between them.

Point-to-Point Tunnelling Protocol (PPTP)

Advantages

One of the first protocols to be used for Virtual Private Networks (VPN). Boasts an advantage of being widely available and easy to set up and uses little bandwidth to run.

Divides information to be transmitted into two messages consisting of control and data messages allowing transmission not just over IP protocols but NETBEUI and IPX/SPX protocols.

Supports various security measures such as authentication, encryption and packet filtering.

More affordable, requires less special hardware than other protocols.

Disadvantages

Control Message traffic not encrypted for a transmission session leaving it vulnerable to attack or hijacking.

The weakest in security of all the VPN protocols.

Less secure with Microsoft Point-to-Point Encryption (MPPE)

Connections only require user-level authentication through a PPP-based authentication protocol

Layer 2 Tunnelling Protocol (L2TP)

Advantages

Supports non-TCP/IP clients and protocols such as Frame Relay, ATM and SONET

Uses computer level encryption

IPSec provides end-to-end encryption for data sent between the nodes

Uses UDP which is faster

Disadvantages

Requires certificate infrastructure for issuing computer certificates

If something changes at one end with the security key, the other end will not work

May slow down with certain firewalls due to encapsulating data twice

Requires a lot of configuration to set it up including Public Key Infrastructure (PKI) and computer certificates.


