The Concept Of Tunnelling

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Schluting (2006) highlights the dependency of the computing world on various types of tunnelling, defining tunnelling as a mechanism which allows a foreign protocol to move across a network that would not normally support it. Alawieh, Ahmed & Mouftah (2008) define tunnelling as the use of an internetwork infrastructure to transfer data, whilst Hunt (1998) states that tunnelling is the encapsulation of data via a technique which allows for transmission over an interconnecting network. Microsoft (2011) highlights that this network technique of encapsulating one packet within another is utilised for the purpose of either compatibility or security.

More specifically, Forouzan (2007) states that tunnelling is the name given to the strategy employed when two computers using IPv6 need to communicate via a region that uses IPv4. Alternatively, Wright (2000) states that network traffic from multiple sources uses tunnelling to traverse the same infrastructure via separate channels, whilst also allowing network protocols to negotiate two incompatible infrastructures. Tunnelling also allows differentiation between traffic from multiple sources, allowing it to be directed to specific destinations for specific reasons. Wright gives the example of tunnelling techniques employed within a VPN, which allow the transmission of data packets across a public network via a private tunnel (simulating a point-to-point connection).

Strayer (2004) defines these tunnels as "special connections" between two physical points. Tunnels provide increased privacy by encrypting data so that it can only be deciphered by designated senders and receivers, effectively creating a point-to-point connection via a connectionless IP network (Schäfer, 2000).

WHY IS TUNNELLING USED?

Tunnelling can connect two different points which would not normally be able to communicate with each other, for example IPv4 and IPv6. A connection is formed which allows the transfer of encrypted data from one side to the other, where it is decrypted. Tunnelling can also be used in a situation where a main network can have one or many clients who access the server via a tunnel, using the same encapsulation method as above to transfer data between two networks in a secure manner.

This process is efficient in terms of security, speed and cost.

OSI LAYER OVERVIEW

The Open Systems Interconnection (OSI) Model is a seven layer model (Learning & Scholarly Technologies, 2011) which is used to describe both networks and network applications. The various layers are indicated below in Figure 1. Each layer groups together various communication functions. Each layer serves the one above it and is served by the layer below it.

Figure 1 OSI Model (Learning & Scholarly Technologies, University of Washington)

STANDARD TUNNELLING PROTOCOLS

There are a number of different tunnelling protocols available, which can be employed in a number of different situations. These include, but are not limited to: Generic Routing Encapsulation (GRE), Layer 2 Tunnelling Protocol (L2TP), Point to Point Tunnelling Protocol (PPTP) and Secure Socket Tunnelling Protocol (SSTP).

The next section of the report will deal with each of these in turn, providing a description of their main function and application area, why they were developed and their relative strengths and weakness in comparison to each other and why one might be more appropriate than another in certain circumstances.

GENERIC ROUTING ENCAPSULATION (GRE)

Generic Routing Encapsulation (GRE) is a transport layer protocol which was developed by Cisco Systems and is defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) document number 2784. It is commonly used by service providers to provide a managed Internet Protocol (IP) Virtual Private Network (VPN) service across an established IP network. It creates a virtual point-to-point link between two or more points, via a tunnel, across the internet (Schäfer, 2000). GRE can be used for tunnelling both IP and non-IP protocols. Packets for transfer are contained inside an outer IP packet for delivery, and this is known as ‘encapsulation’. The data is encrypted at one end, encapsulated within another packet, sent through the tunnel and decrypted at the other end. RFC 2784 (Farinacci et al., 2000) states that the original packet for delivery is referred to as the "payload packet". The payload is encapsulated in a GRE packet, and this packet can then be encapsulated within another protocol and forwarded, with this outer packet being referred to as the "delivery protocol".
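The encapsulation described above, and the IPv6-over-IPv4 case mentioned earlier in the essay, as an added example that is not part of the original essay or of any of its cited sources. It builds a GRE packet as laid out in RFC 2784 (Checksum Present bit, Reserved0, Version, Protocol Type, optional checksum), wraps it in an outer IPv4 "delivery" header with protocol number 47, and then reverses the process at the tunnel exit, rejecting packets with a bad checksum, a non-zero version or reserved bits 1-5 set. The addresses, the inner IPv6 packet and the payload are constructed sample values; note that a GRE checksum only detects corruption, since GRE itself provides no authentication or encryption:

```python
"""Added example: GRE (RFC 2784) encapsulation of an IPv6 packet inside IPv4.
Illustrative code written for this page; addresses and payloads are constructed."""
import ipaddress
import struct

GRE_IP_PROTOCOL = 47           # IANA protocol number for GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800        # GRE Protocol Type values are EtherTypes
ETHERTYPE_IPV6 = 0x86DD
GRE_C_BIT = 0x8000             # bit 0: Checksum Present
GRE_RESERVED0_STRICT = 0x7C00  # bits 1-5: receiver MUST discard if non-zero (RFC 2784 2.3.1)
GRE_VERSION_MASK = 0x0007      # bits 13-15: must be 0 for RFC 2784 GRE


def internet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry each step
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, protocol_type: int, with_checksum: bool = True) -> bytes:
    flags_ver = GRE_C_BIT if with_checksum else 0   # Reserved0 = 0, Ver = 0
    header = struct.pack("!HH", flags_ver, protocol_type)
    if with_checksum:
        # Checksum covers the GRE header (checksum field zeroed) plus the payload
        header += struct.pack("!HH", 0, 0)
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!HH", csum, 0)
    return header + payload


def gre_decapsulate(packet: bytes):
    """Validate a GRE packet and return (protocol_type, payload); ValueError on bad input."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, protocol_type = struct.unpack("!HH", packet[:4])
    if flags_ver & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    if flags_ver & GRE_RESERVED0_STRICT:
        raise ValueError("reserved bits 1-5 set")   # bits 6-12 are ignored per RFC 2784
    offset = 4
    if flags_ver & GRE_C_BIT:
        if len(packet) < 8:
            raise ValueError("checksum field missing")
        csum = struct.unpack("!H", packet[4:6])[0]
        zeroed = packet[:4] + b"\x00\x00" + packet[6:8]
        if internet_checksum(zeroed + packet[8:]) != csum:
            raise ValueError("GRE checksum mismatch")
        offset = 8
    return protocol_type, packet[offset:]


def gre_is_valid(packet: bytes) -> bool:
    try:
        gre_decapsulate(packet)
        return True
    except ValueError:
        return False


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl,
                         protocol, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]


def ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Constructed inner IPv6 packet (next header 59 = No Next Header, hop limit 64)."""
    header = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return header + payload


def tunnel(inner: bytes, outer_src: str, outer_dst: str, protocol_type: int) -> bytes:
    """Tunnel entry: payload packet -> GRE packet -> outer IPv4 (the delivery protocol)."""
    gre = gre_encapsulate(inner, protocol_type)
    return ipv4_header(outer_src, outer_dst, GRE_IP_PROTOCOL, len(gre)) + gre


def untunnel(wire: bytes):
    """Tunnel exit: check the delivery header, then strip it and the GRE header."""
    if len(wire) < 20 or wire[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (wire[0] & 0x0F) * 4
    total_len = struct.unpack("!H", wire[2:4])[0]
    if ihl < 20 or total_len > len(wire) or total_len < ihl:
        raise ValueError("bad IPv4 length fields")
    if internet_checksum(wire[:ihl]) != 0:   # header including its checksum sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    if wire[9] != GRE_IP_PROTOCOL:
        raise ValueError("outer packet is not GRE")
    return gre_decapsulate(wire[ihl:total_len])


if __name__ == "__main__":
    inner = ipv6_packet("2001:db8::1", "2001:db8::2", b"hello")
    wire = tunnel(inner, "192.0.2.1", "198.51.100.1", ETHERTYPE_IPV6)
    print(hex(untunnel(wire)[0]), untunnel(wire)[1] == inner, len(wire))
```

The tunnel exit validates the outer header before looking at the GRE header, which is the order a real tunnel endpoint follows: a packet that fails the delivery-layer checks is dropped before any inner protocol is parsed.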

Schäfer (2000) states that there is a shortage of security features within a GRE tunnel, and if clients require increased security then they may opt for an alternative such as Secure Sockets Layer (SSL), to ensure data is encrypted within a web browser, or they may choose a dual tunnelling protocol option involving IPSec. However, the latter option causes increased overheads. SSL and IPSec will be discussed in greater detail later in the report.

There are some disadvantages associated with GRE in relation to IP tunnels for Customer Premises Equipment (CPE). To avoid overloading routes with high volumes of network traffic, it is preferable to provide a complete web of tunnels, however, this has implications in terms of cost to set up and manage/maintain.

LAYER 2 TUNNELLING PROTOCOL (L2TP)

Microsoft (2009) states that Layer 2 Tunnelling Protocol (L2TP) is an Internet Engineering Task Force (IETF) standard tunnelling protocol. It was developed by combining features from Microsoft's PPTP (Point to Point Tunnelling Protocol) and Cisco Systems' Layer 2 Forwarding (L2F). L2TP is described by IETF RFC 2661 (Townsley et al., 1999).

Microsoft (2011) states that L2TP is regarded as the industry standard with regards to the formation of secure tunnels. The protocol requires the authentication of the identity of all users, through the use of either a computer certificate or a pre-shared key. Working closely with IPSec, L2TP creates an L2TP header that is attached to the Point-to-Point Protocol (PPP) frame, and this is subsequently packaged within a User Datagram Protocol (UDP) datagram. IPSec then works in conjunction with L2TP to provide additional security on top of this original encapsulation (Rossberg & Schaefer, 2011). The datagram is further encapsulated with the IPSec Encapsulating Security Payload (ESP) protocol (Townsley et al., 1999), effectively resulting in a double encapsulation which can be transmitted over various networks, including TCP/IP and X.25.

The L2TP/IPSec protocol grouping is the preferred option for Virtual Private Network (VPN) connections for Windows XP clients. The collaboration extends to the generation of encryption keys via IPSec’s Internet Key Exchange (IKE), with the partnership offering a more cohesive range of services than those offered by other protocols such as PPTP (Microsoft, 2011).

Rossberg & Schaefer (2011) and Liu & Wu (2002) identify that L2TP operates at the data link layer (layer 2) of the Open Systems Interconnection (OSI) Model. In an unsecured network, L2TP has the capability to establish user authenticated tunnels (as does PPTP). However, unlike PPTP, it requires a mandatory IPSec protection layer in such a network.

In addition to running over UDP and IP, IETF RFC 3070 (Rawat et al., 2001) states that it is also possible to implement L2TP over Frame Relay Permanent Virtual Circuits (PVCs) and Switched Virtual Circuits (SVCs).

POINT-TO-POINT TUNNELLING PROTOCOL (PPTP)

As with L2TP, Point-to-Point Tunnelling Protocol (PPTP) operates at the data link layer (layer 2) of the OSI model (Liu & Wu, 2002). It securely enables the transfer of data between remote clients and private servers via a VPN connection over the internet. These VPNs are created across TCP/IP-based data networks (Cisco, 2010).

PPTP uses a modified version of GRE to encapsulate PPP frames within IP datagrams which can then be transmitted across either an IP network or a public IP network like the internet. Security of the encapsulated PPP frames is ensured through the use of encryption or compression, or both. Encryption keys are generated by either Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) (Technet, 2009).

RFC 2637 (Hamzeh, 1999) outlines PPTP and its use for the tunnelling of PPP frames via an IP network. The use of GRE makes best use of the available bandwidth and avoids issues such as unnecessary retransmissions, as well as buffer overruns.
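The "modified version of GRE" that the two paragraphs above refer to is the enhanced GRE header of RFC 2637 section 4.1: version 1, protocol type 0x880B, a mandatory Key field split into Payload Length and Call ID, and optional Sequence and Acknowledgment numbers; the C, R, s, Recur and Flags bits must be zero. The following is an added example written for this page, not code from the essay or from any PPTP implementation, that builds and validates such a header and keeps simple per-call receive state. The PPP frame bytes and call IDs are constructed, and the receive policy (drop any packet whose sequence number is not above the highest already seen, since GRE offers no retransmission) is an assumption made for the example and does not cover 32-bit sequence wraparound:

```python
"""Added example: PPTP's enhanced GRE header (RFC 2637 4.1) parsed and validated.
Illustrative code for this page; call IDs and PPP frame bytes are constructed."""
import struct

PPTP_GRE_PROTOCOL_TYPE = 0x880B   # Protocol Type for PPP carried in enhanced GRE
PPTP_GRE_VERSION = 1              # Ver field must be 1 for enhanced GRE
FLAG_C = 0x8000      # checksum present: must be 0 in PPTP
FLAG_R = 0x4000      # routing present: must be 0
FLAG_K = 0x2000      # key present: must be 1 (Key = Payload Length + Call ID)
FLAG_S = 0x1000      # sequence number present
FLAG_s = 0x0800      # strict source route: must be 0
RECUR_MASK = 0x0700  # recursion control: must be 0
FLAG_A = 0x0080      # acknowledgment number present
FLAGS_MASK = 0x0078  # Flags field: must be 0
VER_MASK = 0x0007


def build_pptp_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Build one enhanced GRE packet carrying a PPP frame for the given call."""
    flags = FLAG_K | PPTP_GRE_VERSION
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    header = struct.pack("!HHHH", flags, PPTP_GRE_PROTOCOL_TYPE, len(payload), call_id)
    if seq is not None:
        header += struct.pack("!I", seq)
    if ack is not None:
        header += struct.pack("!I", ack)
    return header + payload


def parse_pptp_gre(packet: bytes) -> dict:
    """Parse an enhanced GRE packet; raise ValueError if it violates RFC 2637."""
    if len(packet) < 8:
        raise ValueError("truncated header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != PPTP_GRE_PROTOCOL_TYPE:
        raise ValueError("protocol type is not PPP (0x880B)")
    if (flags & VER_MASK) != PPTP_GRE_VERSION:
        raise ValueError("version must be 1")
    if flags & (FLAG_C | FLAG_R | FLAG_s | RECUR_MASK | FLAGS_MASK):
        raise ValueError("C, R, s, Recur and Flags must be zero")
    if not flags & FLAG_K:
        raise ValueError("key (payload length + call ID) must be present")
    offset = 8 + (4 if flags & FLAG_S else 0) + (4 if flags & FLAG_A else 0)
    if len(packet) < offset + payload_len:
        raise ValueError("packet shorter than its optional fields plus Payload Length")
    pos, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq = struct.unpack("!I", packet[pos:pos + 4])[0]
        pos += 4
    if flags & FLAG_A:
        ack = struct.unpack("!I", packet[pos:pos + 4])[0]
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload": packet[offset:offset + payload_len]}


class PptpCallReceiver:
    """Per-call receive state: highest sequence number seen and the peer's latest ack.
    Assumption for this example: packets whose sequence number is not greater than the
    highest already received are treated as duplicates or late arrivals and dropped."""

    def __init__(self, call_id: int):
        self.call_id = call_id
        self.highest_seq = None
        self.peer_acked = None
        self.delivered = []

    def receive(self, packet: bytes) -> str:
        try:
            fields = parse_pptp_gre(packet)
        except ValueError:
            return "malformed"
        if fields["call_id"] != self.call_id:
            return "wrong-call"
        if fields["ack"] is not None:
            self.peer_acked = fields["ack"]   # flow-control information from the peer
        if fields["seq"] is not None:
            if self.highest_seq is not None and fields["seq"] <= self.highest_seq:
                return "out-of-sequence"
            self.highest_seq = fields["seq"]
        self.delivered.append(fields["payload"])
        return "delivered"
```

Rejecting a packet for a call ID the receiver does not know, and refusing headers with forbidden bits set, is the kind of input validation a tunnel endpoint needs before it hands the inner PPP frame to the next layer.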

With enhanced levels of security, PPTP was originally developed as an extension of the Point-to-Point Protocol (PPP) and now the transfer of data via a PPTP enabled VPN is equally as secure as the transfer of data across a single Local Area Network (LAN). All security checks and validations are performed by the tunnel server, as well as data encryption, meaning that it is safer than older protocols in terms of sending information over non-secure networks (Microsoft, 2013).

No dial-up connection is required for PPTP, however IP connectivity between the computer and the server is necessary.

As PPTP allows multiprotocol encapsulation, it is possible to send different types of packet over the internet, including Internetwork Packet Exchange (IPX) (Technet, 1996).

SECURE SOCKET TUNNELLING PROTOCOL (SSTP)

The introduction of the Secure Sockets Layer (SSL) protocol allowed for the creation of a secure connection between client and server and saw an industry trend towards SSL-based VPNs (Shinder, 2010). Microsoft then introduced Secure Socket Tunnelling Protocol (SSTP) with Windows Server 2008, for use by clients running Windows Vista SP1 or later (Microsoft, 2011). SSTP is integrated into Routing and Remote Access (RRAS) and uses the successor to SSL, Transport Layer Security (TLS).

To pass through firewalls and web proxies that can block PPTP and L2TP/IPSec, without requiring computer certificates or pre-shared keys, SSTP uses the Hypertext Transfer Protocol Secure (HTTPS) protocol over Transmission Control Protocol (TCP) port 443 (Microsoft, 2011).

Microsoft (2011) states that SSTP uses the Secure Sockets Layer (SSL) protocol (which is supported by the majority of web servers) to encapsulate PPP frames. As SSTP uses the same TCP port 443 as SSL, there is no need for administrators to open additional external firewall ports on the server.

For authentication purposes SSTP uses certificates and, in addition to data encryption, provides integrity checking and enhanced key negotiation services (Microsoft, 2011).

Improvements on weaknesses present in PPTP and L2TP VPN technology led to the introduction of SSTP and it is now commonly felt to provide the most secure access to the internet (Purevpn, 2011).

SSTP operates at the application layer of the OSI model (REF, ????).

LINKS BETWEEN TUNNELLING PROTOCOLS AND OTHER PROTOCOLS

INTERNET PROTOCOL SECURITY (IPSec)

Working at layer 3 (network layer) of the OSI model (Morimoto et al., 2010), IPSec (Internet Protocol Security) provides standards which outline how to safeguard communications over IP networks via tools including data origin authentication and replay protection (Microsoft, 2003).
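The two services named in this paragraph, data origin authentication and replay protection, as an added example written for this page rather than code from the essay or any IPSec implementation. It follows the shape of ESP (RFC 4303) in simplified form: a packet carries an SPI, a sequence number, the payload and an HMAC-SHA256 integrity check value (ICV) over all three, and the receiver keeps a 64-entry sliding anti-replay window in the style of RFC 4303 Appendix A. The key, SPI values and payloads are constructed sample values; there is no encryption, ESP trailer or extended sequence number, and in real IPSec the key would come from IKE:

```python
"""Added example: ESP-style data origin authentication and anti-replay window.
Simplified illustration for this page; key, SPI and payloads are constructed."""
import hashlib
import hmac
import struct

WINDOW_SIZE = 64   # RFC 4303 requires a minimum window of 32; 64 is a common default
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"   # in real IPSec negotiated via IKE
ICV_LEN = 32       # full HMAC-SHA256 output; real ESP usually truncates the ICV


def icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Integrity Check Value over everything the receiver will trust."""
    return hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()


def esp_like_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """SPI (4) | Sequence Number (4) | payload | ICV (32)."""
    return struct.pack("!II", spi, seq) + payload + icv(key, spi, seq, payload)


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 Appendix A style bitmap).
    Bit i records whether sequence number (highest - i) has been seen."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.mask = (1 << size) - 1
        self.highest = 0     # sequence numbers start at 1, so 0 means nothing received yet
        self.bitmap = 0

    def check(self, seq: int) -> str:
        """Classify seq without changing state: 'new', 'replay' or 'stale'."""
        if seq == 0:
            return "stale"
        if seq > self.highest:
            return "new"
        diff = self.highest - seq
        if diff >= self.size:
            return "stale"          # fell off the left edge of the window
        return "replay" if (self.bitmap >> diff) & 1 else "new"

    def mark(self, seq: int) -> None:
        """Record seq as received. Call only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class InboundSA:
    """Receive side of one security association: its SPI, key and replay window."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.window = spi, key, ReplayWindow()
        self.accepted = []

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "malformed"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "unknown-spi"
        # Cheap replay pre-check first, as RFC 4303 does, then the costlier ICV check
        verdict = self.window.check(seq)
        if verdict != "new":
            return verdict
        payload, tag = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(tag, icv(self.key, spi, seq, payload)):
            return "bad-icv"        # window state is NOT advanced on authentication failure
        self.window.mark(seq)       # only authenticated packets move the window
        self.accepted.append(payload)
        return "accepted"
```

The order of checks matters: the window is consulted before the HMAC so that replayed packets cost little to reject, but it is only updated after the ICV verifies, so a forged packet with a high sequence number cannot push genuine in-flight packets out of the window.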

Schäfer (2000) states that IPSec can only be used for tunnelling IP protocols and does not support non-IP protocols.

As mentioned previously in the GRE section, there are some disadvantages associated with IPSec in relation to IP tunnels for Customer Premises Equipment (CPE). A complete web of tunnels would avoid high volumes of network traffic potentially overloading the system. However, there are associated costs in terms of key distribution, key management and peering configuration to set up such a system.

Service Providers commonly favour IPSec due to its in-built security capabilities. IPSec provides encryption which is used in conjunction with L2TP to provide security (Microsoft, 2011).

Providing a high standard of security via encryption and authentication, IPSec is now one of the most widely used network security technologies and provides major cost savings when connecting an organisation's branch offices with remote users (Cisco, 2013).

IPSec is used in conjunction with L2TP and is referred to as L2TP/IPSec. This combination allows the encryption and transfer of multiprotocol traffic across any format which supports the delivery of point-to-point datagrams (Technet, 2009).

RFC 3193 (Aboba et al., 2001) discusses how IPSec can help to protect L2TP traffic across IP networks.

INTERNET KEY EXCHANGE PROTOCOL VERSION 2 (IKEV2)

Datagrams are encapsulated for network transmission in IKEv2 by using IPSec ESP or AH headers. A VPN with IKEv2 in use means that when clients move between wireless hotspots or switch to a wired connection, there is greater resilience built in to the system.

Only Windows 7 and Windows Server 2008 R2 operating systems support the use of IKEv2.

RFC 4306 (Kaufman, 2006) states that as an element of IPSec, IKEv2 is used to perform mutual authentication between parties and helps to provide security associations.

CONCLUSION

In conclusion, there are a range of tunnelling protocols available which allow the encapsulation and encryption of data for transfer between two points in a secure network environment, via a ‘tunnel’. Whilst not an exhaustive list, those protocols described here represent the main tunnelling methods in use.

Each protocol provides a different method of achieving the same aim: to transfer data from one end of the tunnel to the other in a secure, speedy and cost efficient manner without increasing network congestion.

It would appear that when a protocol has been in use for some time and issues have been identified for improvement, a new version or an entirely new protocol is created, refining the characteristics of previous incarnations. SSTP appears to provide the most secure remote access connection across the internet.
