The General Routing Encapsulation


02 Nov 2017


Network Design

B00240949

Introduction

The purpose of this report is to discuss, investigate and compare solutions to a particular networking problem. The report first defines what tunnelling is and why it is used. It then describes a number of standardised tunnelling protocols, explains why they were developed, and describes their relative strengths and weaknesses and the circumstances in which one protocol is preferred over the others, before mentioning other protocols that are closely related to each other.

Tunnelling

Tunnelling is defined as a method that allows one network to transfer its data over another network securely. A tunnelling protocol is used by a computer network when the delivery protocol encapsulates an incompatible payload protocol at the same or a lower OSI layer. It is known as a tunnel because it "pushes through" packets of different types. A tunnelling protocol is also known as an "encapsulating protocol" because many network protocols perform encapsulation. Tunnelling operates at layer 2 and layer 3: for example, General Routing Encapsulation (GRE) and IPSec are layer 3 protocols, while Point-to-Point Tunnelling Protocol (PPTP) and Layer 2 Tunnelling Protocol (L2TP) are well known as layer 2 protocols.

Purpose

Tunnelling is used as the best solution to a wide variety of computer networking problems. It is used to transfer a payload over an incompatible delivery network, and hence provides safe passage through an untrusted network. A tunnelling protocol provides data encryption, which is used to send unprotected payload protocols over a public network such as the internet, thereby providing the functionality of a VPN. A tunnelling protocol also preserves the integrity and confidentiality of data that is being sent across an untrusted network.

Tunnelling protocols

There are 4 common types of tunnelling protocols:

Layer 2 Tunnelling Protocol (L2TP)

Point-to-Point Tunnelling Protocol (PPTP)

General Routing Encapsulation (GRE)

Internet Protocol Security (IPSec)

Layer 2 Tunnelling Protocols

L2TP is an IETF protocol (RFC 2661) that enables remote users to access the corporate network. The L2TP packet, consisting of the payload and the L2TP header, is transferred within User Data Protocol (UDP); UDP is transparent to higher-level protocols. Usually a PPP session is carried within the L2TP tunnel. IP packets are encapsulated by PPP from the user's PC to the ISP, and L2TP then extends it across the internet, which enables ISPs to operate VPNs (Virtual Private Networks). L2TP doesn't provide authentication, confidentiality and integrity by itself; it relies on IPSec to provide security (L2TP/IPSec). L2TP is a combination of PPTP from Microsoft and L2F (Layer 2 Forwarding) from Cisco Systems.

Several elements take part in the L2TP tunnelling protocol: the LAC (L2TP access concentrator), the LNS (L2TP network server) and the NAS (Network Access Services). A tunnel is established between the LAC and the LNS; once it is established, the network traffic is bidirectional. L2TP sessions and tunnels are established as follows. A PPP connection is initiated by a remote user to the NAS, and the NAS accepts the call. An authorization server for the NAS provides the end-user authentication. The LAC is triggered by the end user's attempt to begin a connection with the LNS, in order to build a tunnel at the edge of the corporate network. Every end-to-end attempt to start a connection is managed by the LAC with a session call. The datagrams are sent within the LAC-LNS tunnel. Every LAC and LNS device keeps track of the connected users' status. An authentication server also authenticates the remote user at the LNS gateway before the tunnel connection is accepted; the LNS then accepts the call and builds up an L2TP tunnel. The NAS accepts the call, and the LNS then exchanges the PPP negotiation with the remote user. End-to-end data is therefore tunnelled between the remote user and the LNS.

General Routing Encapsulation

This tunnelling protocol (RFC 1701), designed by Cisco, encapsulates different types of network-layer protocol inside IP packets for VPNs; PPTP, for example, is based on GRE. This is necessary because encryption is performed on the encapsulated packet. It is not only the data in the packet that is encrypted: the entire packet, including the routing information, is encrypted. However, GRE doesn't provide encryption by itself; it relies on IPSec to provide encryption. GRE also uses IPSec to send routing protocol data from one router to another.

A GRE packet has to be encapsulated and routed. The GRE packet encapsulates the payload, which includes a route. As the IETF states, "The resulting GRE packet can then be encapsulated in some other protocol and then forwarded". GRE tunnelling uses the whole packet as its payload and then adds a GRE header. GRE-encapsulated packets are forwarded no differently from other packets. When a GRE packet is received, the receiver has to determine that it is a GRE packet. Once that is determined, the key, sequence number and checksum fields are checked; if the routing bit is set to 1, the address field is checked to determine the semantics and use of the SRE length, SRE offset and routing information fields. Once the source route is complete, the GRE header is removed and the payload packet is forwarded as a normal packet.
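
The receive-side checks described above, as an added example (not part of the original essay): a Python parser for the RFC 1701 GRE header that rejects truncated packets, non-zero version numbers, bad checksums and source route entries that overrun the packet. The field layout follows RFC 1701; `parse_gre`, `inet_checksum` and `SAMPLE` are names chosen here, and the sample packet is constructed.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """Internet (one's complement) checksum; 0 over data holding a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_gre(pkt: bytes) -> dict:
    """Validate an RFC 1701 GRE header and return its fields and payload."""
    if len(pkt) < 4:
        raise ValueError("truncated base header")
    flags, proto = struct.unpack_from("!HH", pkt, 0)
    c, r, k, s = (bool(flags & bit) for bit in (0x8000, 0x4000, 0x2000, 0x1000))
    if flags & 0x0007:
        raise ValueError("unsupported version")
    out = {"protocol": proto, "key": None, "seq": None, "sres": []}
    off = 4
    if len(pkt) < off + 4 * ((c or r) + k + s):
        raise ValueError("truncated optional fields")
    if c or r:  # checksum and offset words are present together
        if c and inet_checksum(pkt) != 0:  # covers GRE header and payload
            raise ValueError("bad checksum")
        off += 4
    if k:
        out["key"] = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if s:
        out["seq"] = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    while r:  # walk Source Route Entries until the NULL SRE
        if len(pkt) < off + 4:
            raise ValueError("truncated SRE")
        family, sre_off, sre_len = struct.unpack_from("!HBB", pkt, off)
        off += 4
        if family == 0 and sre_len == 0:
            break
        if len(pkt) < off + sre_len:
            raise ValueError("SRE length exceeds packet")
        out["sres"].append((family, sre_off, pkt[off:off + sre_len]))
        off += sre_len
    out["payload"] = pkt[off:]  # what is forwarded once the header is removed
    return out

# Constructed sample: K and S set, protocol 0x0800, key 7, sequence 1.
SAMPLE = bytes.fromhex("300008000000000700000001") + b"payload"
```

The version check means this parser rejects the modified GRE header that PPTP uses, which carries version 1.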

Point-to-Point Tunnelling Protocol

This tunnelling protocol (RFC 2637) was designed by Microsoft to enable data to be transferred securely from a remote client to an enterprise server by implementing VPNs across TCP/IP. It works at the data link layer of the OSI model. It doesn't support multipoint connections; it supports point-to-point connections, for example IP, IPX, NetBEUI and NetBIOS. PPTP encapsulates any type of network protocol and transports it over IP. If IP is the original protocol, IP packets are carried as encrypted messages within PPTP packets running over IP.

PPTP is an extension of the PPP (Point-to-Point) protocol and GRE (General Routing Encapsulation). Since it is from Microsoft, it provides encryption via RC4-based Microsoft Point-to-Point Encryption (MPPE). PPTP is authenticated by EAP-TLS or MSCHAP-V2. PPTP has been replaced by implementations of L2TP; however, some customers are still solving PPTP problems.

Internet Protocol Security (IPSec)

IPSec is an IETF standard protocol designed for the security of IP. It works at layer 3, and everything in the network is secured. IPSec protects data transferred between two hosts, between two security gateways, or between a gateway and a host. Unlike other security systems, IPSec can also protect applications that were not designed to use it. "At the start of a session, IPSec allows agents to establish mutual authentication and agreement of cryptographic keys that are to be used during the session" (Imelda M, 11th July 2011).

Both IPv4 and IPv6 support IPSec. IPSec is designed for the IP protocol; it therefore has wide industry support for VPNs over the internet. IPSec provides authentication, data integrity and replay protection, and the secure creation and automatic refresh of cryptographic keys. To provide security, IPSec uses strong cryptographic algorithms. It provides certificate-based authentication. IPSec also provides security for L2TP and PPTP.

It uses the Authentication Header (AH) and Encapsulation Security Payload (ESP) to perform several operations. AH provides data integrity and authentication and protects against replay attacks. ESP provides origin authenticity, integrity and confidentiality; it supports both authentication of the sender and encryption of data. "The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol" (Margaret Rouse, November 2010).

L2TP/IPSEC

L2TP is combined with IPSec (RFC 3193) to provide encryption. L2TP over IPSec is the strongest protocol. L2TP can be secured with IPSec by using either a direct L2TP-over-IP encapsulation or UDP/IP encapsulation, which makes NAT traversal easy. L2TP/IPSec uses IKE by default. It uses an ESP SA in either tunnel mode (support is optional) or transport mode (support is needed).

An SA (Security Association) is used to protect L2TP traffic, which establishes the layer 2 tunnel. Since L2TP/IPSec is a combination of two protocols that are both involved in authentication, it uses two distinct authentication procedures: one for the user, with username and password, and another for the machine, using IPSec with certificates or pre-shared keys. L2TP/IPSec is supported on modern platforms. For example, on Windows, L2TP/IPSec can be enabled when creating a new connection with the "connect to a workplace" option.

Differences between L2TP and PPTP

L2TP combines the best features of PPTP and L2F (Layer 2 Forwarding), developed by Cisco, while PPTP was designed by Microsoft. L2TP combines the PPTP data and control channels, as it runs over a faster transport-layer protocol, UDP (User Data Protocol); L2TP is therefore known to be more firewall friendly than PPTP, since GRE is not supported.

PPTP uses TCP and a modified version of General Routing Encapsulation (GRE), while L2TP uses UDP and can be used over ATM, X.25 and Frame Relay.

When security is a major concern, L2TP is a suitable option as it needs a certificate, unlike PPTP. "Because of this, bodies responsible for standardization are inclined towards on L2TP" (Ian, 27th July 2011). L2TP is more secure; however, it tends to be more complicated than PPTP.

PPTP is easy to use and set up; however, in terms of efficiency and functionality it is defeated by L2TP. PPTP is old but still found to be more practical and popular, since it was developed by Microsoft.

Control and stream data in PPTP are separated; control data are run over TCP and stream data are run over GRE while L2TP transports both streams together.

Encryption in PPTP is provided by MPPE, while L2TP uses IPSec to provide encryption, a combination known as L2TP/IPSec.

In general both protocols are useful; the circumstances in which one might be preferred depend on the user's requirements. L2TP is a better option when security is a priority. For attainable access as well, it would be more possible. However, when it comes to speed PPTP is better, as it is low on encryption and hence carries less overhead.

Conclusion

When deciding the best solution to particular network problems, tunnelling is recommended. Tunnelling is the encapsulation of data packets in a packet of a new protocol format. The success of a network configuration in terms of functionality, security, scalability and performance depends on the tunnelling protocol chosen. L2TP is a good replacement for PPTP and is a combination of L2F and PPTP. However, L2TP doesn't provide encryption, authentication and data integrity by itself; it relies on IPSec, a combination known as L2TP/IPSec. It is recommended to use L2TP/IPSec, as it is the strongest protocol that provides encryption. PPTP is known as the weakest protocol when it comes to security and is less often implemented these days, but it is easier to use and set up. IPSec is mostly used for security; it can provide authentication, data integrity, encryption and replay protection. When multiple protocols are needed, GRE is a good protocol to add to the selected tunnelling protocols. When designing technologies, it is recommended to avoid multiple vendors due to possible incompatibilities.


