The History Of The Tunnelling Protocols


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

NETWORK DESIGN COMP09022

TUNNELLING PROTOCOLS

B00236385


Introduction

This report discusses tunnelling protocols: what tunnelling is, why tunnelling is used, and the different types of tunnelling protocol. The protocols described are also compared with one another by their advantages and disadvantages, to give a clear understanding of why one might be chosen over another. The report also briefly covers how other protocols relate to tunnelling protocols.

What is tunnelling and why do we use it?

Tunnelling basically creates and uses a secure link over an unsecure network by encapsulating a packet of one protocol within the datagram of a different protocol. It involves three types of protocol: the carrier protocol, which is used by the network the data is transmitted over (for example, IP); an encapsulating protocol, which provides the datagram; and the passenger protocol, which contains the original packet (Rackley, 2011). Tunnelling technology is usually based on layer 2 or layer 3 of the OSI model, layer 2 being the data link layer and layer 3 being the network layer; most if not all protocols fall under these two layers (refer to figure 1.1). (Barry D. Lewis, 2004)

Figure 1.1 OSI Model (Verma, 2012)

Tunnelling protocols were developed to create security between connected systems, so that the channels they use are secure and private. Most tunnelling protocols use encryption, which allows data to be sent securely; this can include sending private addresses over a public network. Tunnelling protocols secure the data using different encryption techniques and are commonly used for VPN (Virtual Private Network) connections.

Tunnelling Protocols

Generic Routing Encapsulation (GRE)

Generic Routing Encapsulation (GRE) was originally developed as a tunnelling tool to carry any OSI layer 3 protocol over an IP network; basically it creates a private point-to-point connection, which is very similar to a VPN. The GRE protocol encapsulates packets so that it can route other protocols over IP networks. As GRE is a routing protocol that works by encapsulating, it encapsulates a payload, which is the inner packet being delivered to its destination. GRE has many advantages: it can transport multicast and IPv6 traffic between networks, it can encase multiple protocols over a single protocol, it provides workarounds for networks with limited hops, it connects discontinuous sub-networks and it can also allow VPNs across WANs (Wide Area Networks). Despite these advantages, GRE is not widely used because it is an unsecure protocol: unlike IPSec (IP Security), it doesn’t encrypt the data. (Tessa Parmenter, 2011)

Although GRE isn’t very secure, there are a few reasons why it would be used. It is simple and flexible, and it provides some useful features. As mentioned above, GRE can carry multiple protocols, and it can also route protocols that might be considered non-routable, such as IPX or AppleTalk, through an IP network. Finally, it is very easy to debug because of its lack of security: since it doesn’t use encryption or authentication, connectivity can be verified simply by pinging through the tunnel or to the destination addresses, without the hassle of authentication and encryption. (Kevin Dooley, 2008)

Point to Point Tunnelling Protocol (PPTP)

PPTP is Microsoft’s extension of PPP (Point to Point Protocol), an established standard used to set up a WAN link over a remote access connection (Shinder D. L., 2001). PPTP is part of Microsoft’s Windows operating systems and is one of the most deployed tunnelling protocols; it is also supported on devices from other manufacturers. As well as being supported beyond Microsoft’s own products, it can support protocols other than TCP/IP. Unlike GRE, PPTP uses encryption, so it can encrypt IP traffic and then encapsulate it in an IP header, which is then sent across a public IP network such as the internet. PPTP uses the PPP protocol for encryption. (Ciampa, 2008)

Figure 1.2 PPTP (Ciampa, 2008)

The diagram above shows a PPTP connection. It includes a client machine, a Network Access Server (NAS), a PPTP server, a PPP connection between the client and the NAS, a PPTP connection between the client and the PPTP server, the internet and, at the end, a remote network. The client first connects to the NAS via a cable modem, DSL or dial-up. Once this connection is up and running, another connection is made from the NAS to the PPTP server, which goes through the internet or another unsecure network. This creates the PPTP connection, which allows communication between the client and the PPTP server using a TCP port. (Ciampa, 2008)

Although PPTP is already an extended version of PPP, there is also another extension of the PPTP protocol, which is the LCP (Link Control Protocol). The LCP’s job is to set up, configure and automatically test the connection. (Ciampa, 2008)

The main reason for using PPTP, and the main reason it became so popular, is that it’s easy to configure; it was also the first VPN protocol that was supported by Microsoft Dial-Up Networking. From Windows 95 onwards all Microsoft operating systems have a PPTP client, and clients are also available on Linux and Mac OS X. (Ciampa, 2008)

Secure Socket Tunnelling Protocol (SSTP)

SSTP is the newest of the tunnelling protocols to date and is available as a feature in Windows Server 2008, Vista SP1 and above. SSTP allows the creation of a VPN connection from a remote access client. SSTP clients work by tunnelling through NAT (Network Address Translation) routers, firewalls and proxies to a remote access server and RRAS (Routing and Remote Access Service) server (Sosinsky, 2008). SSTP works by encapsulating PPP packets and transmitting them over a HTTP connection, which allows a VPN connection to be set up much more easily through devices such as the NAT routers and firewalls mentioned above (Panek, 2010). HTTPS is the transport layer for SSTP, making the traffic appear as if it is regular secure web traffic over HTTP (port 80) or HTTPS (port 443).

Figure 1.3 SSTP (Sosinsky, 2008)

The diagram above shows the architecture of an SSTP packet that has been encapsulated and is used by an SSTP VPN connection.

As you can see, the header information includes the IPv4/IPv6 and TCP packets; these are the packets that are encapsulated first using the Point-to-Point Protocol, followed by the SSTP header. SSTP is highlighted under the SSL-encrypted part, which shows that it is encrypted here, using public and private certificate keys. After the encryption of the SSTP header, the TCP header and the IPv4/IPv6 header are added to give the targeting information for the packet from client to server. (Sosinsky, 2008)

The SSTP server must have a certificate with the Server Authentication Enhanced Key Usage (EKU) to be able to work correctly. The EKU is also needed when an SSL session is connected, as it authenticates the server to the client. The client then validates the server certificate with the certificate authority (CA); however, it must have the root certificate of the CA installed to be able to validate the server certificate.

Figure 1.4 EKU (Shinder T. , 2009)

An SSTP connection is a VPN tunnel, and it acts as a peer to Layer 2 Tunnelling Protocol and PPTP VPN tunnels. PPP traffic is encapsulated by SSTP and then framed to be compatible with HTTPS traffic. The encapsulation plays a big part in making sure that the HTTPS traffic can still be treated like a VPN tunnel: it can still have policies such as NAP (Network Access Protection) applied to it, it can still be run as IPv6 traffic if that is required, and it remains compatible with the different authentication methods needed by VPN clients, for example logons, smart cards and connection managers. (Sosinsky, 2008)

As SSTP is the newest protocol you would imagine it would be the best, and you would probably be right. The advantages of using SSTP are that it is a very flexible protocol, it is reliable and, for the job it does, it is very cost efficient as well. Therefore, if you are using an extremely expensive VPN solution such as Cisco, you now have the option of using SSTP, as it is just as reliable and secure without costing an absolute fortune (Shinder T. W., 2009). SSTP is therefore considered the best option for securing a VPN connection.

Comparison of GRE PPTP and SSTP

Choosing a tunnelling protocol will always boil down to how secure it is, how reliable it is, how flexible it is, what platforms it is available on and so on. These are the things to think about when selecting an appropriate protocol to use.

GRE is the oldest of the protocols described above, yet people still consider it an option because it is easy to configure and very flexible. It can also provide for multi-protocol networks over a single-protocol backbone. Although it makes things easier for the user in terms of debugging and configuring, it does have one slight disadvantage, which is security. Unlike PPTP and SSTP, GRE provides no security whatsoever, and in today’s society security is considered vitally important.

PPTP is actually the most deployed tunnelling protocol, as mentioned earlier. It has slight similarities with GRE, such as being easy to configure and supporting protocols other than its own; however, it is moderately secure, which may be why it is the most deployed tunnelling protocol. It encrypts its data, unlike GRE, which doesn’t use any kind of encryption or authentication.

SSTP is considered the best option for a VPN connection, as it tops both PPTP and GRE in security: it uses both authentication and encryption, making it very secure. It is again quite similar to both GRE and PPTP in its abilities, as it is able to support multiple TCP ports. More overhead is required when using SSTP because of its strong security, and this is why SSTP is considered more reliable and flexible rather than having the simplicity of configuration and use that GRE and PPTP do. It is also only available on Windows Server 2008 or above and Windows Vista SP1 and above, so it is quite restricted on the compatibility side of things, whereas PPTP is available from Windows 95 onwards.

If security is what is required then SSTP is definitely the way to go, but if security isn’t a huge concern then sticking with PPTP might be advisable, as it doesn’t require as much overhead as SSTP and is easily configured.

Links between tunnelling protocols and other protocols

IPsec (IP Security)

IPsec is a method of security to protect data sent between two computers on an IP network. IPsec is not restricted to Windows; it is based on the standards developed by the IETF (Internet Engineering Task Force) and is defined under RFC 2401 (Atkinson, 1998).

IPsec provides a set of security services which include data authentication, data origin authentication, data integrity, anti-replay protection and of course encryption.

Overlay VPNs can support IP multicast when both GRE and IPsec are used. When GRE tunnelling joins together with IPsec a secure tunnel can be created to support unicast, broadcast and multicast traffic between the two points, but this is only when IPsec is combined with a GRE tunnel. (Tiso, 2011)

LCP (Link Control Protocol)

LCP was briefly mentioned earlier in the report as working with PPP/PPTP. LCP has a vast amount of responsibility towards PPP: it looks after the whole operation and supervises the tasks of other protocols, so basically LCP rules PPP. LCP controls links, and for each link there are three stages in which LCP plays a vital part. The first is Link Configuration, the process of establishing and negotiating the parameters of a link. The second is Link Maintenance, which is basically managing an opened link. The last is Link Termination, which, exactly as it sounds, closes the current link when it is no longer required. (Kozierok, 2005)

Conclusion

To conclude, there are many protocols available that allow data transfer over a secure link. The protocols listed and described are some of the better known or more commonly used ones. Each has been developed for a purpose, and over the years they have become increasingly better, whether through increased security or through being easy to use and configure; these are always factors to take into consideration when choosing the best protocol for your network. Where VPN is concerned, SSTP is the best choice by far for its advanced security.


