The Point To Point Tunnelling Protocol


02 Nov 2017


Tunnelling Report

Abstract

Tunnelling is a technology that enables a network to send data via another network’s connection. This report will outline what tunnelling is and why it’s used, some of the protocols that it implements, as well as outlining their relative strengths and weaknesses.

Introduction

Tunnelling is the secure movement of data from one network to another and involves allowing private network traffic to be sent across a public network, such as the Internet. As packets travel through the tunnel they are encrypted using a process called encapsulation. The encapsulation process allows data packets to appear to a public network as though they are of a public nature when they are actually private data packets, allowing them to pass through unnoticed. Data is broken into small pieces called packets as it moves along the tunnel for transport. As the packets move through the tunnel, the encapsulation process occurs to encrypt the data. The private network data and the protocol information that goes with it are encapsulated in public network transmission units for sending. These units look like public data, allowing them to be transmitted across the Internet. When a host transmits data to another device across a network, the data is encapsulated with protocol information at each OSI reference model layer. Each layer communicates with its neighbour layer on the destination, and each layer uses Protocol Data Units (PDUs) to communicate and exchange information.

Why Use Tunnelling?

Tunnelling is a way for communication to be conducted over a private network whilst being tunnelled through a public network. This is particularly useful in the corporate environment, offering security features such as encryption options. The other main advantage of tunnelling is that it can send unsupported protocols through many different kinds of networks. The data that gets ‘tunnelled’ adds to the size of a packet, which results in less data being transferred per packet, which has clear bandwidth benefits.

Tunnelling Protocols

There are several protocols that can be used specifically with VPN tunnels. Below you will find three of the most common protocols used, with a brief description of their capabilities. These protocols are generally incompatible with each other.

Point-to-Point Tunnelling Protocol (PPTP)

This protocol keeps proprietary data secure even when it is being sent over public networks. Authorized users are able to access a private network, called a virtual private network, that is provided by your Internet service provider. This is a private network in the "virtual" sense because it’s being created in a tunnelled environment.

The advantages of PPTP are that it’s widely available and easy to set up. One major advantage for small companies is that PPTP is much more cost effective and doesn’t require the same amount of special hardware as other protocols do. The protocol requires very little bandwidth to operate, which means more users can have a connection without a slowdown of transmission. PPTP supports a variety of security measures including authentication, encryption and the ability to filter packets. The protocol’s one major disadvantage is that connections can be vulnerable to attack or hijacking because the control messages that it sends are not encrypted. Security is the main disadvantage of this protocol and it remains one of the weakest of the virtual private network (VPN) protocols. There are other protocols like L2TP and IPsec, but these are not as user-friendly or cost efficient.
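To make the point about unencrypted control messages concrete, the following added example (not part of the original essay) builds and parses a PPTP Start-Control-Connection-Request as it would be read off the control connection. The field layout is assumed to follow RFC 2637; the host name and vendor string are constructed sample values.

```python
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
# Start-Control-Connection-Request layout assumed from RFC 2637:
# length, message type, magic cookie, control type, reserved0, version,
# reserved1, framing caps, bearer caps, max channels, firmware,
# host name (64 bytes), vendor string (64 bytes). Big-endian, 156 bytes.
SCCRQ = struct.Struct("!HHIHHHHIIHH64s64s")


def build_sccrq(host, vendor):
    """Build a constructed request; struct pads the two names with NULs."""
    return SCCRQ.pack(SCCRQ.size, 1, PPTP_MAGIC_COOKIE, 1, 0,
                      0x0100, 0, 1, 1, 0, 0, host, vendor)


def parse_sccrq(data):
    """Parse the request exactly as any observer of the TCP stream could."""
    if len(data) < SCCRQ.size:
        raise ValueError("truncated control message")
    (length, msg_type, cookie, ctrl_type, _r0, version, _r1,
     framing, bearer, max_channels, firmware, host, vendor) = \
        SCCRQ.unpack(data[:SCCRQ.size])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not PPTP or stream out of sync")
    if (msg_type, ctrl_type) != (1, 1):
        raise ValueError("not a Start-Control-Connection-Request")
    return {
        "length": length,
        "version": f"{version >> 8}.{version & 0xFF}",
        "framing_caps": framing,
        "bearer_caps": bearer,
        "host_name": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real capture.
    msg = build_sccrq(b"branch-laptop-07", b"Example PPTP Client")
    for field, value in parse_sccrq(msg).items():
        print(f"{field:13} {value}")
```

Nothing in the message needs a key to read, which is why monitoring and access control on the control connection matter when PPTP cannot be retired.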

Layer Two Tunnelling (L2TP) Protocol

The Layer Two Tunnelling Protocol was developed by Cisco and is an extension of the Point-to-Point protocol (PPTP) that enables ISPs to provide a virtual private network (VPN) operation over the Internet. As the name suggests, this protocol operates in Layer 2 of the OSI reference model. The protocol merges the best features from the PPTP protocol that was developed by Microsoft and the L2F protocol that was also developed by Cisco. PPTP and L2F give you the ability to use any authentication method that you would normally use with PPP, including PAP and CHAP, i.e. whatever authentication protocols both the client and server support. L2TP gives you the best features of PPTP and L2F connections. You can use L2TP in situations where you might use the PPTP or L2F protocols, and you can use the same authentication protocols as the others, which again include PAP, CHAP, and MS-CHAP. IPsec is the protocol recommended for encryption for L2TP. L2TP gives you 168-bit encryption and requires two levels of authentication, which makes it more powerful than PPTP, which uses 128-bit encryption.

As previously mentioned, one advantage of L2TP is that it uses IPsec to get 168-bit encryption, which not only provides great encryption of data but also gives you more security benefits than PPTP. L2TP offers data integrity and data origin authentication. One other big advantage the protocol has is the use of UDP for data encapsulation, making it faster and easier to set up with firewalls. L2TP encapsulates data twice, which can give the protocol a slight disadvantage in speed. The main disadvantage is that it takes a lot of configuration to set up, including computer certificates. If you are using Microsoft Server 2008 or Vista then you may be required to go into the registry to make changes before you can use L2TP, depending on how your network’s Network Address Translation is set up.

Generic Routing Protocol (GRE)

The GRE protocol, developed by Cisco, encapsulates packets so they can route other protocols through IP networks. Essentially, GRE gives you a private point-to-point connection like a virtual private network. GRE encapsulates a payload (an inner packet that needs to be delivered to a network) inside an outer IP packet. The tunnelling endpoints send the payload along GRE tunnels by routing the packets through IP networks. Routers along the network path do not analyse the inner packet, just the outer packet as it gets forwarded towards the tunnel endpoint. Once the packet reaches its destination, the GRE encapsulation is removed and the payload gets forwarded to its final destination.

GRE tunnelling can handle multicast and IPv6 data between networks. Here are a few other advantages the protocol has:

Multiple protocols can be encased over a single protocol backbone

Workarounds for networks with limited hops

Allows VPNs across a WAN (wide area network)

The GRE protocol’s main disadvantage is security. The protocol is not considered to be secure, as it does not implement encryption.
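The encapsulation and the missing encryption described in this section can be seen in a few lines of code. This is an added example, not part of the original essay: it wraps a constructed inner packet in a basic GRE header (layout assumed from RFC 2784, optional fields from RFC 2890) and shows what a transit router reads, what the far endpoint recovers, and that the payload stays readable on the wire. All addresses and payload bytes are constructed.

```python
import socket
import struct

IPPROTO_GRE = 47          # IP protocol number for GRE
IPPROTO_UDP = 17
GRE_PROTO_IPV4 = 0x0800   # GRE Protocol Type: payload is an IPv4 packet

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Prefix the inner packet with a basic GRE header and an outer IPv4 header."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # no optional fields, version 0
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE,
                       len(gre) + len(inner)) + gre + inner

def transit_view(packet):
    """What a router on the path reads: outer addresses and protocol only."""
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9])

def gre_decapsulate(packet):
    """Strip the outer IPv4 and GRE headers, as the far tunnel endpoint does."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet does not carry GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):   # checksum, key, sequence number
        if flags & bit:
            offset += 4
    return proto, packet[offset:]

def build_sample():
    """Constructed sample: a UDP datagram between two private hosts."""
    app = b"constructed cleartext application data"
    udp = struct.pack("!HHHH", 40000, 514, 8 + len(app), 0) + app
    inner = ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_UDP, len(udp)) + udp
    outer = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    return inner, outer

if __name__ == "__main__":
    inner, outer = build_sample()
    print("router sees:", transit_view(outer))
    proto, recovered = gre_decapsulate(outer)
    print("endpoint recovers inner packet:", recovered == inner)
    print("payload readable on the wire:", b"cleartext" in outer)
```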

Secure Socket Tunnelling Protocol (SSTP)

In terms of security, SSTP is undoubtedly the best VPN tunnelling protocol. SSTP uses port 443, the same as Secure Socket Layer (SSL) transmissions. This protocol has improved on some of the weaknesses that the PPTP and L2TP protocols have. The protocol can allow users to bypass security features such as firewalls and web proxies without having to worry about port blocking. The protocol is by definition an application layer protocol. It was designed to deliver a synchronous communication between two programs. SSTP allows for many application endpoints over a single network connection, which enables efficient usage of communication resources to that network. As well as being a great protocol for users who face privacy and security issues, the protocol can even access blocked sites in countries where internet censoring is a state policy. SSTP basically works using HTTPS sessions. For a government to block this kind of connection, it would also be required to block thousands of giant websites, all of which run HTTPS. This is why you don’t have to worry about data being blocked when using an SSTP VPN.

SSTP has some clear advantages, but there is one major disadvantage. The protocol was created by Microsoft and only works on Windows Vista and Windows 7. As the protocol is proprietary to Microsoft, there are no plans for it to work on Mac, Linux or even older versions of Windows.

Point-to-Point Protocol (PPP)

This protocol is used for communication between two computers using a serial interface. This is typically a PC connected to a server via a phone line. Your ISP could provide you with a PPP connection so that their server can respond to your requests, pass them on to the Internet and forward the Internet responses back to you using the Internet Service Protocol (IP). "PPP provides layer 2 (data-link layer) services. Essentially, it packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet." http://www.worldnet-long-distance.com/advantages-pptp/. PPP works by sending request packets and waiting for acknowledgments that are either accepted or rejected. The protocol also performs the following tasks:

Checks the quality of the phone line

Checks for user authentication

Provides the end user with an IP address

Acknowledges to one party that the other is closing the connection

One major advantage to this protocol is that it provides error checking to make sure frames are sent and received. The protocol also supports authentication. This is used to confirm the identity of users or equipment at both ends of the connection.




