The Reasons For Tunnelling Computer Science Essay


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.


Introduction

This report will outline the reasons why tunnelling is used and describe two of the most commonly used tunnelling protocols. This report aims to inform why they have been developed and why one might be preferred over the other.

In this report, I will be mainly focusing on

The main aim of this report is to present information on the following areas:

Explain network tunnelling

Briefly describe the reasons for tunnelling

Explain two tunnelling protocols

Compare the strengths and weaknesses of the two tunnelling protocols

Network Tunneling

Tunnelling allows one network to send its data through another network's connections; for example the internet. Tunnels are used to create a safe and secure network connection between a private network and a remote host. This enables a remote user to gain access to resources on their private network.

It does this by using tunnelling protocols: a packet based on one protocol is encapsulated in a second packet based on whatever protocol is needed for it to travel through the intermediary network. In effect, the second wrapper ‘insulates’ the original packet and creates the illusion of a tunnel. Tunnelling technology can be implemented using a Layer 2 or Layer 3 tunnelling protocol.

In real-life terms, tunnelling can be compared to ‘encapsulating’ a present (the original packet) in a box (the second wrapper) for delivery through the postal service.

Reasons for Tunnelling

PPTP eliminates the need for expensive, leased-line or private enterprise-dedicated communication servers because you can use PPTP over PSTN lines. PPTP simplifies and reduces the cost of deploying an enterprise-wide, remote access solution for remote or mobile users because it provides secure and encrypted communications over public telephone lines and the Internet.

Tunnelling Protocols

Point To Point Tunnelling Protocol

The Point to Point Tunneling Protocol (PPTP) is a protocol that is used to tunnel Point to Point Protocol (PPP) connections through an IP network, creating a Virtual Private Network (VPN).

PPTP was developed by the PPTP Forum, a group of companies that included Microsoft, Ascend, US Robotics and 3Com. PPTP is one of the most commonly implemented tunnelling protocols, mainly because it is supported by Windows clients and is fairly simple to configure and maintain. PPTP can provide on-demand, multi-protocol support for VPNs over public networks such as the Internet.

(King, 27/2/2013)

Authentication protocols

PPTP is an expansion of the Point-to-Point Protocol (PPP, RFC 1661). PPTP works at the data link layer of the OSI model. The authentication process used by PPTP is identical to that of PPP. PPP has four main authentication protocols, which are:

Password Authentication Protocol (PAP, RFC 1334). This allows for clear text authentication of a username and password. It is not a secure protocol, because if PAP packets are captured between the server and remote clients, it would be possible to recover the remote user’s password. It is also vulnerable to replay attacks.

Challenge Handshake Authentication Protocol (CHAP, RFC 1994). This is a more secure authentication protocol than PAP. It works by ensuring that both the server and user know the plain text of the secret, even though it’s never sent over the link. The process is carried out when the initial link is created and at regular intervals during the connection to verify the identity of the remote user. It’s also known as a three-way handshake.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP, RFC 2433). This is a Microsoft extension of CHAP. It follows the three-way handshake method like CHAP. MS-CHAP works by ensuring that the server stores a digital signature of the user instead of their password. This allows for a greater level of security.

MS-CHAPv2 (RFC 2759). Microsoft developed an enhanced version of MS-CHAP. The authentication process was revised so that each network device has to authenticate to the other. This method creates two unidirectional data pipes, and a different encryption key is used for each direction of the connection between the devices.
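The CHAP three-way handshake described above, as an added example that is not part of the original essay. It follows the RFC 1994 response calculation, MD5(Identifier || secret || Challenge); the class name, user name and shared secret are constructed for illustration. It shows that the secret never crosses the link and that a captured response is rejected when replayed against a later challenge, which is the property PAP lacks.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapAuthenticator:
    """Server side: issues a fresh challenge and checks the peer's response."""

    def __init__(self, secrets: dict):
        self.secrets = secrets       # name -> shared secret (constructed data)
        self.identifier = 0
        self.outstanding = None      # (identifier, challenge) awaiting a response

    def challenge(self):
        """Message 1 (Challenge): new Identifier and random value every time."""
        self.identifier = (self.identifier + 1) % 256
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Message 3 (Success or Failure): recompute the hash and compare."""
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        ident, chal = self.outstanding
        self.outstanding = None      # each challenge is good for one attempt
        secret = self.secrets.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)

def run_exchange():
    """Returns (first login ok, replayed response ok, secret seen on the wire)."""
    secret = b"constructed-shared-secret"
    server = ChapAuthenticator({"alice": secret})
    ident, chal = server.challenge()               # 1. Challenge
    resp = chap_response(ident, secret, chal)      # 2. Response (peer side)
    wire = bytes([ident]) + chal + resp            # all that an observer captures
    first = server.verify("alice", ident, resp)    # 3. Success
    ident2, _ = server.challenge()                 # periodic re-authentication
    replay = server.verify("alice", ident2, resp)  # old response, new challenge
    return first, replay, secret in wire
```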

PPTP itself provides no encryption, as it only establishes the tunnel. The encryption technology used with PPTP is the Microsoft Point to Point Encryption (MPPE) protocol (RFC 3078). MPPE uses the RC4 algorithm and at present supports 40-bit, 56-bit and 128-bit session keys.

(Kory Hamzeh,Gurdeep Singh Pall,William Verthein,Jeff Taarud,W. Andrew Little,Glen Zorn, 1999-07) (Gurdeep Singh Pall and Glen Zorn, 2001-03)

PPTP has relatively low overhead, making it faster than some other VPN methods.

Figure: Structure of a PPTP Packet Containing an IP Datagram

Security issues were highlighted in PPTP; these vulnerabilities have been rectified, and you can now combine it with EAP to enhance it to require certificates.

One advantage of using PPTP is that there is no requirement for a certificate infrastructure. However, EAP does use digital certificates for mutual authentication (both client and server) and higher security.

PPTP consists of 3 main parts:

The control connection, which runs over TCP (port 1723)

The main data packets which are encapsulated using GRE and routed through the IP tunnel

The main IP tunnel used for routing the packets which are encapsulated by GRE

How it works: A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE (Generic Routing Encapsulation) tunnel to the same peer.
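The two channels described above, as an added example that is not part of the original essay: a parser for the control-connection message header carried on TCP port 1723 and for the enhanced GRE header (IP protocol 47) that carries the PPP frames, using the field layout of the PPTP specification (RFC 2637). The sample byte strings are constructed, and the function names are illustrative. A firewall or sensor that handles only the TCP side sees the tunnel being set up but none of its data.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D    # magic cookie defined in RFC 2637
GRE_PROTO_PPP = 0x880B     # GRE protocol type used when the payload is PPP

def parse_control(tcp_payload: bytes) -> dict:
    """Header of a control-connection message (TCP port 1723)."""
    if len(tcp_payload) < 12:
        raise ValueError("truncated PPTP control header")
    length, msg_type, magic, ctrl_type, _reserved = struct.unpack(
        "!HHIHH", tcp_payload[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("magic cookie mismatch: not a PPTP control message")
    if length < 12 or length > len(tcp_payload):
        raise ValueError("length field does not fit the captured data")
    return {"length": length, "message_type": msg_type, "control_type": ctrl_type}

def parse_data(ip_payload: bytes) -> dict:
    """Enhanced GRE header (IP protocol 47) wrapping one PPP frame."""
    if len(ip_payload) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, proto, payload_len, call_id = struct.unpack(
        "!BBHHH", ip_payload[:8])
    # PPTP uses GRE version 1 with the key field (length + call ID) present.
    if (ver & 0x07) != 1 or proto != GRE_PROTO_PPP or not flags & 0x20:
        raise ValueError("not PPTP-style GRE")
    has_seq, has_ack = bool(flags & 0x10), bool(ver & 0x80)
    offset = 8 + 4 * has_seq + 4 * has_ack
    if len(ip_payload) < offset + payload_len:
        raise ValueError("truncated GRE payload")
    seq = struct.unpack_from("!I", ip_payload, 8)[0] if has_seq else None
    ack = struct.unpack_from("!I", ip_payload, offset - 4)[0] if has_ack else None
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp": ip_payload[offset:offset + payload_len]}

# Constructed sample: Start-Control-Connection-Request (control type 1),
# 156 bytes long, with the body after the header zero-filled.
SAMPLE_CONTROL = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0) + bytes(144)
# Constructed sample: GRE with sequence and acknowledgement numbers, call ID 7,
# carrying the first four bytes of a PPP LCP frame (ff 03 c0 21).
SAMPLE_DATA = struct.pack("!BBHHHII", 0x30, 0x81, GRE_PROTO_PPP, 4, 7, 1, 0) \
    + b"\xff\x03\xc0\x21"
```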

Layer 2 Tunnelling Protocol

Layer 2 Tunneling Protocol (L2TP) is a protocol used to tunnel data communications traffic between two sites over the Internet. L2TP is often used in tandem with IPSec (which acts as a security layer) to secure the transfer of L2TP data packets over the Internet. Unlike PPTP, a VPN implementation using L2TP/IPSec requires a shared key or the use of certificates.

The Layer 2 Tunnelling Protocol (L2TP) was developed in cooperation between Cisco and Microsoft to combine features of PPTP with those of Cisco’s proprietary Layer 2 Forwarding (L2F) protocol. L2TP supports non-TCP/IP clients and protocols (such as Frame Relay, ATM and SONET).

L2TP does not provide any encryption or confidentiality by itself. It relies on an encryption protocol that it passes within the tunnel to provide privacy. Nowadays L2TP connections do not negotiate the use of PPP encryption through Microsoft Point-to-Point Encryption (MPPE). Instead, encryption is provided through the use of the Internet Protocol security (IPSec) Encapsulating Security Payload (ESP) header and trailer. It is also important to note that IPsec is more resource intensive than PPTP, hence the overhead with an L2TP solution is higher than PPTP.

Figure: Structure of an L2TP Packet Containing an IP Datagram

Port: 1701 UDP

User Authentication Protocol: EAP-TLS or MS-CHAP v2

* In addition to providing computer-level authentication, IPSec provides end-to-end encryption for data that passes between the sending and receiving nodes.

Encryption: IPSec

Encryption Strength: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3DES encryption algorithms

Strengths And Weaknesses Of PPTP and L2TP

Both PPTP and L2TP have advantages and disadvantages:

PPTP can only run on top of IP networks, whereas L2TP can use other protocols such as Internetwork Packet Exchange (IPX) and Systems Network Architecture (SNA).

PPTP does not support dial-in authentication protocols such as Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control Systems (TACACS+), whereas L2TP does.

PPTP is an encryption protocol, whereas L2TP is not, so it lacks security.

L2TP vs PPTP

L2TP/IPSec and PPTP are similar in the following ways:

provide a logical transport mechanism to send PPP payloads;

provide tunneling or encapsulation so that PPP payloads based on any protocol can be sent across an IP network;

rely on the PPP connection process to perform user authentication and protocol configuration.

Some facts about PPTP:

+ PPTP is easy to deploy

+ PPTP uses TCP; this reliable transport allows lost packets to be retransmitted

+ PPTP support

– PPTP is less secure, with MPPE (up to 128-bit)

– data encryption begins after the PPP connection process (and, therefore, PPP authentication) is completed

– PPTP connections require only user-level authentication through a PPP-based authentication protocol

Some facts about L2TP(over IPsec):

+ L2TP/IPSec data encryption begins before the PPP connection process

+ L2TP/IPSec connections use AES (up to 256-bit) or DES (up to three 56-bit keys)

+ L2TP/IPSec connections provide stronger authentication by requiring both computer-level authentication through certificates and user-level authentication through a PPP authentication protocol

+ L2TP uses UDP. It is faster but less reliable, because it does not retransmit lost packets, and is commonly used in real-time Internet communications

+ L2TP is more "firewall friendly" than PPTP, a crucial advantage for an extranet protocol because most firewalls do not support GRE

– L2TP requires a certificate infrastructure for issuing computer certificates

There’s no clear winner, but PPTP is older, more light-weight, works in most cases and clients are readily pre-installed, giving it an advantage in normally being very easy to deploy and configure (without EAP).


Advantages & Disadvantages

A VPN is an inexpensive, effective way of building a private network. The use of the Internet as the main communications channel between sites is a cost-effective alternative to expensive leased private lines. The costs to a corporation include the network authentication hardware and software used to authenticate users and any additional mechanisms such as authentication tokens or other secure devices. The relative ease, speed, and flexibility of VPN provisioning in comparison to leased lines makes VPNs an ideal choice for corporations that require flexibility. For example, a company can adjust the number of sites in the VPN according to changing requirements.

There are several potential disadvantages with VPN use. The lack of Quality of Service (QoS) management over the Internet can cause packet loss and other performance issues. Adverse network conditions that occur outside of the private network are beyond the control of the VPN administrator. For this reason, many large corporations pay for the use of trusted VPNs that use a private network to guarantee QoS. Vendor interoperability is another potential disadvantage, as VPN technologies from one vendor may not be compatible with VPN technologies from another vendor. Neither of these disadvantages has prevented the widespread acceptance and deployment of VPN technology.


