The Role Of Tunnelling Protocols


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Tunnelling Protocols

Report Document

University of the West of Scotland

B00236534

The purpose of this report is to offer the reader an overview of why tunnelling protocols have been developed and used within the computer networking communications environment. The task is to identify types of protocols and clarify why they are in use.

Introduction

Tunnelling protocols are widely used within computer networking; tunnelling is a method for the transportation and delivery of secure data. The tunnelling process encapsulates protocols within separate protocols, or delivery protocols, and serves as a secure point-to-point passage across the network infrastructure. All networks use tunnelling protocols in some form or another, and there are three main entities involved in this process: a delivery protocol, a protocol to encapsulate the payload, and the actual data.

The Role of Tunnelling Protocols

Constant development of tunnelling protocols is a necessity in today's networking environment and is an on-going process. There are various reasons to use the tunnelling process in networking, such as sending unsupported or non-routable protocols like NetBEUI. It can also be used for transporting older protocols such as IPX, which is routable and can still be used to support legacy applications within a network. Building specific IPX support into the routing core is time wasting and expensive, so tunnelling solves this situation.

Lab environments require tunnelling techniques, such as imitating a different topology or network approach, where it would be essential to tunnel test data over a company or production network to ensure any glitches or complications can be addressed. This will be especially useful during the transition to IPv6, where it will also be essential to use tunnelling for communication between isolated IPv6 networks over IPv4 infrastructures. Tunnelling can be implemented to solve architectural problems within a network, especially with dynamic routing protocols such as OSPF, where it is possible to create virtual links between routers; this offers a solution when trying to connect fragmented areas within the network.

Virtual Private Network (VPN)

Businesses continually expanding globally have created a common need for tunnelling protocols, as it has become a necessity to allow the user access to resources in private networks from remote locations, and VPN tunnelling makes this possible. There are certain types of VPN tunnelling technology to consider for any business, including Voluntary tunnelling, where the client is relied upon to set up and manage the VPN connection, and Compulsory tunnelling, which leaves the VPN service provider to configure the set-up process and to maintain security. There are prominent protocols used for connection which allow a VPN session to begin and continue; these include PPTP, L2TP, IPsec and SSTP as examples. Although many of the separate protocols have incompatibilities, it is possible to layer certain types to produce connection flexibility and improved security for the delivery of data.

Types of Tunnelling Protocols

Generic Routing Encapsulation (GRE)

GRE is a tunnelling protocol which encapsulates a packet with the intention of routing a payload packet over an IP network, which results in a point-to-point connection at layer 3, the network layer of the OSI model. Generic routing encapsulation essentially wraps the payload in a delivery IP packet. All routers on its journey analyse the outer IP packet, and on arrival at the end point the generic routing encapsulation is removed and the payload progresses to its intended destination.
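
Added example (not part of the original essay): a minimal Python sketch of the GRE wrapping described above, using the basic 4-byte GRE header with no optional fields. The addresses, the inner protocol number and the payload bytes are constructed sample values; the sketch shows that the payload packet travels unencrypted inside the delivery packet.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64)."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Delivery IP header + GRE header (no flags, version 0) + payload packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes) -> bytes:
    """Tunnel end point: check the outer header, strip it and the GRE header."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("only basic GRE carrying IPv4 is handled here")
    return packet[ihl + 4:]

# Constructed sample: a private-network packet sent between two tunnel end points.
DATA = b"user=alice"
INNER = ipv4_header("10.0.0.5", "10.0.1.9", 253, len(DATA)) + DATA  # 253 = experimental
TUNNELLED = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.7")

if __name__ == "__main__":
    print("encapsulation overhead (bytes):", len(TUNNELLED) - len(INNER))
    print("payload readable in transit:", DATA in TUNNELLED)
    print("decapsulated intact:", gre_decapsulate(TUNNELLED) == INNER)
```

Routers between the end points act on the outer addresses only, but anything that captures the delivery packet can read both the inner addresses and the data, which is why GRE is normally paired with a protocol that adds encryption.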

Point-to-Point Tunnelling Protocol (PPTP)

The point-to-point tunnelling protocol has evolved from earlier protocols such as GRE and Point-to-Point (PPP), and was developed for the remote user to gain secure access to a private network via the internet. It functions by encapsulating IP packets within a GRE header and an added IP header that provides the source and destination addresses; it then utilises the PPP encryption method for a level of security. The PPTP process is based on the PPTP client connecting to a Network Access Server (NAS); once the connection has been established, the NAS connects to a PPTP server via an unsecured network, probably the Internet, and this creates the tunnel for communication between the client and the PPTP server on TCP port 1723.

L2TP/IPsec

Layer Two Tunnelling Protocol (L2TP)

This protocol is an updated product of two previous tunnelling protocols, Point-to-Point Tunnelling (PPTP) and Layer 2 Forwarding (L2F), where the advantages of both are combined to produce a separate protocol in its own right. L2TP is used within the Virtual Private Network (VPN), enabling remote users to securely access a private network using tunnelling techniques. To produce security, encapsulation is created in two layers. The first layer uses an IP datagram, such as PPTP, with an L2TP header and a User Datagram Protocol (UDP) header also added to the datagram. The second layer uses certain security protocols, such as IP security (IPsec), which is often used for the security of L2TP packets. All of these protocols working in relationship make for an improved form of communication, with IPsec offering authentication and encryption for the packets.

Internet Protocol Security (IPsec)

IPsec is both a security and an encapsulation protocol, and protects Internet Protocol (IP) packets using authentication and encryption at the network level. It can operate in two separate modes: transport mode and tunnel mode. Transport mode secures all deliveries from the transport layer to the network layer only, whereas tunnel mode, which is used for securing the full IP packet, works by encapsulating the full packet and then adding an extra IP header with security information such as an Authentication Header (AH) or Encapsulating Security Payload (ESP).

SSTP/ SSL/ TLS

Secure Socket Tunnelling Protocol (SSTP)

SSTP utilises the HTTPS protocol for data transfer and is one of the latest protocols in use; it is considered by many to be the most secure for VPN connections. This protocol encapsulates only point-to-point traffic and is used to transport data-link frames on Hypertext Transfer Protocol (HTTP) over Secure Sockets Layer (SSL), resulting in an HTTPS connection. Obtaining a VPN connection through SSTP/SSL involves:

The SSTP client establishing a TCP connection to the SSTP server, asking to begin an SSL session with the server.

The client will then receive a computer certificate from the server for validation.

The computer certificate is validated, and the client generates the SSL session key and uses encryption to send both the SSL key and the public key from the computer certificate back to the server.

The server decrypts the SSL session key with the private key from the computer certificate, and all resulting communication and encryption methods are determined.

The client sends an HTTP request to the server to negotiate the SSTP tunnel link.

The authenticated Point-to-Point connection is established.

Communication begins, and the client can now start sending data over the Point-to-Point link.

SSTP creates an encrypted tunnel by using the SSL protocol, with SSL accommodating authentication techniques and security essentials such as encryption and packet integrity. The two protocols working in tandem produce a secure way to transport and deliver data.

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

The aim of SSL is to produce private and reliable communication, and it is still widely used, but technology always moves forward and this has resulted in a successor to SSL, known as Transport Layer Security (TLS). Both protocols are very similar, but TLS is a progression of the SSL protocol and minor technical differences have occurred: for example, TLS uses stronger encryption and is capable of working on different ports from SSL, which uses TCP port 443. Both have the same objective, as both are client-to-server encryption protocols which use a form of key exchange for encryption and authentication coding to produce data integrity: "The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications" (Dierks, 2008). Two layers make up this protocol: the TLS Record Protocol, which negotiates a reliable communication link, and the TLS Handshake Protocol, which allows communication to commence and also applies authentication and encryption.

Conclusion

When choosing between protocols many factors must be considered, because although the newer protocols are usually the most proficient, the protocols which are becoming outdated cannot be totally abandoned due to older technology still being in use. All tunnelling protocols have both advantages and drawbacks.

Advantages

The advantages of this protocol are that it can tunnel over wide area networks, that generic routing encapsulation allows multicast traffic through the tunnel, and that it supports dynamic routing; it also offers advantages such as being a vessel for other routed protocols.

Disadvantages

Although generic routing encapsulation is in general a private connection, security is a factor, as no encryption such as IP security (IPsec) or Encapsulating Security Payload (ESP) is added. Also, although GRE is a standard method of encapsulating IP packets, many Internet service providers (ISPs) drop these packets, resulting in lost data.

Advantages

A distinct advantage PPTP holds is its simpler configuration and set-up compared to a protocol such as L2TP. Data is encrypted by PPP, which negates any need for IPsec, and this in turn nullifies any need for a Public Key Infrastructure (PKI) or computer certificates for the VPN server or client.

Disadvantages

This protocol's main disadvantage is low-level security from not using IPsec, resulting in data integrity and origin verification problems, as there would be no means to verify that data has not been modified in transit or that it was definitely sent by an authorized source.

PPTP could be useful for small businesses that have fewer financial resources and don't require as much emphasis on security, as it is cost effective compared to other protocols such as L2TP, with less specialized hardware required to build a company VPN.

Advantages

By using IPsec, L2TP encrypts the data with additional security, such as integrity and encrypted authentication of the data. Further, using UDP for encapsulation offers an increase in speed and can be configuration friendly for certain firewalls.

Disadvantages

The biggest drawback of L2TP is the volume of configuration required to set it up and the complexity of the process, which involves a public key infrastructure and computer certificates. Because L2TP/IPsec encapsulates data twice, this could also result in slower speeds.

L2TP is the method that could be chosen by companies where security is essential but where older operating systems that are not compatible with protocols such as SSTP are still in use within their infrastructure.

Advantages

SSTP over SSL/TLS significantly aids VPN tunnel creation: it allows traffic to navigate through web proxies and greatly improves firewall passing, which can be a problem for other protocols such as PPTP and L2TP/IPsec. By allowing the use of advanced security protocols such as SSL/TLS, the SSTP VPN connection provides full confidentiality, integrity, and authentication of data to a higher level than even IPsec.

Disadvantages

SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1), Windows Server 2008, and later versions of Windows; therefore, a different protocol must be applied for connection to older technology which is still being used.

SSTP could be the solution to companies with global interests as this technology could allow communication between companies with either no VPN in place or in countries where VPN technology is blocked.

To date, no form of electronic communication offers total security, and the advanced eavesdropper can hold the ability to influence communication and should be held in high regard.


