Weaknesses Of The Two Tunnelling Protocols Computer Science Essay

Published Date: 02 Nov 2017

Introduction

This report will outline the reasons why tunnelling is used and describe two of the most commonly used tunnelling protocols. This report aims to inform why they have been developed and why one might be preferred over the other.

In this report, I will be mainly focusing on

Explain network tunnelling

Briefly describe the reasons for tunnelling

Explain two tunnelling protocols

Compare the strengths and weaknesses of the two tunnelling protocols

Network Tunnelling

Tunnelling allows one network to send its data through another network's connections; for example the internet. Tunnels are used to create a safe and secure network connection between a private network and a remote host. This enables a remote user to gain access to resources on their private network.

inbe02

It does this by using tunnelling protocols; this is where a packet based on one protocol is encapsulated in a second packet based on whatever protocol is required to allow it to propagate through the intermediary network. In effect the, the second wrapper ‘insulates’ the original packet and gives the illusion of a tunnel. Tunnelling technology can be implemented using a Layer 2 or Layer 3 tunnelling protocol.

In real life term, tunnelling is compared to ‘encapsulating’ a present (original packet) in a box (second wrapper) for delivery through the postal service.

Reasons for Tunnelling

There are many reasons why an organization may choose to implement a network tunnel. A few examples are listed below.

Lower communications cost: as it eradicates the need for expensive leased lines because tunnels can operate on Public switched telephone network (PSTN) lines .It will significantly reduce the number of national and international calls.

Lower administration: network administrators need only manage and secure their remote access servers. They only have to manage only user accounts and don’t need to worry about supporting complex hardware configurations

Improves organization efficiency: many employees are field based or work from home. Having the ability to access the company’s server for resources is a great convenience and productivity improvement.

Improves Security: The use of authentication and encryption protocols helps to protect the data that is transmitted through the tunnel.

.

Tunnelling Protocols

Point To Point Tunnelling Protocol

The Point to Point Tunnelling Protocol (PPTP) is a protocol that is used to tunnel Point to Point Protocol (PPP) connections inside an IP network, creating a Virtual Private Network (VPN)

PPTP was developed by PPTP Forum, This was a group of companies that included Microsoft; Ascend, US Robotics and. 3Com.PPTP is one of the most commonly implemented tunnelling protocols. This is mainly due to the fact that it’s supported by windows clients and it’s fairly simple to configure and maintain. PPTP has the capacity to provide on demand, multi protocol for VPNs utilizing public networks for example, the Internet.

Cc751470.xns_k03(en-us,TechNet.10).gif

(King, 27/2/2013)

Authentication protocols

PPTP is an expansion of the Point-to-Point protocol (PPP) RFC 1661. PPTP works at the datalink layer of the OSI model. The authentication process used by PPTP is identical to PPP. PPP has four main authentication protocols which are:

Password Authentication Protocol (PAP) RFC1334 this allows for clear text authentication of a username and password. It is not a secure protocol due to the fact that if PAP packets are captured by a between server and remote clients, it would be possible to figure out remote user’s password. It also vulnerable to reply attacks.

Challenge Handshake Authentication Protocol (CHAP) RFC1994 is a more secure authentication protocol than PAP. It works by ensuring that both the server and user know the plain text of the secret, even though it’s never sent over the link. The process is carried out when the initial link is created and at regular intervals during the connection to verify the identity of the remote user. It’s also known as a three way handshake.

Microsoft Challenge Handshake Authentication Protocol (MS CHAP) RFC 2433. This is a Microsoft extension of CHAP. It follows the three way handshake method like CHAP.MS CHAP works by ensuring that the server stores a digital signature of the user instead of their password. This allows for greater level of security.

MS-CHAPv2. v2 RFC 2759 Microsoft developed an enhanced version of MS-CHAP. The encryption authentication process was revised, where each network device has to authenticate to each other. This method creates two unidirectional data pipes. Through these pipes a different encryption key is used for each connection between the devices.

(Kory Hamzeh,Gurdeep Singh Pall,William Verthein,Jeff Taarud,W. Andrew Little,Glen Zorn, 1999-07) (Gurdeep Singh Pall and Glen Zorn, 2001-03)

Encryption Protocols

There is no encryption with PPTP as it only establishes the tunnel. The encryption technology used by PPTP is Microsoft Point to Point Encryption (MPPE) protocol RFC 3078.MPPE uses the RSA RC4 algorithm and at the present time supports 40-bit, 56-bit and 128-bit session keys.

Diagram of a PPTP Containing an IP DatagramStructure of PPTP Packet Containing IP Datagram

The PPTP consist of 3 main parts:

Control Connection that runs over the TCP (port 1723)

The main data packets which are encapsulated using GRE and routed through the IP tunnel

The main IP tunnel used for routing the packets which are encapsulated by GRE

Layer 2 Tunnelling Protocol

Layer 2 Tunnelling Protocol (L2TP) RFC 2661 is a protocol used to tunnel data traffic between two points using the Internet.  L2TP was developed by Microsoft and Cisco to combine features of PPTP with that of Cisco’s Layer 2 Forwarding (L2F) protocol RFC2341.L2TP is capable of supporting non-TCP/IP clients and protocols for example Frame Relay and Asynchronous Transfer Mode (ATM). L2TP is similar to PPTP as it works at the datalink layer of the OSI model and encapsulates the data into PPP frames and transmits these across the connection. To maintain the tunnel and user data L2TP uses UDP for encapsulation. An added security feature of L2TP it can be put in the payload of an internet protocol security (IPSec) packet. This combination is sometimes known as L2TP over IPSec or L2TP/IPSec RFC 3193.

Authentication protocols

L2TP uses the same authentication protocols as PPTP, for example.

CHAP

MS-CHAP v2

L2TP can also use IPSec for authentication. This has two stages of authentication.

Device level authentication: By using pre shared keys or certificates for IPSec sessions

User authentication: A PPP authentication protocol is used for the L2TP tunnel.

IPSec is capable of providing end to end encryption for data that is transmitted between the sending and receiving devices.

Encryption Protocols

There is no encryption provided by L2TP it relies on a separate encryption protocol inside the tunnel to ensure data security. To encrypt the data in the tunnels L2TP can use MPPE or IPSec Encryption Strength: Advanced Encryption Standard (AES) 256, AES 192, AES 128, and 3 DES encryption algorithms

Diagram of L2TP Packet Containing an IP Datagram

Structure of L2TP Packet Containing an IP Datagram

Internet Protocol Security

Internet protocol security (IPSec) RFC 2401 IPSec is a set of IP extensions developed by Internet Engineering Task Force (IETF) that works at the network layer of the OSI model. This provides the current IPv.4 and IPv.6 standard with a compatible security service. IPSec is capable of securing any protocols that runs on top of IP, for example TCP and UDP. IPSec provides cryptographic security services which allows for authentication, access control, integrity and privacy. IPSec ensures the data exchanged between remote sites is verified and encrypted. IPSec can be used to create encrypted tunnels or just do encryption between computers.

IPSec functions in two types of modes, Transport or Tunnel mode. Transport mode is only used for end to end communication, where as Tunnel mode is most often used in gateway to gateway communication or in VPNs. IPSec has three main protocols that are used to secure either an entire IP payload or only the upper layer protocols of an IP payload.

Internet Key Exchange (IKE) Protocol: Internet Key Exchange (IKE) negotiates the IPSec security associations (SAs). This process requires that the IPSec systems first authenticate themselves to each other and establish ISAKMP (IKE) shared keys

Authentication Header (AH) Protocol: provides data origin authentication, data integrity, and replay protection

Encapsulating Security Payload (ESP) Protocol: provides all the same security features as AH. The added benefit of ESP is data confidentiality.

Diagram of L2TP/IPSec Packet Containing an IP Datagram

Strengths and Weaknesses of PPTP, L2TP and L2TP/IPSec

When considering which type of network tunnel to implement. The features of each protocol should be taken into consideration. The benefits and limitations of each tunnelling protocol discussed above are listed below.

Point to Point Tunnelling Protocol

Strengths

Easy to configure and maintain.

Does not need specialist hardware

Its reliable as it uses TCP to retransmit lost data packets

Weaknesses

PPTP can only function with IP networks

Less secure compared to other VPN protocols as it use MPPE which encrypts data up to 128b

The data encryption process begins after the PPP connection is finished.

The connection process only requires user authentication

Firewall compatibility issues as they don’t support GRE

Layer 2 Tunnelling Protocol

Strengths

It is fast because it uses UDP, is used more commonly used for real time communication, for example video conferencing or voice over IP(VoIP)

It supports multiple protocols including non TCP/IP

Less firewall issues compared to PPTP

Weakness

Requires more specialist knowledge for configuration and maintenance

It uses UDP making it less reliable, because it does not retransmit lost packets

Has an effect on network services making it not as quick as other VPN protocols

Layer 2 Tunnelling Protocol/IPSec

Strengths

The data encryption process starts before the PPP connection process

More secure than PPTP as it requires the use of digital certificates for computer authentication and user authentication using PPP authentication protocol

More secure as it uses the DES (up to three 56-bit keys) or AES(up to 256bit)

Provides data integrity and confidentiality

Weakness

Des algorithm is vulnerable brute force attacks