Looks At Various Tunnelling Protocols Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This report looks at various tunnelling protocols that can be deployed in todays networking infrastructures. The report delivers information and standards defining tunnelling protocols PPTP and L2TP as well numerous encapsulation and encryption protocols applied to these protocols such as MS-CHAPv2, EAP-TLS and IPSec.

The report investigates protocol structures and how they link with other protocols to provide a secure VPN (virtual private network).

A comparison has be made between the PPTP and L2TP tunnelling protocols documenting particular circumstances in which one protocol may be favoured to another along with their known strengths and weaknesses listed.

Thought the investigation Illustrations are applied to depict a particular encapsulation technique or presence in a protocol stack such as the OSI 7 layer model.

A conclusion is drawn up at the end summarising the protocols examined throughout the report.


Tunnelling aids many organisations to create a private and secure link over a network in which to exchange data, typically an un-trusted network for example a PSTN (Public Switched Telephone Network). These methods ensure data integrity for the organisation preventing theft, change and eavesdroppers from compromising confidential data.

Essentially businesses require VPNs to allow a client-server relationship. This allows a client to access resources from at a remote location. This provides a dynamic and time efficient way in which to perform work related tasks. Dynamically an employee can logistically carryout their duties without the need to travel to the workplace.

Tunnelling provides businesses with a cost effective way in which to communicate over PSTN rather than the increased costs of leasing a private leased line.

VPNs provide a secure medium in which to connect, authenticate, compress and encrypt data using the protocols detailed in the report. This provides a business with a safe and secure way in communicate.

A very basic description of tunnelling is simply "it is a communications protocol to encapsulate at a peer level or lower".

Read more: Difference Between PPTP and L2TP | Difference Between | PPTP vs L2TP http://www.differencebetween.net/technology/difference-between-pptp-and-l2tp/#ixzz2MbxBwXVJ

Three critical areas of protection tunnelling protocols cover:

Confidentiality, this ensures data sent is encrypted and therefore if intercepted from an unknown source the data is unreadable. Only the sender and receiver can decrypt this data.

Integrity, checks that data received has not been compromised. This is monitored through a public key certificate (digital certificate) which uses a digital signature to asses data packets received.

Authenticity. Authentication determines that the connected client/server credentials are indeed trusted and authorised to share data.

PPTP (Point-to-Point Tunnelling Protocol)

PPTP was first created by Microsoft, US Robotics 3Com and Ascend. Microsoft first implemented the protocol for dial-up networking with windows 95 OSR2. PPTP is only a tunnelling protocol and does not authenticate or encrypt data.

PPTP works at layer 2 (data link layer) on TCP (Transmission Control Protocol) port 1723 and creates a direct connection for client/server over a network. It is defined in the RFC 2637 (Request for Comments). Authentication and encryption are handled by protocols such as CHAP, MS-CHAPv1/v2 (Microsoft Challenge-Handshake Authentication Protocol) or EAP-TLS (Extensible Authentication Protocol - Transport Layer Security). PPTP is a combination of the GRE (Generic Routing Encapsulation) and TCP (Transmission Control Protocol) protocols. GRE encapsulates PPP packets while the PPP payloads are encrypted using Microsoft's MPPE (Microsoft point-to-point encryption). PPTP is a data link protocol at layer 2 in the OSI 7 layer model that exchanges data frames between hosts. For the Internet model this protocol is situated at the bottom of the stack on the network (physical) layer. With the IEEE (institute of electrical and electronic equipment)the protocol is located on the logical link layer. PPTP separates Control and Data streams. Data streams are handled by GRE while Control streams are handled by TCP. The GRE protocol encapsulates PPP packets being sent through the GRE tunnel with TCP controlling the transmission.

ENCAPSULATION illustration

From the illustration the PPP payload is encapsulated with a PPP header which is then encapsulated in the GRE header and then the IP header.



CHAP (Challenge Hand Shake Protocol)

CHAP is used to authenticate a client from a remote access server. Since windows 2000 CHAP is available on both remote access servers and remote client. CHAP is defined in the RFC 1994 documentation with the MD5 (Message Digest 5) standard. The protocol is implemented during the first stage of authentication by identifying the LCP protocol. After authentication has completed CHAP can send data using the PPP protocol. CHAP authentication has three stages in which to perform.

Server sends a CHAP message to the client containing a session ID in a arbitrary challenge string.

Client sends back the server a CHAP response containing the username, hash of the challenge string, session ID and password using MD5.

Server then evaluates the hash response against the response in the CHAP message. If the responses are correct a successful message is sent to the client confirming authentication.

MS CHAPv1 (Microsoft Challenge Hand-Shake Protocol)

MS CHAPv1 is the updated version of CHAP. Few differences lye between the protocols. With the new updated version MS CHAPv1 has been modified to allow a server to only require the MD4 hash of a clients password in which to authenticate. Described in the RFC 2433 and RFC 2548 (Radius encapsulation) and later defined in the RFC 2759 (MS CHAPv2) the MS CHAP range of protocols are used to authenticate over VPNs, Radius WIFI security servers with WPA (WIFI Protected Access). http://www.cisco.com/en/US/i/200001-300000/210001-220000/214001-215000/214089.jpg


MS-CHAPv2 authenticates the client/server connected. This updated version provides a higher level of security than its predecessors. Security measures on both client and server authenticating with one another ensures that a rouge server cannot influence a remote connection to a host. Authentication is administered through cryogenic keys. These keys are based on user names and passwords with key changes made as data is sent and received. Only the host a server know these keys. MS-CHAPv2 is from the RFC 2759 standard. MS-CHAPv2 is authenticated during the LCP process using PPP packets. LCP over PPP with the control code 0xC021.

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

EAP-TLS is a newer defined protocol than MS-CHAPv2. EAP is used in WPA, WPA2, IEEE 802.1. These standards fall under the IEEE 802.1x standard. TLS encrypts areas of the network at the Application layer ready for the Transport Layer. Again this security protocol prevents data from being compromised. TLS itself has 3 versions TLS 1.0, TLS 1.1 and TLS 1.2. The latest TLS 1.2 standard defined by RFC 5246 in 2008 and then updated in 2011 with the RFC 6176 standard was brought into practice to combat SSL 2.0 weaknesses such as MD5 message authentication (not as widely used now). Also hand-shake message integrity. RFC 6176 defines that servers and hosts do not engage with the SSL protocol.

PPTP Data Encryption

MPPE Microsoft Encryption.

MPPE is a protocol used to encrypt data. Along with Microsoft Point-to-Point Compression (MPPC) data is encrypted and compressed then sent through the tunnelled network. This security protocol uses RSA RC4 algorithms to protect data integrity with 40bit, 56bit and 128bit session keys. MPPC works at the data link layer and is illustrated by RFC 2118. MPPC has a compression rate of 8:1 (460 Kbit/s).

PPTP Overall Performance


Easy to set up and maintain.

Can utilise EAP which retransmits to find lost data if an error occurs.

Client compatibility with:

Windows .

Mac OSX.

Apple IOS.



DD-WRT (Linux based firmware for wireless routers/access points).


Encrypts data at 128bit which is weaker than other available protocols.

Data encryption starts after point-to-point authentication.

Only requires user authentication.

MS-CHAP weak with bit-flipping attacks and dictionary attacks.

Fire-wall issues (data streams run over GRE, not often supported).

L2TP/IPSec (Layer 2 Tunnelling Protocol/Internet Protocol Security)

L2TP first published in 1999 as an updated version of PPTP. L2TP is a combination of Microsoft's PPTP and Cisco's L2F (Layer 2 Forwarding) protocols. Again like PPTP L2TP is only a tunnelling protocol.

L2TP works at OSI layer 2 (data link layer) and the Network layer with the Internet Model. Encryption and authentication is carried out using IPSec. L2TP also uses UDP port 1701 with UDP working at layer 4 (transport). This protocol is defined through the RFC 2661 standard. L2TP/IPSec has two main processes to accomplish, first IPSec secures a channel then LT2P configures the tunnel. As with PPTP L2TP uses PPP frames for the payload. The PPP payload is encapsulated in a PPP header are then an L2TP header a UDP header and finally an IP header and trailer.

L2TP Encapsulation Illustration.

From the Illustration we can see that the PPP payload is held within the PPP header, L2TP, UDP and IP header encapsulating the datagram.



IPSEC (Internet Protocol/Security)

Firstly developed in 1993 by Columbia University and AT&T Bell as a security protocol to authenticate devices and encrypt data for transportation.

IPSec encrypts and authenticates all IP packets sent over the network. L2TP/IPSec is detailed in the RFC 3193 and IETF documentation. This protocol suite works with IP working at layer 3 (network) and TCP at layer 4 (transport). Layer 3 deals with routing the traffic with layer 4 ensuring data sent/received is error free. IPSec uses the Internet Key Exchange (IEK) to configure devices authenticity. Authentication headers are also used to secure integrity and authentication, along with ESP (Encapsulating Security Payload) that encrypts and authenticates the data. By using IPSec headers it prevents a man-in-the-middle (eves dropper) from reading this data as it is sent across a network.

L2TP/IPSec Encryption Illustration

L2TP/IPSec Overall Performance


More secure than PPTP with 186bit encryption.

Requires 2 levels of authentication, data integrity and data-origin authentication.

Provides a digital certificate prior to sending any data.

Encrypts the authentication process.

Utilising the UDP to encapsulate can ease configuration with some firewalls.


If a change happens in the digital certificate key connection is lost.

Complexities with configuring hosts that are behind NAT (Network Authentication Translation) protocol.

Windows 2008 and Vista may require registry changes in order to use L2TP.

Comparison Between PPTP and L2TP/IPSec

L2TP's new design over PPTP allows a connection over non IP based networks. L2TP has a higher level of security using multiple layers of the OSI model to secure packets over a network. In comparison to this PPTP which can only be applied to IP with TCP providing the tunnels transmission control. Although PPTP may not be as secure as L2TP it does provide a reasonable level of security with a user friendly set-up rather than L2TP which can have its complexities with configuration. If security levels are an issue then L2TP would be the preferred choice as it requires digital certificates (higher level of security). L2TP also provides greater functionality and speed to transport data quicker using UDP. PPTP falls short again of L2TP with issues regarding fire-walls.


SSTP (Secure Socket Tunnelling Protocol)

SSTP is a tunnelling protocol that encapsulates PPP or l2TP messages through the SSL (Secure Socket Layer) 3.0 channel using TCP port 443, HTTP1.1 over SSL 3.0 exchanges IPv4/IPv6 packets. With the use of SSTP firewall issues affecting previous VPN NAT problems have been significantly improved along with proxy server problems. SSTP is a Microsoft product available from Windows Vista, Windows 2000 and onwards.


Resolves Firewall, NAT and proxy server issues that may occur with PPTP and L2TP.

Integrated into Windows Vista SP1/ Server 2000 onwards.

Prevents a man-in-the middle attack.

Easy to set up and maintain on client.


Cannot be deployed for Site-to-Site VPN.

Server set up requires more complex set with ADDS, RRAS along up with required server certificate for the SSTP server.

Microsoft created, only available for Windows OS.


The report concludes from the researched material and sources gathered that network tunneling provides a robust solution for sharing confidential data over a public network safely. By linking tunnelling protocols, authentication protocols and encryption protocols businesses can insure data integrity to and from a source (server/client).

Tunnelling protocols PPTP and L2TP

Essentially tunnelling provides business with a means to carrying out duties that are not