This report will outline the reasons why tunnelling is used and describe three of the most commonly used tunnelling protocols. It also aims to explain why they were developed and why one might be preferred over another.
In this report, I will be mainly focusing on:
Explain network tunnelling.
The reasons for tunnelling.
Explain briefly three tunnelling protocols.
Compare the strengths and weaknesses of the three tunnelling protocols.
The conclusion summarizes this report and provides a personal reflection on the methods expressed within it.
Tunnelling allows one network to send its data through another network's connections, for example the Internet. Tunnels are used to create a safe and secure network connection between a private network and a remote host. This enables a remote user to gain access to resources on their private network.
Figure: Diagram of a network tunnel
It does this by using tunnelling protocols: a packet based on one protocol is encapsulated in a second packet based on whatever protocol is required to allow it to propagate through the intermediary network. In effect, the second wrapper 'insulates' the original packet and gives the illusion of a tunnel. Tunnelling technology can be implemented using a Layer 2 or Layer 3 tunnelling protocol.
In real-life terms, tunnelling can be compared to 'encapsulating' a present (the original packet) in a box (the second wrapper) for delivery through the postal service.
Reasons for Tunnelling
There are many reasons why an organization may choose to implement a network tunnel. A few examples are listed below.
Lower communications cost: tunnelling removes the need for expensive leased lines, because tunnels can operate over Public Switched Telephone Network (PSTN) lines. It also significantly reduces the number of national and international calls.
Lower administration: network administrators need only manage and secure their remote access servers. They only have to manage user accounts and do not need to worry about supporting complex hardware configurations.
Improves organization efficiency: many employees are field based or work from home. Having the ability to access the company's server for resources is a great convenience and increases employee productivity.
Improves Security: The use of authentication and encryption protocols helps to protect the data that is transmitted through the tunnel.
(King D. B., Computer networking illuminated, 2009)
Point To Point Tunnelling Protocol
The Point to Point Tunnelling Protocol (PPTP) is a protocol that is used to tunnel Point to Point Protocol (PPP) connections inside an IP network, creating a Virtual Private Network (VPN).
PPTP was developed by the PPTP Forum, a group of companies that included Microsoft, Ascend, US Robotics and 3Com. PPTP is one of the most commonly implemented tunnelling protocols. This is mainly because it is supported by Windows clients and is fairly simple to configure and maintain. PPTP has the capacity to provide on-demand, multi-protocol VPNs over public networks, for example the Internet.
(King D. B., 27/2/2013)
PPTP is an extension of the Point-to-Point Protocol (PPP) RFC 1661. PPTP works at the data link layer of the OSI model. The authentication process used by PPTP is identical to that of PPP. PPP has four main authentication protocols, which are:
Password Authentication Protocol (PAP) RFC 1334: this allows clear text authentication of a username and password. It is not a secure protocol, because if PAP packets are captured on the link between the server and remote clients it would be possible to recover the remote user's password. It is also vulnerable to replay attacks.
Challenge Handshake Authentication Protocol (CHAP) RFC 1994: a more secure authentication protocol than PAP. It works by ensuring that both the server and the user know the plain text of the secret, even though the secret is never sent over the link. The process is carried out when the initial link is created and at regular intervals during the connection to verify the identity of the remote user. It is also known as a three-way handshake.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) RFC 2433: a Microsoft extension of CHAP. It follows the three-way handshake method like CHAP. MS-CHAP works by ensuring that the server stores a digital signature of the user instead of their password. This allows for a greater level of security.
MS-CHAPv2 RFC 2759: Microsoft developed an enhanced version of MS-CHAP. The encryption authentication process was revised so that each network device has to authenticate to the other. This method creates two unidirectional data pipes, and a different encryption key is used for each direction of the connection between the devices.
(Kory Hamzeh, Gurdeep Singh Pall, William Verthein, Jeff Taarud, W. Andrew Little, Glen Zorn, 1999-07; B. Lloyd)
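As an added example (not part of the original report), the CHAP three-way handshake of RFC 1994 in Python, run from both sides: the authenticator issues a random challenge, the peer answers with MD5(Identifier || secret || Challenge), and the authenticator checks the result. The user name and shared secret are constructed values; the one-time challenge, consumed on first use, is what defeats the replay attack that PAP is exposed to.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the handshake: holds per-user secrets and outstanding challenges."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # user name -> shared secret (never sent on the link)
        self.pending = {}           # Identifier -> challenge value awaiting a response
        self.next_id = 0

    def challenge(self):
        # Step 1: Challenge packet. The value must be unpredictable and unique,
        # so a response recorded by a sniffer is worthless for any later handshake.
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)
        self.pending[ident] = value
        return ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        # Step 3: Success or Failure. The challenge is removed on first use,
        # so replaying the same (Identifier, Response) pair is rejected.
        value = self.pending.pop(ident, None)
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, value), response)


def chap_peer(ident: int, value: bytes, name: str, secret: bytes):
    # Step 2: Response packet carries the hash and the peer's name; the secret stays local.
    return name, chap_response(ident, secret, value)


def run_handshake(server: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """One complete three-way exchange; returns True on Success."""
    ident, value = server.challenge()
    name, response = chap_peer(ident, value, name, secret)
    return server.verify(ident, name, response)


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    server = ChapAuthenticator({"remote-user": b"constructed-shared-secret"})
    print(run_handshake(server, "remote-user", b"constructed-shared-secret"))  # True
    print(run_handshake(server, "remote-user", b"wrong-secret"))               # False
```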
PPTP itself provides no encryption; it only establishes the tunnel. The encryption technology used with PPTP is the Microsoft Point to Point Encryption (MPPE) protocol RFC 3078. MPPE uses the RSA RC4 algorithm and at present supports 40-bit, 56-bit and 128-bit session keys.
Structure of PPTP Packet Containing IP Datagram
Figure: Diagram of a PPTP packet containing an IP datagram
PPTP consists of three main parts:
A control connection that runs over TCP (port 1723)
The data packets, which are encapsulated using GRE and routed through the IP tunnel
The IP tunnel itself, used for routing the GRE-encapsulated packets
(Gurdeep Singh Pall and Glen Zorn, 2001-03)
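As an added example (not from the original report), a builder and parser for the enhanced GRE header that carries PPTP user data (RFC 2637 section 4): the Key field holds the payload length and Call ID, and optional sequence and acknowledgment numbers follow. The PPP frame in the test is a constructed stub; the field layout and the 0x880B protocol type are the RFC's. A firewall that does not pass IP protocol 47 (GRE) drops every packet of this kind, which is the compatibility problem noted later in the report.

```python
import struct
from typing import Optional

PPTP_GRE_PROTOCOL = 0x880B   # RFC 2637: protocol type for PPP frames in enhanced GRE
GRE_IP_PROTOCOL = 47         # IP protocol number a firewall must pass for PPTP data to flow
PPTP_CONTROL_PORT = 1723     # TCP port of the PPTP control connection

# First 16 bits of the header: C R K S s Recur(3) A Flags(4) Ver(3)
FLAG_K, FLAG_S, FLAG_A = 0x2000, 0x1000, 0x0080
RESERVED_MASK = 0xCF78       # C, R, s, Recur and Flags must all be zero for PPTP


def build_pptp_gre(call_id: int, ppp_frame: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Wrap a PPP frame in an enhanced GRE header (RFC 2637 section 4.1)."""
    flags = FLAG_K | 1                       # Key field always present, Ver = 1
    optional = b""
    if seq is not None:
        flags |= FLAG_S
        optional += struct.pack("!I", seq)
    if ack is not None:
        flags |= FLAG_A
        optional += struct.pack("!I", ack)
    # Key field: high word = payload length, low word = peer's Call ID
    fixed = struct.pack("!HHHH", flags, PPTP_GRE_PROTOCOL, len(ppp_frame), call_id)
    return fixed + optional + ppp_frame


def _u32(buf: bytes, offset: int) -> int:
    if len(buf) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack("!I", buf[offset:offset + 4])[0]


def parse_pptp_gre(buf: bytes) -> dict:
    """Parse a PPTP data packet; raise ValueError for anything that is not well-formed PPTP GRE."""
    if len(buf) < 8:
        raise ValueError("short GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", buf[:8])
    if proto != PPTP_GRE_PROTOCOL or (flags & 0x7) != 1 or not flags & FLAG_K:
        raise ValueError("not a PPTP enhanced GRE packet")
    if flags & RESERVED_MASK:
        raise ValueError("reserved GRE bits set")
    offset, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, offset = _u32(buf, offset), offset + 4
    if flags & FLAG_A:
        ack, offset = _u32(buf, offset), offset + 4
    payload = buf[offset:]
    if len(payload) != payload_len:
        raise ValueError(f"header says {payload_len} payload bytes, {len(payload)} present")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp_frame": payload}
```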
Layer 2 Tunnelling Protocol
Layer 2 Tunnelling Protocol (L2TP) RFC 2661 is a protocol used to tunnel data traffic between two points using the Internet. L2TP was developed by Microsoft and Cisco to combine the features of PPTP with those of Cisco's Layer 2 Forwarding (L2F) protocol RFC 2341. L2TP is capable of supporting non-TCP/IP clients, for example Frame Relay and Asynchronous Transfer Mode (ATM). L2TP is similar to PPTP in that it works at the data link layer of the OSI model, encapsulates the data in PPP frames and transmits these across the connection. To maintain the tunnel and carry user data, L2TP uses UDP for encapsulation.
An added security feature of L2TP is that it can be carried in the payload of an Internet Protocol Security (IPSec) packet. This combination is sometimes known as L2TP over IPSec or L2TP/IPSec RFC 3193.
L2TP uses the same PPP authentication protocols as PPTP.
L2TP can also use IPSec for authentication. This has two stages of authentication.
Device level authentication: by using pre-shared keys or certificates for IPSec sessions
User authentication: A PPP authentication protocol is used for the L2TP tunnel.
IPSec is capable of providing end to end encryption for data that is transmitted between the sending and receiving devices.
L2TP provides no encryption of its own; it relies on a separate encryption protocol inside the tunnel to ensure data security. To encrypt the data in the tunnel, L2TP can use MPPE or IPSec encryption with the DES (up to three 56-bit keys) or AES (up to 256-bit) algorithms.
Structure of L2TP Packet Containing an IP Datagram
Figure: Diagram of an L2TP packet containing an IP datagram
(W. Townsley; Jawin, 2005)
Internet Protocol Security
Internet Protocol Security (IPSec) RFC 2401 is a set of IP extensions developed by the Internet Engineering Task Force (IETF) that functions at the network layer of the OSI model. It provides the current IPv4 and IPv6 standards with a compatible security service. IPSec is capable of securing any protocol that runs on top of IP, for example TCP and UDP. IPSec provides cryptographic security services that allow for authentication, access control, integrity and privacy. IPSec ensures the data exchanged between remote sites is verified and encrypted. IPSec can be used to create encrypted tunnels or just to encrypt traffic between computers.
IPSec functions in two modes, Transport or Tunnel mode. Transport mode is only used for end to end communication, whereas Tunnel mode is most often used in gateway to gateway communication or in VPNs. IPSec has three main protocols that are used to secure either the complete IP packet or just the IP payload of the upper layer protocols.
Internet Key Exchange (IKE) Protocol: IKE handles the IPSec security associations (SAs). This process requires that each device authenticates itself to the other and that they establish ISAKMP (IKE) shared keys.
Authentication Header (AH) Protocol: this provides a means to check the authentication of the data origin and also data integrity. It also provides protection against replay attacks.
Encapsulating Security Payload (ESP) Protocol: provides all the same security features as AH. The added benefit of ESP is data confidentiality.
Figure: Diagram of an L2TP/IPSec packet containing an IP datagram
(King D. B., Computer Networking illuminated, 2009)
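As an added example (not from the original report), the anti-replay protection that AH and ESP provide: every packet on a security association carries an increasing sequence number, and the receiver keeps a sliding window (64 wide here, the scheme of RFC 2401 Appendix C) recording which numbers it has already accepted. A number that is older than the window or already marked in it is dropped before any cryptography is done, and the window only advances once the packet's integrity check has passed, so a forged packet with a high sequence number cannot push genuine packets out of the window.

```python
class AntiReplayWindow:
    """Receiver-side sliding window for AH/ESP sequence numbers (RFC 2401 Appendix C)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far (right edge)
        self.bitmap = 0           # bit i set => packet (highest - i) already received

    def check(self, seq: int) -> bool:
        """Pre-verification check: could this sequence number still be a new packet?"""
        if seq == 0:                       # the first packet of an SA is numbered 1
            return False
        if seq > self.highest:             # ahead of the window: always new
            return True
        back = self.highest - seq
        if back >= self.size:              # fell off the left edge: too old
            return False
        return not (self.bitmap & (1 << back))   # inside window: new only if unmarked

    def update(self, seq: int) -> None:
        """Record seq after the integrity check value (ICV) has been verified."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) | 1      # slide the window right
            else:
                self.bitmap = 1                               # jumped past the whole window
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """Full receive path: sequence check, then ICV result, then window update."""
        if not self.check(seq):
            return False            # replayed or too old: drop before doing any crypto
        if not icv_ok:
            return False            # forged or corrupted: drop and leave the window alone
        self.update(seq)
        return True


if __name__ == "__main__":
    # Constructed packet stream: (sequence number, ICV verified?) pairs.
    window = AntiReplayWindow()
    for seq, icv_ok in [(1, True), (2, True), (3, True), (3, True), (1000, False), (4, True)]:
        print(seq, "accepted" if window.receive(seq, icv_ok) else "dropped")
```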
Strengths and Weaknesses of PPTP, L2TP and L2TP/IPSec
When considering which type of network tunnel to implement, the features of each VPN protocol should be taken into consideration. The strengths and weaknesses of each tunnelling protocol discussed above are listed below.
Point to Point Tunnelling Protocol
Easy to configure and maintain.
Does not need specialist hardware
It's reliable, as it uses TCP to retransmit lost data packets
PPTP can only function over IP networks
Less secure compared to other VPN protocols, as it uses MPPE, which encrypts data with keys of up to 128 bits
The data encryption process begins after the PPP connection is finished.
The connection process only requires user authentication
Firewall compatibility issues, as firewalls may not support GRE
Layer 2 Tunnelling Protocol
It uses UDP, so it is more commonly used for real time communication, for example video conferencing or Voice over IP (VoIP)
It supports multiple protocols including non TCP/IP
Less firewall issues compared to PPTP
Requires more specialist knowledge for configuration and maintenance
It uses UDP, making it less reliable because lost packets are not retransmitted
Has an effect on network services, making it not as quick as other VPN protocols
Layer 2 Tunnelling Protocol/IPSec
The data encryption process starts before the PPP connection process
More secure than PPTP, as it requires the use of digital certificates for computer authentication, plus user authentication using a PPP authentication protocol
More secure as it uses the DES (up to three 56-bit keys) or AES (up to 256-bit) algorithms
Provides data integrity and confidentiality
More complex configuration and administration.
The DES algorithm is vulnerable to brute force attacks.
Network address translation (NAT) does not work with IPSec
When an organization decides to implement a VPN there are various protocols which can be considered. This report provides information regarding three of these tunnelling protocols together with their strengths and weaknesses.
There are benefits and drawbacks to implementing PPTP, L2TP and L2TP/IPSec, and it is hard to say which is the better option to use as a tunnelling protocol. This is because in most cases circumstances will dictate which tunnelling protocol is the most appropriate to use, for example a tunnel used for real time communications as opposed to a tunnel used to send sensitive data.
PPTP is the oldest and most lightweight; it also has the advantage that it is reliable and usually very easy to configure and maintain. The main disadvantage is that it is the least secure of the tunnelling protocols and has compatibility issues with firewalls.
L2TP is capable of supporting non-TCP/IP clients. It uses UDP, making it fast, but on the downside it is not as reliable as PPTP because lost packets are not retransmitted. Compared to PPTP, L2TP does not have the same firewall compatibility issues.
L2TP/IPSec is the most secure of the three tunnelling protocols discussed. This is because it has a stronger authentication mechanism and uses a better encryption process. L2TP/IPSec is more complex to configure and may have an impact on network services. The main disadvantages of L2TP/IPSec are that it will not traverse a device running NAT and that it is vulnerable to brute force attacks.