Tunneling protocols are agreements between tunneling routers that assure transparent transport of information. The agreements cover the correct interpretation of the information and the security of the information. The protocols are divided between rules that are performed by the routers and information passed between the routers. The portion of the protocols passed between the routers is what we typically consider “the tunneling protocol.” Both pieces of the agreements must exist to assure transparency of the tunneled information.
We try to map tunneling protocol functions to the OSI Reference Model, but the model is lacking in this area. Tunneling protocols transport lower layer (Layer 2 or Layer 3) protocols in an upper layer (Layer 3 or Layer 4) protocol. The OSI Reference Model is uncomfortable with this process. If assignment is necessary, tunneling protocols most comfortably sit at the Session Layer.
The concept of tunneling protocols is not new for data communications. The visual breaks down tunneling protocol operation. The protocols at the top are the tunneled protocols that get the work done. The tunneling protocols in the middle allow transparent transport of the tunneled information across the final set of protocols, the transport protocols. Here, the transport network is TCP/IP. This same model has been used for many years and is standardized as Data Link Switching (DLSw) and Remote Source Route Bridging (RSRB). In both of these environments, bridged LAN traffic is tunneled through a TCP/IP routed network.
The tunneling protocols in a VPN are functionally similar to those in a DLSw or RSRB environment. The tunneling protocol contains information about the content of the tunneled protocols and the router that generated the packet. At the receiving end the remote tunneling router uses this information to regenerate the information packet.
Functions of Tunneling Protocols
In other tunneling environments (e.g., data link switching and remote source route bridging), tunneling is necessary because the transported protocols must cross the network and they cannot be routed. In the current corporate environment, tunneling protocols resolve other concerns as well.
- Network services: Corporations run several network operating systems at once. No single vendor can provide a solution for all possible scenarios; consequently, multivendor, multiprotocol traffic is a fact of life for most corporations. Another fact is the growing use of a single-protocol backbone (TCP/IP). By identifying the protocol carried in each packet, tunneling protocols allow multiple LAN protocols to be transported on a single backbone network.
- Interoperability: Sharing critical information requires interoperability and connectivity. A common backbone protocol suite and a tunneling system that can handle multiple protocols achieve both.
- Performance: Shared information is only useful when the information is presented without much delay. The performance is the responsibility of the network. Tunneling protocols provide a means to monitor the performance (i.e., round-trip delay) and notify the users of problems.
- Reliability: Shared information is also useful only when the information is error-free. The reliability of communications is also the responsibility of the network. The tunneling protocols provide a means to monitor the error performance of the network.
- Security: A hot topic in corporate communications is security. Tunneling protocols provide a means to invoke encryption, authentication, and accounting schemes—the building blocks of most security systems.
Common Attributes of Tunneling Protocols
Transporting information across a routed network is the overall attribute of tunneling protocols. Tunneling protocols also manage and monitor the tunnel and differentiate between various information types. Tunneling protocol attributes are defined below.
- Session management: Provides a capability of tunneling routers to create, maintain, and monitor the operation of a protocol tunnel through an internetwork. Session management also allows a network administrator to troubleshoot sessions and verify that the tunnel is operating.
- Multiprotocol support: Allows the transport network to carry non-native protocols from various vendors independently. One evaluation criterion for a tunneling protocol is its ability to tunnel a wide variety of protocols.
- Authorization: Allows a network administrator to specify the tunnel endpoints (i.e., routers) and verify that the endpoints are those specified.
- Encryption: Ensures the security of information sent over the tunnel.
Tunneling Protocols and Security
Network security has become a high-stakes game of threat and deterrence. In the early days of the Internet, the major threat was from hackers looking for something “good.” With the increase of electronic commerce and VPN traffic, the threats have changed to fraud, embezzlement, and corporate espionage. Tunneling protocols offer deterrence to these new threats.
The slide lists four threats and the associated deterrence tunneling protocols offer. Not all tunneling protocols support all the security features shown on the visual.
- IP address spoofing allows an intruder to impersonate a valid user. Tunneling protocols hide the user’s IP address within the tunnel. The only visible address is that of the tunneling router.
- Tunneling protocols deter hacking by creating a shielded access point into the network. Only authorized routers can create a tunnel and only authorized users can access the tunnel.
- Tunneling protocols offer encryption using various key lengths. As an added benefit, tunneling protocols are often not decoded during normal protocol analysis, which adds an “out-of-sight, out-of-mind” type deterrence.
- Inserting data such as viruses into a tunnel can cause havoc. Some tunneling protocols deter this threat by using an accounting mechanism (octets in vs. octets out), and packet identification and verification using the Digital Signature Standard (DSS).
Examples of Tunneling Protocols
- Generic Routing Encapsulation (GRE): The IETF refers to this tunneling technique as encapsulation. A number of RFCs have been published that deal with encapsulating an alien protocol over an IP-based Internet. RFC 1701 defines GRE, but it does not define the payload (alien protocol) or the native protocol. It only defines the capabilities of a tunneling system. RFC 1702 defines the mechanism for generic tunneling over an IP network for Mobile IP, RFC 2003 defines IP tunneling over IP, and RFC 1234 defines tunneling IPX over IP.
- Layer 2 Forwarding (L2F): Created by Cisco, L2F tunnels either Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) over an IP internetwork. When tunneling PPP, the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) performs authentication.
- Point-to-Point Tunneling Protocol (PPTP): A tunneling protocol proposed by Microsoft and supported by a group of hardware vendors, it encapsulates PPP inside GRE version 2 protocol. PPTP follows the PPP connection establishment procedures and can employ the PAP or CHAP for authentication.
- Layer 2 Tunneling Protocol (L2TP): A blend of L2F and PPTP tunneling protocols, L2TP is a compromise between Cisco (L2F) and Microsoft (PPTP) to standardize the tunneling marketplace.
- Secure IP (IPSec): A security protocol described in the IETF's RFCs 2401–2412, it is rapidly becoming the industry’s VPN protocol of choice.
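As an added example (not part of the original material or of any router vendor's code), the following Python encoder and decoder work through the RFC 1701 GRE header named in the GRE item above and the encapsulate-then-regenerate cycle described in the introduction: the sending router records the tunneled protocol type plus optional checksum, key and sequence number, and the receiving router validates the header before handing the payload back. The routing (R) option is deliberately rejected rather than parsed, and the inner packets used are constructed sample bytes.

```python
import struct

# RFC 1701 flag bits in the first GRE word; the R (routing) option is rejected, not parsed
FLAG_C, FLAG_R, FLAG_K, FLAG_S, VERSION_MASK = 0x8000, 0x4000, 0x2000, 0x1000, 0x0007
ETHERTYPE_IPV4, ETHERTYPE_IPX = 0x0800, 0x8137  # protocol-type values the header can carry

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum; RFC 1701 takes it over GRE header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def gre_encapsulate(payload: bytes, proto: int, key=None, seq=None, checksum=True) -> bytes:
    """Sending router: prepend flags, protocol type and optional checksum/key/sequence fields."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0) | (FLAG_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)  # checksum placeholder plus the (unused) offset field
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    pkt = hdr + payload
    if checksum:  # computed with the field zeroed, then written into bytes 4..5
        pkt = pkt[:4] + struct.pack("!H", inet_checksum(pkt)) + pkt[6:]
    return pkt

def gre_decapsulate(pkt: bytes) -> dict:
    """Receiving router: validate the header, then recover protocol type, key, sequence, payload."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & VERSION_MASK or flags & FLAG_R:
        raise ValueError("unsupported GRE version or routing option")
    hlen = 4 + sum(4 for f in (FLAG_C, FLAG_K, FLAG_S) if flags & f)
    if len(pkt) < hlen:
        raise ValueError("truncated GRE header")
    if flags & FLAG_C and inet_checksum(pkt) != 0:  # a packet carrying its checksum sums to zero
        raise ValueError("GRE checksum mismatch")
    pos, fields = 4 + (4 if flags & FLAG_C else 0), {"proto": proto, "key": None, "seq": None}
    if flags & FLAG_K:
        fields["key"], pos = struct.unpack("!I", pkt[pos:pos + 4])[0], pos + 4
    if flags & FLAG_S:
        fields["seq"], pos = struct.unpack("!I", pkt[pos:pos + 4])[0], pos + 4
    fields["payload"] = pkt[pos:]
    return fields
```

The key field is the "authorization" hook the attributes section mentions (a receiver can drop packets whose key does not match the configured tunnel), and the sequence number and checksum give the receiver a way to notice reordering or corruption rather than silently regenerating bad packets.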