
VPN GRE

ITE PC v4.0, Chapter 1. © 2007 Cisco Systems, Inc. All rights reserved. Cisco Public
What is VPN?
• A VPN is a means of carrying private traffic over a
public network.
• Often used to connect two private networks, over a
public network, to form a virtual network
• The word virtual means that, to the users on either
end, the two private networks seem to be
seamlessly connected to each other.
• That is, they are part of a single virtual private
network (although physically they are two separate
networks).
– Implication: connectivity, security and privacy.
• The VPN should provide the same connectivity and privacy you would find on a typical local private network.
Encrypted vs Nonencrypted VPNs
• In encrypted VPNs, encryption mechanisms
are used to secure the traffic across the
public network.
– Example: IPsec VPNs
• In nonencrypted VPNs, confidentiality is either not ensured at all, or is ensured by other means (including encryption at higher layers).
– Examples:
MPLS VPNs (Multiprotocol Label Switching): traffic is separated by labels, not protected by encryption
GRE-based VPNs: the tunnel carries the inner packet in cleartext; confidentiality, if required, comes from encryption at a higher layer (e.g., TLS) or from carrying the GRE tunnel inside an encrypting tunnel such as IPsec
VPNs at different OSI layers
• The layer where VPN is constructed affects
its functionality.
– Example: In encrypted VPNs, the layer where
encryption occurs determines
(i) how much traffic gets encrypted
(ii) the level of transparency for the end users

• Data link layer VPNs (Layer-2)
– Example protocols: Frame Relay, ATM
– Drawbacks:
• Expensive: requires dedicated Layer 2 pathways
• May not have complete security: protection rests mainly on segregating traffic into separate Layer 2 connections (circuits), not on encryption

– Q: Is L2TP a layer 2 VPN?

VPNs at different OSI layers
• Network layer VPNs (Layer-3)
– Created using layer 3 tunneling and/or encryption
Q: difference between encapsulation and tunneling ?
See http://computing-dictionary.thefreedictionary.com/tunneling%20protocol

– Examples: IPsec, GRE, L2TP (L2TP tunnels Layer 2 frames inside IP packets, so it is built on the IP layer even though it carries Layer 2 traffic)

– Advantages:
• A 'proper' layer
– Low enough to be transparent to applications and transport protocols
– High enough to use IP addressing and routing
• Cisco focuses on this layer for its VPNs.

Generic Routing Encapsulation
(GRE)
• Provides low-overhead tunneling (often between two private networks)
• Does not provide encryption; the inner packet is carried in cleartext
• Used to encapsulate a packet of one arbitrary network-layer protocol inside another arbitrary network-layer protocol:
delivery header + GRE header + payload packet
• Mostly IPv4 is the delivery protocol, with an arbitrary protocol nested inside
e.g., IP protocol number 47 in the delivery IPv4 header identifies GRE; the GRE header's own Protocol Type field (an Ethertype value, e.g. 0x0800 for IPv4) identifies the payload packet
• RFCs:
– RFC 1701, Generic Routing Encapsulation (GRE), S. Hanks, T. Li, D. Farinacci, P. Traina, October 1994 (Informational)
– RFC 2784, Generic Routing Encapsulation (GRE), D. Farinacci, T. Li, S. Hanks, D. Meyer, P. Traina, March 2000 (Proposed Standard)
– RFC 2890, Key and Sequence Number Extensions to GRE, G. Dommety, September 2000 (Proposed Standard)
Generic Routing Encapsulation
• GRE header (based on RFC 1701, deprecated): Figure 11-2
– flag bits C, R, K, S, s, a Recur field, Flags, Ver and Protocol Type, followed by optional Checksum, Offset, Key, Sequence Number and Routing fields
• GRE header (based on RFC 2784 and 2890): Figure 11-4
– C, K and S bits, Reserved0, Ver (= 0) and Protocol Type (an Ethertype value), followed by optional Checksum + Reserved1, Key and Sequence Number

• C = 1: Checksum present
• Checksum: the one's complement (Internet) checksum over the GRE header and the payload packet, computed with the checksum field set to zero. It detects accidental corruption only; an attacker who modifies the packet simply recomputes it.
• K = 1: Key present
• Key:
– a 32-bit number inserted by the encapsulator; a receiver typically discards packets whose Key does not match its configured value, which guards against misconfiguration (e.g., two tunnels terminating on the same endpoint)
– may be used to identify an individual traffic flow within a tunnel
– Not the same as a cryptographic key: it is sent in cleartext, so it provides no authentication against anyone who can observe or guess it
• S = 1: Sequence Number present (RFC 2890): a 32-bit counter the receiver can use to restore or enforce transmission order. Also unprotected.
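The two GRE slides above (the encapsulation structure on the previous slide and the header fields on this one) can be seen working in the following Python script. It is an added example, not code from the slides or from Cisco: it builds a GRE-over-IPv4 packet (delivery IPv4 header with protocol 47, RFC 2784 GRE header with the RFC 2890 Key and Sequence Number fields, and a constructed inner IPv4 packet), then parses it back and verifies the checksum. All addresses, the key value and the payload bytes are constructed test data.

```python
"""GRE over IPv4, built and parsed by hand (RFC 2784 header, RFC 2890 Key/Seq).

Added example, not part of the slide deck: shows the structure
  delivery header + GRE header + payload packet
and verifies the optional checksum. Addresses and payload are constructed data.
"""
import socket
import struct
from typing import Optional

GRE_IP_PROTOCOL = 47          # protocol number in the delivery IPv4 header that marks GRE
ETHERTYPE_IPV4 = 0x0800       # GRE Protocol Type for an IPv4 payload packet
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # Checksum, Key, Sequence Number present


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071), shared by the IPv4 header and the GRE C bit."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      protocol: int = GRE_IP_PROTOCOL) -> bytes:
    """Minimal 20-byte IPv4 header; protocol 47 tells the receiver GRE follows."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def build_gre_header(payload: bytes, protocol_type: int = ETHERTYPE_IPV4,
                     key: Optional[int] = None, seq: Optional[int] = None,
                     checksum: bool = False) -> bytes:
    """RFC 2784 header (Ver = 0) plus the RFC 2890 Key / Sequence Number fields."""
    flags = ((FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
             | (FLAG_S if seq is not None else 0))
    header = struct.pack("!HH", flags, protocol_type)
    if checksum:
        header += struct.pack("!HH", 0, 0)    # Checksum (filled below) + Reserved1
    if key is not None:
        header += struct.pack("!I", key)      # plaintext 32-bit tag, not a secret
    if seq is not None:
        header += struct.pack("!I", seq)
    if checksum:
        # RFC 2784: checksum covers GRE header (checksum field = 0) and the payload packet
        csum = ones_complement_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header


def parse_gre(packet: bytes) -> dict:
    """Strip the delivery header, decode the GRE header, verify the checksum if C is set."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("delivery header does not carry GRE (protocol 47)")
    gre = packet[ihl:]
    flags, protocol_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:                        # Ver field; only version 0 is RFC 2784 GRE
        raise ValueError("unsupported GRE version %d" % (flags & 0x0007))
    info = {"protocol_type": protocol_type, "key": None, "seq": None, "checksum_ok": None}
    offset = 4
    if flags & FLAG_C:
        stored = struct.unpack("!H", gre[offset:offset + 2])[0]
        zeroed = gre[:offset] + b"\x00\x00" + gre[offset + 2:]
        info["checksum_ok"] = ones_complement_checksum(zeroed) == stored
        offset += 4                           # Checksum + Reserved1
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    info["payload"] = gre[offset:]            # the original (inner) packet, untouched
    return info


def demo() -> dict:
    """Encapsulate a constructed inner IPv4 packet between two sites and decapsulate it."""
    # Inner packet: private 10.x addresses with an opaque 8-byte payload (constructed)
    inner = build_ipv4_header("10.1.1.10", "10.2.2.20", 8, protocol=17) + b"PRIVATE!"
    gre = build_gre_header(inner, key=0xDEADBEEF, seq=1, checksum=True)
    # Delivery header: the two tunnel endpoints' public addresses (documentation ranges)
    outer = build_ipv4_header("198.51.100.1", "203.0.113.1", len(gre) + len(inner))
    packet = outer + gre + inner
    result = parse_gre(packet)
    # Flip one payload bit in transit: the checksum catches corruption, but an attacker
    # who alters the packet would simply recompute the checksum
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    result["tampered_checksum_ok"] = parse_gre(tampered)["checksum_ok"]
    return result


if __name__ == "__main__":
    r = demo()
    print("key=%#x seq=%d proto=%#06x checksum_ok=%s tampered_ok=%s"
          % (r["key"], r["seq"], r["protocol_type"], r["checksum_ok"],
             r["tampered_checksum_ok"]))
```

Running it prints the recovered Key, Sequence Number, Protocol Type and checksum result, and shows that flipping a single payload bit fails the checksum while nothing in the parser stops someone who knows the cleartext Key from forging a packet with a fresh checksum. That is the practical meaning of "GRE does not provide encryption": confidentiality and integrity have to come from IPsec or a higher layer.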

Generic Routing Encapsulation
• Case Studies:
- GRE between multiple sites
