Volume 2, Issue 11, November - 2015. ISSN 2348 4853, Impact Factor 1.317
I. INTRODUCTION
GRE tunnels are stateless: each tunnel endpoint keeps no information about the state or availability of
the remote tunnel endpoint. This property helps Internet Service Providers (ISPs) provide IP tunnels to
customers who are not concerned about the internal tunneling architecture at the ISP end. Customers
then have the flexibility to configure or reconfigure their Internet Protocol (IP) architecture while still
maintaining connectivity. GRE creates a virtual point-to-point link to routers at remote points over an IP internetwork. Generic Routing Encapsulation (GRE) over an Internet Protocol Security Virtual Private Network
(IPSec VPN) and IP-based physical security are best practice to overcome the problems mentioned.
1 | 2015, IJAFRC All Rights Reserved
www.ijafrc.org
GRE is a tunneling protocol defined in [1] and [2]. It was originally developed by Cisco Systems for
creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork [3].
GRE supports multiprotocol tunneling. It can encapsulate multiple protocol packet types inside an IP
tunnel. Adding an additional GRE header between the payload and the tunneling IP header provides the
multiprotocol functionality. IP tunneling using GRE enables network expansion by connecting
multiprotocol sub-networks across a single-protocol backbone environment. GRE also supports IP
multicast tunneling. Routing protocols that are used across the tunnel enable dynamic exchange of
routing information in the virtual network [3].
II.
The main function of GRE is to provide powerful yet simple tunneling. GRE supports any Open Systems
Interconnection (OSI) Layer 3 protocol as payload, for which it provides virtual point-to-point
connectivity. GRE also allows the use of routing protocols across the tunnel [4].
The main limitation of GRE is that it lacks any security functionality: it provides only basic plaintext
authentication using the tunnel key, which is not secure, together with the tunnel source and destination addresses.
A secure VPN, however, requires characteristics such as:
Data integrity assurance that is not vulnerable to man-in-the-middle attacks and spoofing.
Confidentiality through encryption using symmetric algorithms (for example, 3DES or AES).
Data source authentication using a keyed-hash message authentication code (HMAC) (for example, with the
message-digest algorithm (MD5) or the Secure Hash Algorithm (SHA-1)).
IPSec, however, was primarily intended to provide the above services to IP traffic only. Development of
Cisco IOS software is focused on removing these limitations, but multiprotocol support will always require
an additional tunneling protocol. Using crypto maps alone does not provide a virtual interface on which an
address can be configured and a routing protocol run to dynamically exchange routing
information [4].
Internet Protocol Security (IPSec) is an Internet Engineering Task Force (IETF) standard [5], [6] that explains
how a VPN can be configured using the IP addressing protocol. IPSec is not bound to any specific
encryption, authentication, security algorithms, or keying technology. IPSec is a framework of open
standards that spells out the rules for secure communications. IPSec relies on existing algorithms to
implement the encryption, authentication, and key exchange.
IPSec works at the Network Layer, protecting and authenticating IP packets between participating IPSec
devices (peers). As a result, IPSec can protect virtually all application traffic because the protection can
be implemented from Layer 4 through Layer 7. All implementations of IPSec have a plaintext Layer 3
header, so there are no issues with routing. IPSec functions over all Layer 2 protocols, such as Ethernet,
ATM, Frame Relay, Synchronous Data Link Control (SDLC), and High-Level Data Link Control (HDLC).
The IPSec framework consists of five building blocks.
The first represents the IPSec protocol. Choices include ESP or AH.
The second represents the type of confidentiality implemented using an encryption algorithm
such as Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), Advanced
Encryption Standard (AES), or Software-Optimized Encryption Algorithm (SEAL). The choice
depends on the level of security required.
The third represents integrity that can be implemented using either MD5 or SHA [7].
The fourth represents how the shared secret key is established. The two methods are pre-shared keys or
digital signatures using Rivest-Shamir-Adleman (RSA).
The last represents the Diffie-Hellman (DH) algorithm group. There are four separate DH key
exchange algorithms to choose from including DH Group 1 (DH1), DH Group 2 (DH2), DH Group 5
(DH5), and DH Group 7 (DH7). The type of group selected depends on the specific needs.
IPSec provides the framework, and the administrator chooses the algorithms that are used to implement
the security services within that framework. By not binding IPSec to specific algorithms, it allows newer
and better algorithms to be implemented without patching the existing IPSec standards [8].
IV. RIVEST-SHAMIR-ADLEMAN (RSA)
Signatures - The exchange of digital certificates authenticates the peers. The local device derives a hash
and encrypts it with its private key. The encrypted hash is attached to the message and is forwarded to
the remote end and acts like a signature. At the remote end, the encrypted hash is decrypted using the
public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.
IPSec is a framework of open standards. IPSec spells out the messaging to secure the communications but
relies on existing algorithms. The two main IPSec framework protocols are AH and ESP. The IPSec
protocol is the first building block of the framework. The choice of AH or ESP establishes which other
building blocks are available:
Authentication Header (AH) - AH, which is IP protocol 51, is the appropriate protocol to use when
confidentiality is not required or permitted. It ensures that the origin of the data is either R1 or R2 and
verifies that the data has not been modified during transit. AH does not provide data confidentiality
(encryption) of packets. All text is transported unencrypted. If the AH protocol is used alone, it provides
weak protection [11].
Encapsulating Security Payload (ESP) - ESP, which is IP protocol 50, can provide confidentiality and
authentication. It provides confidentiality by performing encryption on the IP packet. IP packet
encryption conceals the data payload and the identities of the ultimate source and destination. ESP
provides authentication for the inner IP packet and ESP header. Authentication provides data origin
authentication and data integrity. Although both encryption and authentication are optional in ESP, at a
minimum, one of them must be selected [11]. Figure 1 illustrates the recommended security protocol
process. Figure 4 shows how the IPSec protocol header is encapsulated in an IP header for communication
between two peers. The encryption header (IP HDR) and the authentication protocol together encapsulate the
packet (data) before it is transmitted over the internet to the remote router. This ensures a high level of
security for the payload of a packet transmitted over the internet.
IKE is defined in It is a hybrid protocol, combining the Internet Security Association and Key
Management Protocol (ISAKMP) with the Oakley and Secure Key Exchange Mechanism (SKEME) key
exchange methods. ISAKMP defines the message format, the mechanics of a key-exchange protocol, and
the negotiation process to build an SA for IPSec. ISAKMP does not define how keys are managed or
shared between the two IPSec peers. Oakley and SKEME have five defined key groups. Of these groups,
Cisco routers support Group 1 (768-bit key), Group 2 (1024-bit key), and Group 5 (1536-bit key) [12].
To implement a VPN solution with encryption, it is necessary to periodically change the encryption keys.
Failure to change these keys makes the network susceptible to brute-force attacks. IPsec solves the
problem of susceptibility with the Internet Key Exchange (IKE) protocol, which uses two other protocols
to authenticate a peer and generate keys. The IKE protocol uses the DH key exchange to generate
symmetrical keys to be used by two IPsec peers. IKE also manages the negotiation of other security
Negotiation of SA characteristics
SKEME: a key exchange protocol that defines how to derive authenticated keying material with
rapid key refreshment.
OAKLEY: a key exchange protocol that defines how to acquire authenticated keying material. The
basic mechanism for OAKLEY is the DH key exchange algorithm [17].
IKE automatically negotiates IPSec SAs and enables IPSec secure communications without costly manual
pre-configuration. An alternative to using IKE is to manually configure all parameters required to
establish a secure IPSec connection. This process is impractical because it does not scale [16].
Eliminates the need to manually specify all of the IPSec security parameters at both peers.
Allows specification of a lifetime for the IPSec Security Association (SA).
Permits certification authority (CA) support for a manageable, scalable IPSec implementation.
IX. METHODOLOGY
The method adopted in this paper is the structural design and simulation of a GRE tunnel network.
Graphical Network Simulator (GNS3) software was used to simulate the network with Cisco routers
running the original Internetwork Operating System (IOS). GNS3 is software used to simulate complex,
advanced networks; network device configuration and penetration testing can be carried out in
GNS3. The routers used in the simulation are Cisco routers. Comparative analysis and penetration testing
were done to check the security level of GRE tunnels. The Wireshark network protocol analyzer was used
to capture traffic traversing the Service Provider's network for further analysis and interpretation.
The following is a description of the methods used to simulate the tunnel.
X.
In the simulated virtual lab, a site-to-site GRE tunnel VPN was configured. Once configured, the VPN
traffic between the interfaces of Router 1 and Router 2 will be captured using Wireshark for further
processing and analysis. Each of the simulated networks connects to an Internet Service Provider
(ISP). The Internet Service Provider only provides an internet subscription to the client (institution). The
simulated network will provide institutional connectivity to remote sites over the internet. A study of
Service Providers' network architectural design outlined certain configuration parameters which allow
internet subscription by the client and other IP services hosted by the Service Provider. In the process,
the architectural designs of Service Providers were simulated to allow connectivity to the client. Figure 7
illustrates the simulated topology used to model the network architecture. The ISP has two
routers (ISP1 and ISP2). ISP1 connects router 1 and ISP2 connects router 2. Routers 1 and 2 are
considered the edge routers and clients of the ISP. The ISP has a serial connection from ISP1 to
ISP2. ISP1 connects its edge router through a Fast Ethernet 0/0 interface and ISP2 connects its edge
router through a Fast Ethernet 0/0 interface. The ISP provides only internet access to routers 1 and 2 (edge
devices). A virtual cloud adaptor from figure 2 was used to virtualize the physical interface of a laptop
A loopback interface and a tunnel interface were configured on router 1 and router 2, in addition to the Fast
Ethernet and serial interfaces. Fast Ethernet 0/0 on router 1 was configured with the IP address 200.1.1.1 and a subnet
mask of 255.255.255.0. The IP address configured on Fast Ethernet 0/0 is the outbound interface connected
to the service provider (ISP1) for internet access. Loopback interface 0 was configured with the IP
address 1.1.1.1 and a subnet mask of 255.255.255.0. The loopback interface represents all internal hosts
connected to router 1.
Router 2 was configured with the same parameters. The loopback interface was assigned the IP
2.2.2.2 and a subnet mask of 255.255.255.0. Fast Ethernet 0/0 connects to the Internet Service Provider (ISP2)
for internet access. Fast Ethernet 0/0 was assigned the IP 200.1.2.2 and a subnet mask of 255.255.255.0. A
no shutdown command was issued on each configured interface to activate it.
A tunnel interface (tunnel 0) on router 1 and router 2, which will be used to transport GRE packets between
router 1 and router 2, was configured with the IP 12.12.12.1 and 12.12.12.2 respectively. Tunnel 0 was
bound to the physical interface Fast Ethernet 0/0 so that packets flow through the physical
interface connected to the Internet Service Provider (ISP). The commands tunnel source 20.1.1.1 and
tunnel destination 200.1.2.2 were issued on both routers to connect the tunnel (tunnel 0) interface to the
physical interface that transports packets to the ISP. Tunnel 0 on router 1 and router 2 will be
the transport medium that forwards all VPN traffic through the ISP's network.
The ISP (Internet Service Provider) network, as shown in figure 14, was simulated with two routers, ISP1 and
ISP2. ISP1 has two interfaces, interface fastethernet 0/0 and interface serial 1/0. Interface fastethernet
router eigrp 1
network 10.0.0.0
network 12.0.0.0
network 192.168.0.0
The command router eigrp 1 enables and activates Enhanced Interior Gateway Routing Protocol (EIGRP)
under one (1) Autonomous System on router 1; the commands network 10.0.0.0, network 12.0.0.0 and
network 192.168.0.0 advertise the networks directly connected to router 1 to the ISP1 network.
router eigrp 1
network 12.0.0.0
network 2.0.0.0
network 192.168.0.0
The command router eigrp 1 enables and activates Enhanced Interior Gateway Routing Protocol under
one (1) Autonomous System on router 2; the commands network 12.0.0.0, network 2.0.0.0 and network 192.168.0.0
advertise the networks directly connected to router 2 to the ISP2 network. Configuring the autonomous
system places EIGRP under one administrative control.
Configuring Routing Protocol On ISP Routers.
The simulated network has two routers which establish connectivity to both clients (router 1 and router
2). Routing Information Protocol version 2 (RIPv2) was configured on the ISP routers. This enables the
ISP routers to receive network advertisements from the router 1 and router 2 networks. The ISP1 router has two main
IKE phase 2 is configured using the IPSec transform set. The IPSec transform set is another crypto
configuration parameter that routers negotiate to form a security association. Routers compare their
transform sets with those of the remote peer until they find a transform set that matches exactly.
Configuration of the Interesting Traffic
Now that most of the encryption settings are configured, extended access lists were defined to tell the
router which traffic to encrypt. As with other access lists used to define interesting traffic rather than
to filter packets, permit and deny do not have the usual meaning of a filtering access list. A packet that is
permitted by an access list used for defining IPSec traffic will be encrypted if the IPSec session is
configured correctly. A packet that is denied by one of these access lists will not be dropped; it will be
sent unencrypted. Also, like any other access list, there is an implicit deny at the end, which in this case
means the default action is not to encrypt traffic. If no IPSec security association is correctly
configured, then no traffic will be encrypted, but traffic will still be forwarded unencrypted. Router 1
and router 2 were configured with the following commands:
R1(config)# ip access-list extended KNUST
R1(config-ext-nacl)# permit ip 12.12.0.0 0.0.255.255 12.12.0.0 0.0.255.255
R2(config)# ip access-list extended KNUST
R2(config-ext-nacl)# permit ip 12.12.0.0 0.0.255.255 12.12.0.0 0.0.255.255
In this configuration, the traffic I want to be encrypted is the GRE tunnel traffic, which was configured
with the IP address 12.12.12.0/24. The access list was configured with the name KNUST to allow only traffic
going through GRE tunnel 0 to be encrypted with IPSec.
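As an added example, not part of the paper or its router configuration, the following Python evaluates the KNUST access list with the crypto-map semantics described above (permit encrypts; deny or the implicit deny forwards in the clear) beside ordinary filtering semantics, using the paper's own addresses. The function names are my own.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care' about that bit of the address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line):
    """Parse 'permit|deny ip SRC SRC-WILDCARD DST DST-WILDCARD' (the form used above)."""
    action, proto, src, swc, dst, dwc = line.split()
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line}")
    return action, (src, swc), (dst, dwc)


def first_match(acl, src, dst):
    """Return the action of the first matching entry, or None for the implicit deny."""
    for action, (s, swc), (d, dwc) in map(parse_ace, acl):
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return None


def crypto_acl_decision(acl, src, dst):
    """Crypto-map ACL: permit -> encrypt; deny or implicit deny -> forward in the clear."""
    return "encrypt" if first_match(acl, src, dst) == "permit" else "clear"


def filter_acl_decision(acl, src, dst):
    """Ordinary interface ACL, for contrast: permit -> forward; deny or no match -> drop."""
    return "forward" if first_match(acl, src, dst) == "permit" else "drop"


# The paper's KNUST access list: encrypt only what flows between tunnel addresses.
KNUST = ["permit ip 12.12.0.0 0.0.255.255 12.12.0.0 0.0.255.255"]

if __name__ == "__main__":
    for src, dst in (("12.12.12.1", "12.12.12.2"), ("200.1.1.1", "200.1.2.2")):
        print(src, "->", dst, "crypto:", crypto_acl_decision(KNUST, src, dst),
              "filter:", filter_acl_decision(KNUST, src, dst))
```

A flow that the crypto ACL does not match is still forwarded, so a misplaced deny or a typo in the wildcard mask silently sends that traffic in plaintext rather than failing closed.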
Configuration And Application of Crypto Map
Router 1 and router 2 were configured with the following commands:
R1(config)# crypto map VPN_MAP 15 ipsec-isakmp
R1(config-crypto-map)# set peer 200.1.2.2
R1(config-crypto-map)# match address KNUST
R1(config-crypto-map)# set transform-set LAB
R1(config-crypto-map)# set security-association lifetime seconds 900
R2(config)# crypto map VPN_MAP 15 ipsec-isakmp
R2(config-crypto-map)# set peer 200.1.1.1
R2(config-crypto-map)# match address KNUST
R2(config-crypto-map)# set transform-set LAB
R2(config-crypto-map)# set security-association lifetime seconds 900
A crypto map is a mapping that associates traffic matching an access list (like the one I created earlier) to
a peer and various IKE and IPsec settings. Crypto maps can have multiple map statements, so you can
have traffic that matches a certain access list being encrypted and sent to one IPsec peer, and have other
traffic that matches a different access list being encrypted towards a different peer. After a crypto map is
created, it can be applied to one or more interfaces. The interface(s) that it is applied to should be the
The interface that needs to be secured is the GRE tunnel interface. The crypto map was applied to
the tunnel (tunnel 0) interface to secure traffic from router 1 through the ISP's network to router 2. Routers 1
and 2 were configured with the following commands:
R1(config)# interface tunnel 0
R1(config-if)# crypto map VPN_MAP
R2(config)# interface tunnel 0
R2(config-if)# crypto map VPN_MAP
XIII.
Wireshark was used to capture traffic between the clients connected to router one (1) through the ISP's
network. The session highlighted in green depicts packets sent from a source tunnel network with the IP
address 200.1.2.2 to a destination network 200.1.1.1, secured by the Encapsulating Security
Payload (ESP). The session highlighted in red is the interior routing protocol configured on the ISP
network to exchange hello packets among the routers for best-path selection. Any conversation
between the two routers through the tunnel network traversing the ISP's network cannot be seen or
intercepted by a third party. ESP packets are the only packets being exchanged on the ISP's network. ESP
encapsulates all TCP packets before transporting them through the tunnel network (tunnel 0).
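As an added example, not code from the paper, the following Python builds two constructed packets on the paper's addresses, a bare GRE packet carrying a tunnel key and a GRE packet carried inside ESP, and reports what an on-path observer such as the ISP can read from each: for plain GRE the key, the inner source and destination and the payload are all visible (the limitation noted in section II), while for ESP only the outer addresses, SPI and sequence number are. The ESP ciphertext is a constructed stand-in rather than real encryption, and all function names are my own.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 6, 47, 50
IPV4_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet; the header checksum is left at 0 for brevity."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def gre(payload, proto_type=0x0800, key=None):
    """GRE header per RFC 2784, plus the optional Key field (the IOS 'tunnel key')."""
    flags = 0x2000 if key is not None else 0
    hdr = struct.pack("!HH", flags, proto_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def esp(spi, seq, ciphertext):
    """ESP per RFC 2406: only the SPI and sequence number travel in the clear."""
    return struct.pack("!II", spi, seq) + ciphertext


def observe(packet):
    """Everything an on-path observer (the ISP) can read from one packet without keys."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    body = packet[(ver_ihl & 0x0F) * 4:total]
    seen = {"outer": (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))),
            "proto": proto}
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        off = 4 + (4 if flags & 0x8000 else 0)  # skip Checksum/Reserved1 when C is set
        if flags & 0x2000:                        # Key present: readable by anyone on path
            seen["gre_key"] = struct.unpack("!I", body[off:off + 4])[0]
            off += 4
        if flags & 0x1000:                        # Sequence Number present
            off += 4
        if ptype == 0x0800:                       # inner IPv4 header is plaintext too
            inner = struct.unpack(IPV4_FMT, body[off:off + 20])
            seen["inner"] = (str(ipaddress.IPv4Address(inner[8])),
                             str(ipaddress.IPv4Address(inner[9])))
            seen["inner_proto"] = inner[6]
            seen["inner_payload"] = body[off + 20:]
    elif proto == IPPROTO_ESP:
        seen["spi"], seen["esp_seq"] = struct.unpack("!II", body[:8])
        seen["opaque_bytes"] = len(body) - 8       # the encrypted GRE packet: unreadable
    return seen


# Constructed sample traffic on the paper's addresses: loopback 1.1.1.1 -> 2.2.2.2 carried by
# the tunnel between the outside interfaces 200.1.1.1 and 200.1.2.2. The inner packet holds
# placeholder application bytes directly after the IP header (no TCP header is built).
INNER = ipv4("1.1.1.1", "2.2.2.2", IPPROTO_TCP, b"GET / HTTP/1.1\r\n")
PLAIN_GRE = ipv4("200.1.1.1", "200.1.2.2", IPPROTO_GRE, gre(INNER, key=0xC0FFEE))
# Stand-in for the ESP ciphertext of that GRE packet: constructed bytes, not real encryption.
CIPHERTEXT = bytes((i * 37 + 11) & 0xFF for i in range(len(INNER) + 8 + 12))
GRE_OVER_ESP = ipv4("200.1.1.1", "200.1.2.2", IPPROTO_ESP, esp(0x1000, 1, CIPHERTEXT))

if __name__ == "__main__":
    for name, pkt in (("GRE only", PLAIN_GRE), ("GRE over IPSec (ESP)", GRE_OVER_ESP)):
        print(name, observe(pkt))
```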
GRE over IPSec VPN technology can further be used to establish network connectivity instead
of establishing a wide-area connection through a satellite medium or outsourcing it to service providers.
Internet Protocol Security (IPSec) VPN (Virtual Private Network) mainly supports unicast traffic, but the
simulated study in this paper showed that multicast traffic can operate securely over a Generic
Routing Encapsulation (GRE) tunnel network when secured with Internet Protocol Security (IPSec). HTTP
and any other TCP packets can securely be sent through a secured VPN tunnel without the service
provider knowing the type of packets being sent across its network, because the service provider only
sees Encapsulating Security Payload (ESP) packets on its network and not the content of the ESP packets
traversing it.
[1] Hanks, S., Li, T., Farinacci, D., & Traina, P. (1994). Generic Routing Encapsulation over IPv4 networks. Cisco Systems, October 1994, RFC 1702.
[2] Hanks, S., Li, T., Farinacci, D., & Traina, P. (2000). Generic Routing Encapsulation over IPv4 networks. Juniper Networks, March 2000, RFC 2784.
[3] Farinacci, D., Traina, P., Hanks, S., & Li, T. (1994). Generic routing encapsulation (GRE). Retrieved from http://xml2rfc.tools.ietf.org/html/rfc1701.
[4] Christian, P. (2001). Generic Routing Encapsulation over CLNS Networks. RFC 3147, July 2001. Retrieved from http://www.hjp.at/doc/rfc/rfc3147.html.
[5] Kent, S., & Atkinson, R. (1998). Security architecture for the internet protocol. Retrieved from http://www.hjp.at/doc/rfc/rfc2401.html.
[6] Madson, C., & Glenn, R. (1998). The use of HMAC-MD5-96 within ESP and AH. Retrieved from http://tools.ietf.org/html/rfc2403.
[7] Karn, P., Simpson, W. A., & Metzger, P. (1995). The ESP DES-CBC transform. Retrieved from http://tools.ietf.org/html/rfc1829.
[8] Atkinson, R., & Kent, S. (1998). IP encapsulating security payload (ESP). Retrieved from http://tools.ietf.org/html/rfc2406.
[9] IP authentication header, retrieved from
[10] Working Group, 68, retrieved from
[13] Harkins, D., & Carrel, D. (1998). The internet key exchange (IKE). RFC 2409, November 1998. ISO/IEC 17799 (2005). Information technology -- Security techniques -- Code of practice for information security management.
[14] Yang, W., Li, C. D., Chang, G. R., Yao, Y., & Shen, X. M. (2011). The Effect of P2P-Based Work Propagation in an IPv6 Internet. Procedia Engineering, 15, 3637-3641.
[15] Matthews, G. A., & Feinstein, B. S. (2007). The Intrusion Detection Exchange Protocol (IDXP). Retrieved from http://tools.ietf.org/html/rfc4767.
[17] Orman, H. (1998). The OAKLEY Key Determination Protocol. Department of Computer Science, University of Arizona, November 1998, RFC 2412.