Tunneling

Friday, June 11, 2010

Tunneling is a way in which data is transferred between two networks securely. All the data that is being transferred are fragmented into smaller packets or frames and then passed through the tunnel. This process is different from a normal data transfer between nodes. Every frame passing through the tunnel will be encrypted with an additional layer of tunneling encryption and encapsulation which is also used for routing the packets to the right direction. This encapsulation would then be reverted at the destination with decryption of data which is later sent to the desired destined node.

A tunnel is a logical path between the source and the destination endpoints between two networks. Every packet is encapsulated at the source will be de-capsulated at the destination. This process will keep happening as long as the logical tunnel is persistent between the two endpoints.

Tunneling Protocols

The Windows Server 2003 family supports the following tunneling protocols for secure communication:

  • Point-to-Point Tunneling Protocol (PPTP)
    • PPTP employs user-level PPP authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.
    • PPTP uses TCP1723 and Protocol 47 (GRE).
    • PPTP uses only NTLM authentication.
    • PPTP provides 56 bit or 128 bit Microsoft Point-to-Point Encryption (MPPE).
  • Layer Two Tunneling Protocol (L2TP)
    • L2TP is an industry-standard Internet tunneling protocol with roughly the same functionality as the Point-to-Point Tunneling Protocol (PPTP). Based on the Layer Two Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP) specifications, you can use L2TP to set up tunnels across intervening networks. Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP) frames, which then encapsulate IP or IPX protocols, allowing users to remotely run programs that are dependent on specific network protocols.
    • L2TP uses the UDP 1701.
    • L2TP does not provide any encryption by itself.
  • L2TP with Internet Protocol security (L2TP/IPSec)
    • L2TP/IPSec employs user-level PPP authentication methods over a connection that is encrypted with IPSec. IPSec requires host authentication using either the Kerberos protocol, shared secret or computer-level certificates.
    • L2TP with IPSec uses UDP 500 = ISAKMP, Protocol 50 = Encapsulated Security Payload (ESP) and possibly Protocol 51 = Authentication Header (AH).
    • L2TP/IPSec uses both Mutual authentication and NTLM authentication.
    • IPSec provides DES (56 bit) and 3DES (168 bit) encryption.

How Tunneling Works

As we know VPN connection are of two type, PPTP (Point-to-Point tunneling protocol) and L2TP (Layer 2 tunneling protocol). Both PPTP and L2TP tunnels are nothing but local sessions between two different endpoints. Incase they have to communicate then the tunneling type must be negotiated between the endpoint, either PPTP or L2TP and then more configurable parameters like encryption, address assignment, compression etc must be configured in order to get the best possible security over the internet based private logical tunnel communication. This communication is created, maintained and terminated using a tunnel management protocol.

Data can be sent once the tunnel is in place and clients or server can use the same tunnel to send and receive data across the internetwork. The data transfer depends upon the tunneling protocols being used for the transfer. For example, whenever the client wants to send data or payload (the packets containing data) to the tunneling server, the tunnel server adds a header to each packet. This header packet contains the routing information which informs the packet about the destination across the internetwork communication. Once the payload is received at the destination, the header information is verified. After which destination tunnel server sends the packet to the destined node or client or server.

Point-to-Point Protocol (PPP)

It is very obvious that the PPTP and L2TP protocoasl arefully dependent upon PPP connection and it is very much important to understand and examine PPP a little more closely. Initially PPP was designed to work with only dial-up connections or dedicated connections. If the data transfer is happening over PPP connection, then the packets going over PPP are encapsulated within PPP frames and then send across or transmitted over to the destination dial-up or PPP server.

There are four distinct phases of negotiation in a PPP connection. Each of these four phases must complete successfully before the PPP connection is ready to transfer user data.

  • Phase 1: PPP Link Establishment First step is where PPP uses the LCP or Link Control Protocol to connect to the destination network. Apart from establishing the connection, LCP is also responsible for maintaining and terminating the connection too. Take for example, during this phase 1, LCP connects to the destination and prepares the authentication protocol which will be used in phase 2. Next step would be to negotiate and find out if these two nodes in a PPP connection would agree on any compression or encryption algorithm. If the answer is yes then the same is be implemented in Phase 4.
  • Phase 2: A User Authentication Second step is where the user credentials are sent to the remote destination for authentication. There are different secure authentication program. The secure method of authentication must be used to safeguard the user credentials. If you are using PAP (password Authentication Protocol) for authorizing user credential, the user information is passed in plain clear text which can be captured easily. This is the only time when the user must take utmost care in handling his/her credential from any theft. If for any reason these credentials were captured by the intruder, and then once the user connection is authenticate, the intruder will traps the communication, disconnect the original user and takes control of the connection.
  • Phase 3: PPP Callback Control The Microsoft implementation of PPP includes an optional callback control phase. This phase uses the Callback Control Protocol (CBCP) immediately after the authentication phase. If configured for callback, both the remote client and NAS disconnect after authentication. The NAS then calls the remote client back at a specified phone number. This provides an additional level of security to dial-up connections. The NAS allows connections from remote clients physically residing at specific phone numbers only. Callback is only used for dial-up connections, not for VPN connections.
  • Phase 4: Invoking Network Layer Protocol(s) Once the previous phases have been completed, PPP invokes the various network control protocols (NCPs) that were selected during the link establishment phase (Phase 1) to configure protocols used by the remote client. For example, during this phase, IPCP is used to assign a dynamic address to the PPP client. In the Microsoft implementation of PPP, the Compression Control Protocol (CCP) is used to negotiate both data compression (using MPPC) and data encryption (using MPPE).

Data-Transfer

Once the four phases of PPP negotiation have been completed, PPP begins to forward data to and from the two peers. Each transmitted data packet is wrapped in a PPP header that is removed by the receiving system. If data compression was selected in phase 1 and negotiated in phase 4, data is compressed before transmission. If data encryption is selected and negotiated, data is encrypted before transmission. If both encryption and compression are negotiated, the data is compressed first, and then encrypted.

Point-to-Point Tunneling Protocol (PPTP)

PPTP encapsulates PPP frames in IP datagram for transmission over an IP internetwork, such as the Internet. PPTP can be used for remote access and router-to-router VPN connections.

PPTP or Point-to-Point tunneling protocol works over TCP port which is also used for tunnel management and GRE or Generic Routing Encapsulation protocol to encapsulat any PPP frames which will later be used in sending data through the tunnel. Compression or encryption will depend on the tunnel configuration.

Layer Two Tunneling Protocol (L2TP)

L2TP was first proposed by Cisco Systems Inc which used a combination Layer 2 Forwarding (L2F) with PPTP. The IP frames can be encapsulated by L2TP to be sent over X.25, FR (Frame Relay), ATM (Asynchronous Transfer Mode) networks. And L2TP based IP tunnel over the internet is the safest way of data transfer today which uses the compression and/or encryption as required to protect the data from intruders.