GRE Tunneling over IPsec
Generic routing encapsulation (GRE) tunnels have been around for quite some time. GRE was first developed by Cisco as a means to carry other routed protocols across a predominantly IP network. Some network administrators tried to reduce the administrative overhead in the core of their networks by removing all protocols except IP as a transport. As such, non-IP protocols such as IPX and AppleTalk were tunneled through the IP core via GRE. GRE adds a new GRE header to the existing packet. This concept is similar to IPsec tunnel mode. The original packet is carried through the IP network, and only the new outer header is used for forwarding. Once the GRE packet reaches the end of the GRE tunnel, the external header is removed, and the internal packet is again exposed.

Today, multiprotocol networks have mostly disappeared. It is difficult to find traces of the various protocols that used to be abundant throughout enterprise and core infrastructures. In a pure IP network, GRE was initially seen as a useless legacy protocol. But the growth of IPsec saw a rebirth in the use of GRE in IP networks. This chapter talks about the use of GRE in an IPsec environment.

“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 15-question quiz, derived from the major sections in the “Foundation Topics” portion of the chapter, helps you to determine how to spend your limited study time. Table 14-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 14-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section             Questions Covered in This Section   Score
GRE Characteristics                   1
GRE Header                            2
Basic GRE Configuration               3
Secure GRE Tunnels                    4–5
Configure GRE over IPsec Using SDM    6–15
Total Score

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of self-assessment. Giving yourself credit for an answer that you correctly guess skews your self-assessment results and might provide you with a false sense of security.

150x01x.book Page 327 Monday, June 18, 2007 8:52 AM 328 Chapter 14: GRE Tunneling over IPsec

1. What is the minimum amount of additional header that GRE adds to a packet?
   a. 16 bytes
   b. 20 bytes
   c. 24 bytes
   d. 36 bytes
   e. 48 bytes

2. Which of the following are valid options in a GRE header (select all that apply)?
   a. GRE Header Length
   b. Checksum Present
   c. Key Present
   d. External Encryption
   e. Protocol

3. What is the purpose of a GRE tunnel interface?
   a. It is always the tunnel source interface.
   b. It is always the tunnel destination interface.
   c. It is where the protocol that travels through the tunnel is configured.
   d. It is the interface that maps to the physical tunnel port.
   e. It is not used today.

4. When IPsec transport mode is used, how many IP headers are found in the GRE over IPsec packet?
   a. One—the original IP header is replicated when needed.
   b. Two—the original IP header and the GRE IP header.
   c. Two—the original IP header and the IPsec IP header.
   d. Three—the original IP header, the GRE IP header, and the IPsec IP header.
   e. Four—the original IP header, the GRE IP header, the IPsec IP header, and the outer IP header.

5. What feature does GRE introduce that cannot be accomplished with normal IPsec?
   a. GRE increases the packet size so that the minimum packet size is easily met.
   b. GRE adds robust encryption to protect the inner packet.
   c. GRE requires packet sequencing so that out-of-order packets can be reassembled correctly.
   d. GRE adds an additional IP header to further confuse packet-snooping devices.
   e. GRE permits dynamic routing between end sites.

6. What are the basic components within the Secure GRE Wizard (select all that apply)?
   a. Router interface configuration
   b. GRE tunnel configuration
   c. IPsec parameters configuration
   d. Router authentication configuration
   e. Routing protocols configuration

7. What is the IP address inside of the GRE tunnel used for?
   a. The GRE tunnel peering point.
   b. The IPsec tunnel peering point.
   c. The routing protocols peering point.
   d. The management interface of the router.
   e. There is no IP address inside of the GRE tunnel.

8. Which option must be configured if a backup secure GRE tunnel is configured?
   a. Source interface
   b. Source IP address
   c. Destination interface
   d. Destination IP address
   e. Destination router name

9. What methods are available for VPN authentication when used with a GRE tunnel (select all that apply)?
   a. Digital certificates
   b. Pre-shared keys
   c. Biometrics
   d. OTP
   e. KMA

10. When creating/selecting an IKE proposal, what does the Priority number indicate?
   a. The Priority number is a sequence number.
   b. The Priority number determines the encryption algorithm.
   c. The Priority number helps determine the authentication method.
   d. The Priority number is related to the Diffie-Hellman group.
   e. The Priority number is necessary to select the hash algorithm.

11. How are IPsec transform sets used in the Secure GRE Wizard?
   a. There must be a unique IPsec transform set for each VPN peer.
   b. There must be a unique IPsec transform set for each GRE tunnel.
   c. The two ends of a VPN must use the same IPsec transform set.
   d. The same IPsec transform set can be used for all VPN peers.
   e. Site-to-site IPsec VPN transform sets cannot be used for GRE over IPsec VPNs.

12. Which dynamic routing protocols can be configured in the GRE over IPsec tunnel (select all that apply)?
   a. RIP
   b. OSPF
   c. EIGRP
   d. BGP
   e. Static

13. Which routing options are appropriate when using both a primary and a backup GRE tunnel (select all that apply)?
   a. RIP
   b. OSPF
   c. EIGRP
   d. BGP
   e. Static
Foundation Topics

GRE Characteristics
The initial power of GRE was that anything could be encapsulated into it. The primary use of GRE was to carry non-IP packets through an IP network; however, GRE was also used to carry IP packets through an IP cloud. Used this way, the original IP header is buried inside of the GRE header and hidden from prying eyes. The generic characteristics of a GRE tunnel are as follows:

■ A GRE tunnel is similar to an IPsec tunnel because the original packet is wrapped inside of an outer shell.
■ GRE is stateless, and offers no flow control mechanisms.
■ GRE adds at least 24 bytes of overhead, including the new 20-byte IP header.
■ GRE is multiprotocol and can tunnel any OSI Layer 3 protocol.
■ GRE permits routing protocols to travel through the tunnel.
■ GRE was needed to carry IP multicast traffic until Cisco IOS Software Release 12.4(4)T.
■ GRE has relatively weak security features.

The GRE tunnel itself is similar to an IPsec tunnel. The tunnel has two endpoints. Traffic enters one end of the tunnel and exits the other end. While in the tunnel, routers use the new outer header only to forward the packets.

The GRE tunnel is stateless. Unlike an IPsec tunnel, the endpoints do not coordinate any parameters before sending traffic through the tunnel. As long as the tunnel destination is routable, traffic can flow through it. Also, by default, GRE provides no reliability or sequencing. Such features are typically handled by upper-layer protocols.

GRE tunnels offer minimal security, whereas IPsec offers security by means of confidentiality, data authentication, and integrity assurance. GRE has a basic encryption mechanism, but the key is carried along with the packet, which somewhat defeats the purpose.

GRE does add an additional 24-byte header of overhead. This overhead contains a new 20-byte IP header, which indicates the source and destination IP addresses of the GRE tunnel. The remaining 4 bytes are the GRE header itself. Additional GRE options can increase the GRE header by up to another 12 bytes.

It is important to note that the larger packet size caused by the additional headers can have a detrimental effect on network performance. Because the additional headers are dynamically added, most users believe that nothing “bad” can happen as a result. If a packet is larger than the interface maximum transmission unit (MTU) permits, the router must fragment the packet into smaller pieces to fit. This fragmentation effort can add significant CPU overhead to a router, which can affect all packet forwarding.

GRE is a simple yet powerful tunneling tool. It can tunnel any OSI Layer 3 protocol over IP. As such, it is basically a point-to-point private connection. A private connection between two endpoints is the basic definition of a VPN. Unlike IPsec, GRE permits routing protocols (such as OSPF and EIGRP) across the connection. This is not the case with typical IPsec tunnels. IPsec tunnels can send IP packets, but not routing protocols. Before the IP packets can travel through the IPsec tunnel, however, static routes are necessary on each IPsec endpoint for routing awareness of the opposite end. This additional configuration overhead does not scale well with a large number of IPsec tunnels.

Until Cisco IOS Software Release 12.4(4)T, IP multicast had to be sent over GRE. Prior to this IOS release, IPsec could not carry IP multicast traffic. Even though IOS 12.4(4)T now supports IP multicast traffic, GRE over IPsec still must be used to carry dynamic routing protocols.

GRE does not have any strong security features. The header provides an optional, albeit weak, security key mechanism. As a result, no strong confidentiality, data source authentication, or data integrity mechanisms exist in GRE. However, IPsec provides confidentiality (DES, 3DES, or AES), and source authentication and data integrity with MD5 or SHA-1 HMACs. Thus, a GRE tunnel, which carries multicast and routing traffic, can be sent through an IPsec tunnel for enhanced security.
GRE Header
The GRE header itself contains 4 bytes, which represent the minimum size of a GRE header with no added options. The first pair of bytes (bits 0 through 15) contains the flags that indicate the presence of GRE options. Such options, if active, add additional overhead to the GRE header. The second pair of bytes is the protocol field and indicates the type of data that is carried in the GRE tunnel. Table 14-2 describes the GRE header options.

The Checksum Present option (bit 0) adds an optional 4-byte checksum field to the GRE header. This checksum appears after the protocol field in the GRE header only if the Checksum Present bit is set. Normally, this option is not needed because other upper-layer protocols provide checksum capabilities to detect packet corruption.

The Key Present option (bit 2) adds an optional 4-byte key field to the GRE header. This clear-text key follows the checksum field. The key is used to provide basic authentication where each GRE endpoint has the key. However, the key itself is exposed in the GRE header. Due to this vulnerability, GRE encryption is not typically used. However, the key value can be used to uniquely identify multiple tunnels between two endpoints. This would be similar to an IPsec SPI.

The Sequence Number option (bit 3) adds an optional 4-byte sequence number field to the GRE header. This sequence value follows the key option. This option is used to properly sequence GRE packets upon arrival. Similar to the checksum option, this is not typically used because upper-layer protocols also offer this functionality.

Bits 13–15 indicate the GRE version number. 0 represents basic GRE, while 1 shows that the Point-to-Point Tunneling Protocol (PPTP) is used. PPTP is not covered in this book.

The second 2 bytes of the GRE header represent the Protocol field. These 16 bits identify the type of packet that is carried inside the GRE tunnel. Ethertype 0x0800 indicates IP. Figure 14-1 shows a GRE packet with all options present added to an IP header and data.
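As an added example, not code from the book: the following Python builds and parses the GRE header described in this section (Checksum Present, Key Present, Sequence Number Present, version bits, Protocol field), verifies the optional checksum, and reports the encapsulation overhead discussed under GRE Characteristics (the new 20-byte outer IP header plus the 4- to 16-byte GRE header) so you can see when an inner packet would exceed an interface MTU after encapsulation. The sample inner IPv4 packet, key, and sequence values are constructed for the example; the IPsec headers that would wrap the GRE packet are not modeled.

```python
import struct

# Flag bits in the first 16-bit word of the GRE header (bit 0 is the most
# significant bit, as in RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000   # bit 0: Checksum Present
GRE_FLAG_KEY      = 0x2000   # bit 2: Key Present
GRE_FLAG_SEQUENCE = 0x1000   # bit 3: Sequence Number Present
GRE_VERSION_MASK  = 0x0007   # bits 13-15: version (0 = GRE, 1 = PPTP)

ETHERTYPE_IPV4 = 0x0800      # Protocol field value for IP payload
OUTER_IPV4_HEADER_LEN = 20   # new delivery IP header placed in front of GRE


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over 16-bit words, as GRE uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, protocol: int = ETHERTYPE_IPV4,
              key=None, seq=None, checksum: bool = False) -> bytes:
    """Prepend a GRE header (plus any requested optional fields) to payload."""
    flags = 0
    optional = b""
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY          # key travels in clear text
        optional += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_SEQUENCE
        optional += struct.pack("!I", seq)
    base = struct.pack("!HH", flags, protocol)
    if checksum:
        # Checksum covers the whole GRE header (checksum field zeroed) + payload;
        # the 2 bytes after the checksum are Reserved1 and must be zero.
        cs = ones_complement_checksum(base + b"\x00" * 4 + optional + payload)
        base += struct.pack("!HH", cs, 0)
    return base + optional + payload


def parse_gre(packet: bytes) -> dict:
    """Decode a GRE header; return its fields, header length and payload."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    version = flags & GRE_VERSION_MASK
    if version != 0:
        raise ValueError("not plain GRE (version %d)" % version)
    needed = 4 + sum(4 for f in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE)
                     if flags & f)
    if len(packet) < needed:
        raise ValueError("GRE options truncated")
    info = {"version": version, "protocol": protocol,
            "checksum": None, "checksum_ok": None, "key": None, "seq": None}
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        info["checksum"] = struct.unpack("!H", packet[offset:offset + 2])[0]
        offset += 4                    # checksum + Reserved1
    if flags & GRE_FLAG_KEY:
        info["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        info["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["header_len"] = offset
    info["payload"] = packet[offset:]
    if info["checksum"] is not None:
        # Recompute with the checksum field zeroed and compare.
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        info["checksum_ok"] = ones_complement_checksum(zeroed) == info["checksum"]
    return info


def gre_overhead(packet: bytes) -> int:
    """Bytes GRE adds to the original packet: outer IP header + GRE header."""
    return OUTER_IPV4_HEADER_LEN + parse_gre(packet)["header_len"]


def needs_fragmentation(inner_len: int, gre_header_len: int, mtu: int = 1500) -> bool:
    """True if the encapsulated packet would exceed the interface MTU."""
    return inner_len + OUTER_IPV4_HEADER_LEN + gre_header_len > mtu


# Constructed sample: a 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, UDP, IP
# checksum left at zero) followed by 8 bytes of payload.
SAMPLE_INNER = bytes.fromhex("4500001c00010000401100000a0000010a000002") + b"\x00" * 8
SAMPLE_PACKET = build_gre(SAMPLE_INNER, key=0x1234, seq=1, checksum=True)

if __name__ == "__main__":
    hdr = parse_gre(SAMPLE_PACKET)
    print("GRE header bytes:", hdr["header_len"], "total overhead:", gre_overhead(SAMPLE_PACKET))
    print("key:", hex(hdr["key"]), "seq:", hdr["seq"], "checksum ok:", hdr["checksum_ok"])
```

With all three options set the GRE header grows from 4 to 16 bytes, so the total overhead is 36 bytes instead of the 24-byte minimum; feed `needs_fragmentation` the inner packet length and that header length to see whether a 1500-byte MTU link will have to fragment.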