Performance Analysis on the Security of Generic Routing Encapsulation (GRE) over ISP's Network


International Journal of Advance Foundation and Research in Computer (IJAFRC), Volume 2, Issue 10, October 2015, ISSN 2348-4853

© 2015, IJAFRC. All Rights Reserved. www.ijafrc.org

Seth Alornyo (1) and Michael Asante (2)

(1) I.C.T. Directorate, Koforidua Polytechnic
(2) Computer Science Department, KNUST, Kumasi


customers who are not concerned about the internal tunneling architecture at the ISP end. Customers then have the flexibility to configure or reconfigure their IP architecture but still maintain connectivity. It creates a virtual point-to-point link to routers at remote points over an IP internetwork [1, 2].

II. GENERIC ROUTING ENCAPSULATION

Generic Routing Encapsulation (GRE) is a tunneling protocol defined in RFC 1702 and RFC 2784. It was originally developed by Cisco Systems for creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork [5, 6, 7]. GRE supports multiprotocol tunneling: it can encapsulate multiple protocol packet types inside an IP tunnel. Adding an additional GRE header between the payload and the tunneling IP header provides the multiprotocol functionality. IP tunneling using GRE enables network expansion by connecting multiprotocol sub-networks across a single-protocol backbone environment. GRE also supports IP multicast tunneling. Routing protocols that are used across the tunnel enable dynamic exchange of routing information in the virtual network [8, 9].

III. BASIC GRE IP HEADER CHARACTERISTICS

Figure 1 depicts the format of a GRE header in a network packet traversing a network. The GRE header is encapsulated in a payload found between the source and destination IP header. These payloads do not add any security protocol in the IP header, which renders the GRE packet an unsecured medium for communication [9, 10].

GRE flags: The GRE flags are encoded in the first two octets. Bit 0 is the most significant bit, and bit 15 is the least significant bit. Some of the GRE flags include the following:

Checksum Present (bit 0): If the Checksum Present bit is set to 1, the optional Checksum field is present in the GRE header.

Key Present (bit 2): If the Key Present bit is set to 1, the optional Key field is present in the GRE header.

Sequence Number Present (bit 3): If the Se


extended GRE headers also do not provide the security needed to secure data transmission [12, 13, 14].

Tunnel checksum: The tunnel checksum detects packet corruption. This option is not used often, because checksums are used on other layers in the protocol stack, typically to ensure the accuracy of the GRE packets.

Tunnel key: Can be used for two purposes. The tunnel key can be used for basic plaintext authentication of packets, in which only the two GRE endpoints share a secret number that enables the tunnel to operate properly. However, anyone in the packet path can easily see the key and be able to spoof tunnel packets. A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish between GRE packets belonging to different tunnels.

Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if the packets arrive in the correct order.

The main function of GRE is to provide powerful yet simple tunneling. GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. GRE also allows the use of routing protocols across the tunnel [11, 12, 13, 15, 16, 17]. The main limitation of GRE is that it lacks any security functionality. GRE only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses.

Figure 2: Extended GRE header (Adapted from Cisco Systems, 2010)

V. METHODOLOGY

The method adopted in this work is the structural design and simulation of a GRE tunnel network. GNS3 software was used to simulate the network with Cisco routers running the original Internetwork Operating System (IOS). Network device configuration and penetration testing can be carried out when using GNS3. Routers used in the simulation are Cisco routers. Comparative analysis and penetration testing were done to check the security level of GRE tunnels. The open source network protocol analyzer Wireshark [16] was used to capture traffic traversing the Service Provider network for further analysis and interpretation.

Simulated Virtual Lab

In the simulated virtual lab, a site-to-site GRE tunnel VPN was configured with Cisco routers running IOS (Internetwork Operating System) version 12.4. Once configured, the VPN traffic between the interfaces of Router 1 and Router 2 was captured using Wireshark for further processing and analysis. Each of the simulated networks connects to an Internet Service Provider (ISP). The Internet Service Provider only provides internet subscription to the client (institution). The simulated network will provide institutional connectivity to remote sites over the internet. A study into Service Providers' network architectural design outlined certain configuration parameters which allow internet subscription from clients and other IP services hosted by the Service Provider. This paper has simulated those architectural designs of Service Providers to allow connectivity to clients.

Figure 3 illustrates the simulated topology used to design the network infrastructure. The ISP has two routers (ISP1 and ISP2). ISP1 connects Router 1 and ISP2 connects Router 2. Router 1 and Router 2 are considered the edge routers and clients of the ISP. The ISP has a serial connection from ISP1 to ISP2. ISP1 connects its edge router through a FastEthernet 0/0 interface and ISP2 connects its edge router through a FastEthernet 0/0 interface. The ISP provides only internet access to Router 1 and Router 2 (edge devices). A virtual cloud adaptor from Figure 4 was used to virtualize the physical interface of a laptop network adaptor to a Loopback adaptor interface. This virtualization enabled a laptop adaptor to be part of the simulated network.

Figure 3: Simulated GRE tunnel network (Authors)

VI. CONFIGURATION OF THE NETWORK INTERFACE ADDRESSES (STEP ONE)

A loopback and a tunnel interface were configured on Router 1 and Router 2, together with the FastEthernet and serial interfaces. FastEthernet 0/0 on Router 1 was configured with the IP address 200.1.1.1 and a subnet mask 255.255.255.0. The IP address configured on FastEthernet 0/0 is the outbound interface connected to the service provider (ISP1) for internet access. Loopback interface 0 was configured with the IP address 1.1.1.1 and a subnet mask 255.255.255.0. The loopback interface represents all internal hosts connected to Router 1. Router 2 was also configured with the same parameters. Its loopback interface was assigned the IP 2.2.2.2 and a subnet mask 255.255.255.0. FastEthernet 0/0 connects to the Internet Service Provider (ISP2) for internet access and was assigned the IP 200.1.2.2 and a subnet mask 255.255.255.0. A "no shutdown" command was issued on each of the configured interfaces to activate them.

A tunnel interface (tunnel 0) on Router 1 and Router 2, which transports GRE packets between Router 1 and Router 2, was configured with the IP addresses 12.12.12.1 and 12.12.12.2 respectively. Tunnel 0 was bound to the physical interface FastEthernet 0/0 so that packet flow is carried through the physical interface connected to the Internet Service Provider (ISP). The command "tunnel source 20.1.1.1 and a tunnel destination 200.1.2.2" was issued on both routers to connect the tunnel (tunnel 0) interface to the physical interface that transports packets to the ISP. The configured tunnel 0 on Router 1 and Router 2 is the transport medium that forwards all VPN traffic through the ISP's network.

The ISP (Internet Service Provider) network, as shown in Figure 14, was simulated with two routers, ISP1 and ISP2. ISP1 has two interfaces, interface FastEthernet 0/0 and interface serial 1/0. Interface FastEthernet 0/0 connects Router 1 and interface serial 1/0 connects ISP2. FastEthernet 0/0 was configured on the ISP1 router with the IP address 200.1.1.2 and a subnet mask 255.255.255.0; interface serial 0/0 was also configured with the IP address 200.11.22.1 and subnet mask 255.255.255.25. Each configured interface was issued the command "no shutdown" to activate it. The ISP2 router has two interfaces, interface FastEthernet 0/0 and interface serial 1/0. Interface FastEthernet 0/0 connects Router 1 and serial 1/0 connects the ISP2 serial interface 1/0. Interface FastEthernet 0/0 was configured with the IP address 200.1.1.1 with a subnet mask 255.255.255.0, and interface serial 1/0 with the IP address 200.11.22.2, subnet 255.255.252. A "no shutdown" command was issued on each interface to activate it.

VII. CONFIGURATION OF ROUTING PROTOCOL ON CLIENT ROUTERS (STEP 2)

In order to maintain connectivity between remote networks, EIGRP was configured to route packets between all networks in the diagram. All connected subnets were added into the EIGRP autonomous system on every router. The commands on Router 1:

router eigrp 1
network 10.0.0.0
network 12.0.0.0
network 192.168.0.0

The command "router eigrp 1" enables and activates Enhanced Interior Gateway Routing Protocol (EIGRP) under one (1) Autonomous System on Router 1; the commands network 10.0.0.0, 12.0.0.0 and 192.168.0.0 advertise the networks directly connected to Router 1 to the ISP1 network. The commands on Router 2:

router eigrp 1
network 12.0.0.0
network 2.0.0.0
network 192.168.0.0

The command "router eigrp 1" enables and activates Enhanced Interior Gateway Routing Protocol under one (1) Autonomous System on Router 2; the commands network 12.0.0.0, 2.0.0.0 and 192.168.0.0 advertise the networks directly connected to Router 2 to the ISP2 network. Configuring an autonomous system places EIGRP under one administrative control.

VIII. CONFIGURING ROUTING PROTOCOL ON ISP ROUTERS (STEP 3)

The simulated network has two routers which establish connectivity to both clients (Router 1 and Router 2). Routing Information Protocol version 2 (RIPv2) was configured on the ISP's routers. This enables the ISP routers to receive network advertisements from the Router 1 and Router 2 networks. The ISP1 router has two main interfaces, interface FastEthernet 0/0 and interface serial 0/1. Interface FastEthernet 0/0 is directly connected to Router 1 and interface serial 0/1 is connected to the ISP2 network. The ISP1 router was configured with the commands:

router rip
version 2
network 200.1.1.0
network 200.11.22.0

The ISP2 router has two main interfaces, interface FastEthernet 0/0 and serial 0/1. Interface FastEthernet 0/0 connects Router 2 and interface serial 0/1 connects to the ISP2 network. The ISP2 router was configured with the commands:

router rip
version 2
network 200.1.2.0
network 200.11.22.0

Networks advertised on the ISP1 router are the networks connected to interface FastEthernet 0/0 towards Router 1 and interface serial 0/0 towards the ISP2 interface. Networks advertised on the ISP2 router are the networks connected to interface FastEthernet 0/0 towards Router 2 and interface serial 0/0 towards ISP1.

A ping command was issued from Router 1 to the various configured interfaces to verify that connectivity across the local subnets was reachable. All ping commands sent were successful. Step one (1) to step three (3) are the processes used to simulate the GRE tunnel from Router 1 through the ISP's network to Router 2.

IX. NETWORK INTERFACE MODES (INTERFACE OPERATION ON ROUTER ONE)

The command 'show ip interface brief' was issued on Router 1 and the output shown in Figure 4 was obtained. FastEthernet 0/0 with the IP address 200.1.1.1 connects to the ISP1 network, which shows that the interconnectivity between the client router and the service provider is active (up), while the protocol supporting the interface is also active (up). Interface tunnel 0, configured for Generic Routing Encapsulation (GRE), is also active (up).

Figure 4: Interface Configuration Operation (Authors)

Interface Configuration Operation on Router Two (2)

The command 'show ip interface brief' was issued on Router 2 (R2) and the output is shown in Figure 5. FastEthernet 0/0 with the IP address 200.1.1.2 connects to the ISP2 network, which shows that the interconnectivity between the client router and the service provider is active (up), while the protocol supporting the interface is also active (up). Interface tunnel 0, configured for Generic Routing Encapsulation (GRE), is also active (up). Clients connected to Router 1 can tunnel through (tunnel 0) the ISP's network to Router 2. Hence tunnel connectivity between Router 1 and Router 2 can be established through the tunnel interfaces.


Figure 5: Interface Configuration Operations (Authors)

X. TESTING ROUTING CONFIGURATIONS ON ISP'S ROUTERS

The command 'show ip route' was issued on the ISP1 router and the output is shown in Figure 6. The ISP1 router has the above configuration in its routing table: the public Internet Protocol (IP) network 200.11.22.0 is directly connected (C) to interface serial 0/0. Internet Protocol network 200.1.2.0 is also directly connected to the FastEthernet 0/0 interface. These directly connected interfaces indicate the interconnectivity between the client router and the ISP's network. Routing Information Protocol (R) advertises the 200.1.2.0 network through the serial 0/0 interface with an administrative distance of 120 and a metric value of 1 (120/1).

Figure: Routing Configuration Testing (Authors)

Routing Configuration Operation on ISP Two (2)

The command 'show ip route' was issued on the ISP2 router and the output is shown in Figure 9. The ISP2 router has the above configuration in its routing table: the public Internet Protocol (IP) network 200.11.22.0 is directly connected (C) to interface serial 1/0. Internet Protocol network 200.1.2.0 is also directly connected to the FastEthernet 0/0 interface. These directly connected interfaces indicate the interconnectivity between the client router and the ISP's network. Routing Information Protocol (R) advertises the 200.1.2.0 network through the serial 0/0 interface with an administrative distance of 120 and a metric value of 1 (120/1).


Figure 9: Routing Configuration Testing (Authors)

XI. RESULTS AND ANALYSIS

Figure 10: Captured Packets Over Simulated ISP Network (Authors)

Figure 11 also depicts a sample captured TCP session packet, which shows the raw conversation between the laptop and the web server over the tunnel network. Wireshark was used to capture and display the Transmission Control Protocol (TCP) session stream. The TCP session stream option in Wireshark enables packets to be displayed in a stream window, as shown in Figure 11. The stream window displays the whole packet conversation between the two endpoints. Samples of all web programming languages, such as HTML and PHP, are sent in clear text over the tunnel network.


Figure 11: Raw TCP Conversation on a Simulated GRE-VPN tunnel (Authors)

Figure 12 illustrates the Hypertext Transmission Protocol (HTTP) packets transmitted over the GRE-VPN tunnel across the ISP network. All packets sent were able to reach the destination tunnel; there was no packet loss during the transmission over the simulated tunnel network. Packet loss and system time-outs were not recorded in the simulated network. All HTTP packets sent were delivered and processed by the web server.

Figure 12: Wireshark HTTP Packet Counter Lifetime Over GRE-VPN Tunnel (Authors)
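The following is an added example, not code from the paper: it builds and parses the GRE header described in Section III (the C, K and S flag bits and the optional checksum, key and sequence fields), verifies the tunnel checksum, and then walks into the encapsulated IPv4/TCP payload to flag a cleartext HTTP request line, which is the condition the Wireshark captures in Figures 11 and 12 document. The sample packet, its addresses, ports and key value are constructed here and are not from the simulated lab.

```python
# Added example, not the paper's code: build/parse a GRE header (RFC 2784/2890),
# verify the tunnel checksum, and flag cleartext HTTP inside the tunnel payload.
import struct
from typing import Optional

GRE_PROTO_IPV4 = 0x0800  # Protocol Type value for an IPv4 payload


def ones_complement(data: bytes) -> int:
    """One's complement checksum, the algorithm used for the GRE Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = GRE_PROTO_IPV4, key: Optional[int] = None,
              seq: Optional[int] = None, checksum: bool = False) -> bytes:
    """Encapsulate payload; the C/K/S flag bits announce the optional fields."""
    flags = (0x8000 * checksum) | (0x2000 * (key is not None)) | (0x1000 * (seq is not None))
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += b"\x00" * 4                    # Checksum (zeroed for now) + Reserved1
    if key is not None:
        hdr += struct.pack("!I", key)         # tunnel key: plaintext, visible on the path
    if seq is not None:
        hdr += struct.pack("!I", seq)         # tunnel sequence number
    pkt = hdr + payload
    if checksum:                              # checksum covers GRE header plus payload
        pkt = pkt[:4] + struct.pack("!H", ones_complement(pkt)) + pkt[6:]
    return pkt


def parse_gre(pkt: bytes) -> dict:
    """Decode bit 0 (C), bit 2 (K), bit 3 (S) and the fields they announce."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    out = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}
    off = 4
    if flags & 0x8000:                        # Checksum Present
        out["checksum_ok"], off = ones_complement(pkt) == 0, off + 4  # sum must cancel
    if flags & 0x2000:                        # Key Present
        out["key"], off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags & 0x1000:                        # Sequence Number Present
        out["seq"], off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    out["payload"] = pkt[off:]
    return out


def cleartext_http_in_gre(pkt: bytes) -> Optional[str]:
    """Return the HTTP start line if the GRE payload is IPv4/TCP carrying HTTP."""
    gre = parse_gre(pkt)
    ip = gre["payload"]
    if gre["proto"] != GRE_PROTO_IPV4 or len(ip) < 40 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None                           # not an IPv4/TCP segment inside the tunnel
    tcp = ip[(ip[0] & 0x0F) * 4:]             # skip the IP header (IHL * 4 bytes)
    first = tcp[(tcp[12] >> 4) * 4:].split(b"\r\n", 1)[0]   # skip TCP header (data offset)
    if first.split(b" ")[0] in (b"GET", b"POST", b"HEAD", b"PUT") or first.startswith(b"HTTP/"):
        return first.decode("ascii", "replace")
    return None


# Constructed sample (addresses, ports and key are made up): an IPv4/TCP segment
# carrying a cleartext GET, the situation the paper's Wireshark capture shows.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, 64, 6, 0, b"\x01" * 4, b"\x02" * 4)
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
SAMPLE = build_gre(IP_HDR + TCP_HDR + b"GET / HTTP/1.1\r\n", key=12, seq=1, checksum=True)
```

A capture-side monitor can run cleartext_http_in_gre over each GRE datagram to show that the tunnel key is readable on the path and that the application data inside it is unprotected; the checksum detects corruption only, not tampering by someone who recomputes it.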

XII. CONCLUSION

The notion that Generic Routing Encapsulation (GRE) only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses does not imply that
