7/24/2019 Performance Analysis on the Security of Generic Routing Encapsulation (GRE) OVER ISP'S Network
International Journal of Advance Foundation and Research in Computer (IJAFRC) Volume 2, Issue 10, October - 2015. ISSN 2348 - 4853, Impact Factor - 1.317
2015, IJAFRC All Rights Reserved www.ijafrc.org

Performance Analysis on the Security of Generic Routing Encapsulation (GRE) OVER ISP'S Network
Seth Alornyo1 and Michael Asante2
1 I.C.T Directorate, Koforidua Polytechnic
2 Computer Science Department, KNUST, Kumasi
1 bigseth10
customers who are not concerned about the internal tunneling architecture at the ISP end. Customers then have the flexibility to configure or reconfigure their IP architecture but still maintain connectivity. It creates a virtual point-to-point link to routers at remote points over an IP internetwork [1, 2].

II. GENERIC ROUTING ENCAPSULATION

Generic routing encapsulation (GRE) is a tunneling protocol defined in RFC 1702 and RFC 2784. It was originally developed by Cisco Systems for creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork [5, 6, 7]. GRE supports multiprotocol tunneling. It can encapsulate multiple protocol packet types inside an IP tunnel. Adding an additional GRE header between the payload and the tunneling IP header provides the multiprotocol functionality. IP tunneling using GRE enables network expansion by connecting multiprotocol sub-networks across a single-protocol backbone environment. GRE also supports IP multicast tunneling. Routing protocols that are used across the tunnel enable dynamic exchange of routing information in the virtual network [8, 9].

III. BASIC GRE IP HEADER CHARACTERISTIC

Figure 1 depicts the format of a GRE header in a network packet traversing a network. The GRE header is encapsulated in a payload found in between the source and destination IP header. These payloads do not add any security protocol to the IP header, which renders the GRE packet an unsecured medium for communication [9, 10].

GRE flags: The GRE flags are encoded in the first two octets. Bit 0 is the most significant bit, and bit 15 is the least significant bit. Some of the GRE flags include the following:
Checksum Present (bit 0): If the Checksum Present bit is set to 1, the optional checksum field is present in the GRE header.
Key Present (bit 2): If the Key Present bit is set to 1, the optional Key field is present in the GRE header.
Sequence Number Present (bit 3): If the Se
extended GRE headers also do not provide the security needed to secure data transmission [12, 13, 14].

Tunnel checksum: The tunnel checksum detects packet corruption. This option is not used often because checksums are used on other layers in the protocol stack, typically to ensure the accuracy of the GRE packets.

Tunnel key: Can be used for two purposes:
The tunnel key can be used for basic plaintext authentication of packets in which only the two GRE endpoints share a secret number that enables the tunnel to operate properly. However, anyone in the packet path can easily see the key and be able to spoof tunnel packets. A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish between GRE packets belonging to different tunnels.

Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if the packets arrive in the correct order. The main function of GRE is to provide powerful yet simple tunneling. GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. GRE also allows the use of routing protocols across the tunnel [11, 12, 13, 15, 16, 17]. The main limitation of GRE is that it lacks any security functionality. GRE only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses.

Figure 2: Extended GRE header (Adapted from Cisco Systems, 2010)
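
The flag bits and optional fields described above can be decoded with a short parser, which makes the paper's point concrete: the key, the sequence number and the payload are all readable from a capture, and the checksum is unkeyed. This is an added example, not code from the paper; it assumes the RFC 2784 layout with the key and sequence-number fields following the checksum, does not handle RFC 1701 routing fields, and the key, sequence number and payload in SAMPLE are constructed values.

```python
import struct

# Flag masks for the first two octets; bit 0 is the most significant bit.
C_BIT, K_BIT, S_BIT = 0x8000, 0x2000, 0x1000  # bits 0, 2 and 3
UNSUPPORTED = 0x4007  # RFC 1701 routing bit and any non-zero version


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum, as used by the optional GRE checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(proto: int, payload: bytes, key: int, seq: int) -> bytes:
    """Construct a sample GRE packet with checksum, key and sequence number set."""
    flags = C_BIT | K_BIT | S_BIT
    tail = struct.pack("!II", key, seq) + payload
    csum = internet_checksum(struct.pack("!HHHH", flags, proto, 0, 0) + tail)
    return struct.pack("!HHHH", flags, proto, csum, 0) + tail


def parse_gre(packet: bytes) -> dict:
    """Decode the GRE header fields exactly as an on-path capture shows them."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & UNSUPPORTED:
        raise ValueError("routing bit or non-zero version is not handled")
    out = {"protocol": proto, "checksum_ok": None, "key": None, "sequence": None}
    offset = 4
    for bit, name in ((C_BIT, "checksum_ok"), (K_BIT, "key"), (S_BIT, "sequence")):
        if not flags & bit:
            continue
        if len(packet) < offset + 4:
            raise ValueError(f"truncated optional field: {name}")
        if bit == C_BIT:
            # A valid packet sums to zero when the checksum field is included.
            out[name] = internet_checksum(packet) == 0
        else:
            out[name] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    out["payload"] = packet[offset:]
    return out


# Constructed sample (not from the paper): made-up key, sequence number and
# stand-in payload bytes in place of a real inner IPv4 packet.
SAMPLE = build_gre(0x0800, b"GET /index.php HTTP/1.1\r\n", key=0x0000BEEF, seq=7)

if __name__ == "__main__":
    fields = parse_gre(SAMPLE)
    print(f"key={fields['key']:#x} seq={fields['sequence']} payload={fields['payload']!r}")
    # The checksum flags corruption only; it is unkeyed and authenticates nothing.
    damaged = SAMPLE[:-1] + bytes([SAMPLE[-1] ^ 0x01])
    print("intact:", fields["checksum_ok"], "damaged:", parse_gre(damaged)["checksum_ok"])
```

Because none of these fields is encrypted or keyed, confidentiality and integrity for the tunnel have to come from a layer outside the GRE header.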

V. METHODOLOGY

The method adopted in this work is the structural design and simulation of a GRE tunnel network. GNS3 software was used to simulate the network with Cisco routers running the original Internetwork Operating System (IOS). Network device configuration and penetration testing can be carried out using GNS3. Routers used in the simulation are Cisco routers. Comparative analysis and penetration testing were done to check the security level of GRE tunnels. Wireshark, an open source network protocol analyzer [16], was used to capture traffic traversing the service provider network for further analysis and interpretation.

Simulated Virtual Lab

In the simulated virtual lab, a site-to-site GRE tunnel VPN was configured with Cisco routers running IOS (Internetwork Operating System) version 12.4. Once configured, the VPN traffic between Router 1 on
interfaces Router 1 and Router 2 was captured using Wireshark for further processing and analysis. Each of the simulated networks connects to an Internet Service Provider (ISP). The Internet Service Provider only provides internet subscription to the client (institution). The simulated network will provide institutional connectivity to remote sites over the internet. A study of service providers' network architectural design outlines certain configuration parameters which allow internet subscription from clients and other IP services hosted by the service provider. This paper has simulated those architectural designs of service providers to allow connectivity to the client.

Figure 3 illustrates the simulated network topology used to design the network infrastructure. The ISP has two routers (ISP1 and ISP 2). ISP 1 connects router 1 and ISP 2 connects router 2. Router 1 and 2 are considered as the edge routers and a client to the ISP. The ISP has a serial connection from ISP 1 to ISP2. ISP 1 connects its edge router through a fastethernet 0/0 interface and ISP2 connects its edge router through a fastethernet 0/0 interface. The ISP provides only internet access to router 1 and 2 (edge devices). A virtual cloud adaptor from figure 4 was used to virtualize the physical interface of a laptop network adaptor to a Loopback adaptor interface. This virtualization enabled a laptop adaptor to be part of the simulated network.

Figure 3: Simulated GRE tunnel network (Authors)

VI. CONFIGURATION OF THE NETWORK INTERFACE ADDRESSES (STEP ONE)

A loopback and a tunnel interface were configured on router 1 and router 2, along with the fastethernet and the serial interfaces. Fastethernet 0/0 on router 1 was configured with the IP address 200.1.1.1 and a subnet mask 255.255.255.0. The IP address configured on fastethernet 0/0 is the outbound interface connected to the service provider (ISP1) for internet access. Loopback interface 0 was configured with the IP address 1.1.1.1 and a subnet mask 255.255.255.0. The loopback interface represents all internal hosts connected to router 1. Router 2 was also configured with the same parameters. The loopback interface was assigned the IP 2.2.2.2 and a subnet mask 255.255.255.0. Fastethernet 0/0 connects to Internet Service Provider (ISP2) for internet access. Fastethernet 0/0 was assigned the IP 200.1.2.2 and a subnet mask 255.255.255.0. A "no shutdown" command was issued on each of the configured interfaces to activate the interfaces.

A tunnel interface (tunnel 0), which will be used to transport GRE packets between router 1 and router 2, was configured on router 1 and router 2 with the IP 12.12.12.1 and 12.12.12.2 respectively. Tunnel 0 was virtualized with the physical interface fastethernet 0/0 so that packets flow through the physical interface connected to the Internet Service Provider (ISP). The command "tunnel source 20.1.1.1 and a tunnel destination 200.1.2.2" was issued on both routers to connect the tunnel (tunnel 0) interface to the physical interface to transport packets to the ISP. Configured tunnel 0 on router 1 and
router two (2) will be the transport medium to forward all VPN traffic through the ISP's network. The ISP (Internet Service Provider) network as shown in figure 14 was simulated with two routers, ISP1 and ISP2. ISP 1 has two interfaces, interface fastethernet 0/0 and interface serial 1/0. Interface fastethernet 0/0 connects router 1 and interface serial 1/0 connects ISP 2. Fastethernet 0/0 was configured on ISP 1 router with the IP address 200.1.1.2 and a subnet mask 255.255.255.0, and interface serial 0/0 was also configured with the IP address 200.11.22.1 with subnet mask 255.255.255.25. Each configured interface was issued the command "no shut down" to activate the interfaces. ISP2 router has two interfaces, interface fastethernet 0/0 and interface serial 1/0. Interface fastethernet 0/0 connects router 1 and serial 1/0 connects ISP2 serial interface 1/0. Interface fastethernet 0/0 was configured with the IP address 200.1.1.1 with a subnet mask 255.255.255.0 and interface serial 1/0 with an IP address 200.11.22.2 subnet 255.255.252. A "no shut down" command was issued on each interface to activate the interface.

VII. CONFIGURATION OF ROUTING PROTOCOL ON CLIENT ROUTERS (STEP 2)

In order to maintain connectivity between remote networks, EIGRP was configured to route packets between all networks in the diagram. All connected subnets were added into the EIGRP autonomous system on every router. The command:

    ! Router 1
    router eigrp 1
     network 10.0.0.0
     network 12.0.0.0
     network 192.168.0.0

The command "router eigrp 1" enables and activates Enhanced Interior Gateway Routing Protocol (EIGRP) under one (1) Autonomous System on router one (1), and the command network 10.0.0.0, 12.0.0.0, 192.168.0.0 advertises the networks which are directly connected to router 1 to the ISP one (1) network. The command:

    ! Router 2
    router eigrp 1
     network 12.0.0.0
     network 2.0.0.0
     network 192.168.0.0

The command "router eigrp 1" enables and activates Enhanced Interior Gateway Routing Protocol under one (1) Autonomous System on router 2, and the command network 12.0.0.0, 2.0.0.0, 192.168.0.0 advertises the networks which are directly connected to router 2 to the ISP2 network. Configuring an autonomous system enables EIGRP to be under one administrative control.

VIII. CONFIGURING ROUTING PROTOCOL ON ISP ROUTERS (STEP 3)

The simulated network has two routers which establish connectivity to both clients (router 1 and router 2). Routing Information Protocol version 2 (RIP v2) was configured on the ISP's routers. This enables the ISP routers to receive network advertisements from the router 1 and router 2 networks. ISP1 router has two main interfaces, interface fastethernet 0/0 and interface serial 0/1. Interface fastethernet 0/0 is directly connected to router 1 and interface serial 0/1 is connected to the ISP2 network. ISP 1 router was configured with the command

    ! ISP 1
    router rip
     version 2
     network 200.1.1.0
     network 200.11.22.0

ISP 2 router has two main interfaces, interface fastethernet 0/0 and serial 0/1. Interface fastethernet 0/0 connects router 2 and interface serial 0/1 connects to ISP 2 network. ISP 2 router was configured with the command

    ! ISP 2
    router rip
     version 2
     network 200.1.2.0
     network 200.11.22.0

Networks advertised on ISP's router are networks which are connected to interface fastethernet 0/0 to router 1 and interface serial 0/0 to ISP2 interface. Networks advertised on ISP2 router are networks which are connected to interface fastethernet 0/0 to router 2 and interface serial 0/0 to ISP1.

A ping command was issued from router 1 to the various configured interfaces to verify that the local subnets were reachable. All ping commands sent were successful. Step one (1) to step three (3) are the processes used to simulate the GRE tunnel from router 1 through the ISP's network to router 2.

IX. NETWORK INTERFACE MODES (INTERFACE OPERATION ON ROUTER ONE)

The command 'show ip interface brief' was issued on router one (1) and the output shown in figure 4 was obtained. Fastethernet 0/0 with an IP address 200.1.1.1 connects to the ISP one (1) network, which shows that the interconnectivity between the client router and the service provider is active (up) while the protocol supporting the interface is also active (up). Interface tunnel 0 configured for Generic Routing Encapsulation (GRE) is also active (up).

Figure 4: Interface Configuration Operation (Authors)

Interface Configuration Operation On Router Two (2)

The command 'show ip interface brief' was issued on router two (R2) and the output is shown in figure 5. Fastethernet 0/0 with an IP address 200.1.1.2 connects to the ISP two (ISP 2) network, which shows that the interconnectivity between the client router and the service provider is active (up) while the protocol supporting the interface is also active (up). Interface tunnel 0 configured for Generic Routing Encapsulation (GRE) is also active (up). Clients connected to router one (1) can tunnel through (tunnel 0) the ISP's network to router two (2). Hence the tunnel connectivity between router one (1) and router two (2) can be established through the tunnel interfaces.

Figure 5: Interface Configuration Operations (Authors)

X. TESTING ROUTING CONFIGURATIONS ON ISP'S ROUTERS

The command 'show ip route' was issued on ISP 1 router and the output is shown in figure 6. ISP 1 router has the above configuration in its routing table: public Internet Protocol (IP) 200.11.22.0 is directly connected (C) to interface serial 0/0. Internet Protocol 200.1.2.0 is also directly connected to fastethernet 0/0 interface. This directly connected interface indicates the interconnectivity between the client router and the ISP's network. Routing Information Protocol (R) advertises the 200.1.2.0 network through the serial 0/0 interface with administrative distance of 120 and a metric value of 1 (120/1).

Figure 6: Routing Configuration Testing (Authors)

Routing Configuration Operation On ISP Two (2)

The command 'show ip route' was issued on ISP 2 router and the output is shown in figure 9. ISP two (2) router has the above configuration in its routing table: public Internet Protocol (IP) 200.11.22.0 is directly connected (C) to interface serial 1/0. Internet Protocol 200.1.2.0 is also directly connected to fastethernet 0/0 interface. These directly connected interfaces indicate the interconnectivity between the client router and the ISP's network. Routing Information Protocol (R) advertises the 200.1.2.0 network through the serial 0/0 interface with administrative distance of 120 and a metric value of 1 (120/1).

Figure 9: Routing Configuration Testing (Authors)

XI. RESULTS AND ANALYSIS

An HTTP reer
(Wireshark)

Figure 10: Captured Packets Over Simulated ISP Network (Authors)

Figure 11 also depicts a sample captured TCP session, which shows the raw conversation between the laptop and the web server over the tunnel network. Wireshark was used to capture and display the Transmission Control Protocol (TCP) session stream. The TCP session stream option in Wireshark enables packets to be displayed in a stream window as shown in figure 11. The stream window displays the whole packet conversation between two end points. Samples of all web programming languages such as HTML and PHP are all sent in clear text over the tunnel network.

Figure 11: Raw TCP Conversation on a Simulated GRE-VPN tunnel (Authors)

Figure 12 illustrates the Hypertext Transmission Protocol (HTTP) packets transmitted over the GRE-VPN tunnel over the ISP network. All packets sent were able to reach the destination tunnel, and there was no packet loss during the transmission over the simulated tunnel network. Packet loss and system time out were not recorded in the simulated network. All HTTP packets sent were delivered and processed by the web server.

Figure 12: Wireshark HTTP Packet Counter Lifetime Over GRE-VPN Tunnel (Authors)

XII. CONCLUSION

The notion that Generic Routing Encapsulation (GRE) only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses does not imply that