Tunneling?
I could use a bit of help understanding tunneling. I understand encapsulation and I can see that one would use it to move an un-routable protocol over the Inet (by encapsulating the protocol that the Inet doesn’t understand in a protocol that it does understand, exactly like data traveling up/down the OSI model). For the purpose of this question, let’s assume no encryption and focus on the ‘virtual’ portion. Also, let’s assume you are in an Ethernet environment (that is, I‘m producing data that is properly formatted for traveling and routing over the Inet)
[FONT="]What characteristic of a ‘virtual’ connection separates my virtual connection from the rest of the Internet traffic? Stated differently, how is a virtual connection formed?- Mike
PS: perhaps we could start with a definition of "direct connection" and how does it differ from my current connection to this Forum?
[/FONT]
[FONT="]What characteristic of a ‘virtual’ connection separates my virtual connection from the rest of the Internet traffic? Stated differently, how is a virtual connection formed?- Mike
PS: perhaps we could start with a definition of "direct connection" and how does it differ from my current connection to this Forum?
[/FONT]
Comments
-
4E6564 Member Posts: 32 ■■□□□□□□□□Well take GRE for instance, its header is added on after the original layer 3 header, then there is a new layer 3 header for transporting the packet (IP header in the case of the Internet). The only thing that separates that from normal Internet traffic, is that the original layer3/layer4 headers are not used.
Visually:
Session > Transport > Network > DL
with GRE:
Session > Transport > Network > GRE + Network > DL -
mhorowit Member Posts: 9 ■□□□□□□□□□... The only thing that separates that from normal Internet traffic, is that the original layer3/layer4 headers are not used.
Exactly. So, now you have a packet formed for Ethernet transmission. I'll google around some more, but how does that make it "point-to-point"? - Mike -
4E6564 Member Posts: 32 ■■□□□□□□□□Well it is point to point in the sense that you configure a source IP and destination IP address of the tunnel. The tunnel exists between those points, and can be used in much the same way as any other type of interface. The destination of any traffic that goes in one side of the tunnel only goes out the far side of the tunnel.
For instance:
Router 1
int fa0/1
ip address 1.1.1.1 255.255.255.0
interface tunnel 1
tunnel source fa0/1
tunnel dest 2.2.2.2
ip address 192.168.1.1 255.255.255.0
Router 2
int fa0/1
ip address 2.2.2.2 255.255.255.0
interface tunnel 1
tunnel source fa0/1
tunnel dest 1.1.1.1
ip address 192.168.1.2 255.255.255.0
With this configuration the two routers can be separated by tens of routers on the Internet. The routers can communicate over the tunnel by sending traffic between the 192.168.1.0/24 addresses. -
mhorowit Member Posts: 9 ■□□□□□□□□□I may be restating what you said, but would you take a look at this?
I think if I get a working definition for a ‘virtual circuit’, I’ll understand VPNs. Would you please see if the following makes sense?
First, two definitions: ‘connection-less communications’ and ‘connection-oriented communications’. We typically use ‘connection-less’ communications when we transit the Inet. Our data has been separated into packets and an IP address has been slapped on the front. Each packet can travel independently, so one packet may go from DC to LA via St. Louis and another via Biloxi. They arrive, not necessarily in order, and are reconstructed at the destination. Notice that no ‘pre-arrangement’ was made between the two ends; the data was just sent like a ‘Hail Mary’ pass without any guarantee. The counterpart to ‘connection-less’ is ‘connection-oriented’, which means that there was some arrangement made between the two end points before data is sent. During this ‘pre-arrangement’, agreement was made as to the path that was going to be taken between the two points. This is the ‘virtual circuit’ that forms the basis of a VPN. Note that because you now have your own circuit, you don’t need all the routing information you would have needed in a ‘connection-less’ path. Also, the packets are arriving in the same order they were sent, so they don’t have to be reorganized. This ‘connection-oriented’ connection is also known as ‘tunneling’. It is the protocols (IPSec, L2TP, PPTP) which set up the connection and the follow-on encryption. -
4E6564 Member Posts: 32 ■■□□□□□□□□Well I think understanding the difference between TCP and UDP is necessary before thinking about VPN technology.
TCP = Connection oriented. This protocol starts out with a 3 way handshake. The initiator of the communication sends a Syn packet to the end device, the end device replies back with a Syn/Ack, finally the initiator sends back an Ack. Basically the 2 devices are establishing the parameters they will speak with. These parameters include things like the initial number they will start out with to keep track of communication (each packet sent has a sequence number, in order to know for sure that all data has arrived), a window size (amount of data to send at a time), etc etc. TCP is used for applications that require that all data arrives. For instance, with the Internet... Web traffic (HTTP) uses TCP port 80 to communicate. This is connection oriented traffic, and both hosts are guaranteed to receive all data sent by the far side. If a sequence number is missed that sequence number is sent again.
The flip side to TCP is UDP. UDP is connectionless. This is also known as the unreliable damn protocol (easy to remember that way). UDP has no 3 way handshake, and data is sent with a hail mary of sorts as you described. Not having the sequencing and realiable guarantees of TCP saves a lot of room in the header, thus it can be used to transmit more data in less time than TCP. You might wonder why anything would use UDP.... Well there are very good uses for it. For instance, VoIP uses UDP. VoIP traffic needs to have very low delay (the time that it takes to get to the end system), not using headers is a start in meeting that. Another primary reason UDP is used is because if a little bit of sound did not arrive, or something came out of order, then you wouldn't want to pause your conversation to go back and listen to it.
Beyond that we can have discussions about tunnels and encryption. Encryption in essence hides data. Even with encryption or tunnels individual packets are sent that can go in different ways over the Internet. A tunnel still has individual packets that hide the underlying protocols. Hiding the underlying protocols is necessary for things like sending IPV6 traffic over the IPV4 Internet, or sending encrypted routing protocols over the Internet. Companies often have remote locations, and want to use routing protocols to be able to dynamically know where every IP range is located. Routing protocols (Multicast generally) cannot be directly encrypted by IPSEC. GRE tunnels are used to hide the Multicast packets, and the GRE tunnel is then encrypted.
Regardless if a packet is encrypted or in a tunnel it is transmitted exactly the same way that any other packet is transmitted. The tunnel and encryption are merely ways to hide underlying headers or data. -
Darril Member Posts: 1,588Great explanations 4E6564.
To add a little.
The "virtual" in virtual private network (VPN) is implying that the *privacy* of the network is virtual. "Virtual" has nothing to do with a virtual circuit.
A VPN is used to create a connection to a private network over a public network - typically the Internet. People use it to access resources on their internal network from home or while on the road. It's used as a form a remote access.
Since the data traveling over the Internet is susceptible to sniffing, it must be protected. Tunneling protocols are used to protect the data.
Tunneling protocols are used to encapsulate other protocols. TCP/IP is used on the Internet. Almost all networks also use TCP/IP. The tunneling protocol encapsulates TCP/IP protocols used on the internal network. TCP/IP is also used to transfer the encapsulated data over the network. Tunneling protocols also commonly encrypt the encapsulated data.
The two most commonly used protocols are PPTP and L2TP.
HTH,
Darril Gibson
Author: CompTIA Security+: Get Certified Get Ahead
ISBN-10: 1439236364
Security+ Blog -
mhorowit Member Posts: 9 ■□□□□□□□□□Well I think understanding the difference between TCP and UDP is necessary before thinking about VPN technology.
4E - Absolutely! As soon as I saw that in one case a virtual path was established, the 'virtual' nature became apparent, which was what I was looking for. Everything else is follow-on - Mike -
mhorowit Member Posts: 9 ■□□□□□□□□□Great explanations 4E6564.
To add a little.
The "virtual" in virtual private network (VPN) is implying that the *privacy* of the network is virtual. "Virtual" has nothing to do with a virtual circuit
Darril - I've been appreciative of your postings for the last several months; thanks for your contributions!
I'm speaking with all the authority of someone new to the subject, but until the discussion drifts to encryption, there is no privacy in a tunnel (my understanding of course). You might have 'security by obscurity". For that reason, I would raise a question about your first para. The 'model' I've developed in my mind would define the agreed-upon pathway between the two points as the virtual circuit. It seems to fit my 'model'. That make sense? - Mike -
Darril Member Posts: 1,588Darril - I've been appreciative of your postings for the last several months; thanks for your contributions!
I'm speaking with all the authority of someone new to the subject, but until the discussion drifts to encryption, there is no privacy in a tunnel (my understanding of course). You might have 'security by obscurity".
For that reason, I would raise a question about your first para. The 'model' I've developed in my mind would define the agreed-upon pathway between the two points as the virtual circuit. It seems to fit my 'model'. That make sense? - Mike
Mike,
Sorry, but I'm not sure I understand what your question is.
I have trouble with any definition of a VPN using virtual circuit. I'm not saying it's incorrect, but I can't make it work in my head. When the term "virtual circuit" is used I think of X.25, frame relay, and other non IP-based protocols. That's out of my circle of knowledge.
As far as no real privacy in a tunnel, you're correct. And that's why encryption is used for a VPN. Tunneling protocols can be used in clear text. However a VPN (at least a secure VPN associated with the Security+ exam) uses both a tunneling protocol and encryption.
Darril Gibson
Author: CompTIA Security+: Get Certified Get Ahead
ISBN-10: 1439236364Security+ Blog