Tunneling is a way of carrying data between two networks across an intermediate network, typically the Internet. Each packet or frame is wrapped (encapsulated) in an additional tunnel header that routes it across the intervening network to the far end of the tunnel and, where the tunneling protocol supports it, encrypted so that the intermediate network cannot read it. Encapsulation by itself is not security: of the protocols described below, L2TP on its own adds no encryption at all, PPTP relies on MPPE, and L2TP/IPSec relies on IPSec. At the destination the tunnel header is removed, the data is decrypted if it was encrypted, and the original packet is delivered to the node it was addressed to.
A tunnel is a logical path between the source and destination endpoints on the two networks. Every packet is encapsulated at the source and decapsulated at the destination, and this continues for as long as the logical tunnel persists between the two endpoints.

Tunneling Protocols
The Windows Server 2003 family supports the following tunneling protocols for secure communication:
- Point-to-Point Tunneling Protocol (PPTP)
- PPTP employs user-level PPP authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.
- PPTP uses TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunneled data; both must be permitted by every firewall and NAT device in the path.
- PPTP has no computer-level authentication; the user's PPP authentication is the only authentication performed. Because MPPE derives its keys from that exchange, encrypted PPTP connections require MS-CHAP, MS-CHAP v2 or EAP-TLS; PAP and CHAP cannot be used together with MPPE.
- MPPE encrypts with the RC4 stream cipher using 40-bit, 56-bit or 128-bit keys; only 128-bit keys should be allowed.
- Layer Two Tunneling Protocol (L2TP)
- L2TP is an industry-standard Internet tunneling protocol with roughly the same functionality as PPTP. Based on the Layer Two Forwarding (L2F) and PPTP specifications, L2TP can be used to set up tunnels across intervening networks. Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP) frames, which in turn encapsulate IP or IPX packets, allowing users to remotely run programs that depend on specific network protocols.
- L2TP uses UDP port 1701 for both control messages and tunneled data.
- L2TP does not provide any encryption by itself; the PPP frames in a plain L2TP tunnel, including the user authentication exchange, cross the network in the clear.
- L2TP with Internet Protocol security (L2TP/IPSec)
- L2TP/IPSec employs user-level PPP authentication methods over a connection that is encrypted with IPSec. IPSec first requires computer-level authentication of the two hosts during IKE negotiation, using either the Kerberos protocol, a preshared key, or computer certificates. Certificates are the recommended choice; a preshared key is one secret shared by every client and, once it leaks, has to be changed everywhere.
- L2TP/IPSec uses UDP port 500 (IKE/ISAKMP), IP protocol 50 (Encapsulating Security Payload, ESP) and possibly IP protocol 51 (Authentication Header, AH). When one of the endpoints sits behind a NAT, IPSec NAT Traversal (NAT-T) moves the IKE and ESP traffic to UDP port 4500. The L2TP header (UDP 1701) travels inside ESP and is not visible on the wire.
- L2TP/IPSec therefore authenticates twice: mutual computer authentication in IKE, then user authentication with PPP inside the already-encrypted tunnel.
- IPSec in Windows Server 2003 provides DES (56-bit) and 3DES (168-bit) encryption, with packet integrity from HMAC-MD5 or HMAC-SHA1. DES is no longer considered adequate, so 3DES should be configured.
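The port and protocol numbers above are what an analyst sees on the wire, and they are enough to tell the three tunnel types apart and to spot the one combination that is outright unsafe: L2TP on UDP 1701 visible outside ESP means the tunnel was built without IPSec. The script below is an added example, not code from the original page; the packet list is constructed for the example rather than captured, and the labels and the `audit` report are this example's own convention.

```python
# Added example (not from the original page): classify packet tuples into the
# VPN protocol components listed above and flag the weak combinations.
# The packet list is constructed for the example, not captured traffic.
from collections import Counter

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 47, 50, 51

def classify(proto, sport=None, dport=None):
    """Label one packet from its IP protocol number and transport ports.
    GRE, ESP and AH carry no port fields, so sport/dport are None for them."""
    if proto == IPPROTO_GRE:
        return "PPTP data"          # PPP frames inside GRE (IP protocol 47)
    if proto == IPPROTO_ESP:
        return "IPSec ESP"          # encrypted payload (IP protocol 50)
    if proto == IPPROTO_AH:
        return "IPSec AH"           # integrity only, no encryption (IP protocol 51)
    ports = {sport, dport}
    if proto == IPPROTO_TCP and 1723 in ports:
        return "PPTP control"
    if proto == IPPROTO_UDP and 500 in ports:
        return "IKE"                # ISAKMP key exchange for IPSec
    if proto == IPPROTO_UDP and 4500 in ports:
        return "IPSec NAT-T"        # IKE or ESP wrapped in UDP 4500 behind a NAT
    if proto == IPPROTO_UDP and 1701 in ports:
        # With L2TP/IPSec the UDP 1701 header sits inside ESP and is never seen
        # on the wire, so seeing it here means the tunnel has no IPSec at all.
        return "L2TP cleartext"
    return "other"

def audit(packets):
    """Count labels over (proto, sport, dport) tuples and report weak setups."""
    counts = Counter(classify(*p) for p in packets)
    findings = []
    if counts["L2TP cleartext"]:
        findings.append("L2TP on UDP 1701 outside ESP: PPP frames, including "
                        "the user authentication exchange, are unencrypted")
    if counts["PPTP control"] or counts["PPTP data"]:
        findings.append("PPTP in use: confidentiality depends on MPPE keys "
                        "derived from the user's MS-CHAP/EAP-TLS authentication")
    if counts["IPSec AH"] and not (counts["IPSec ESP"] or counts["IPSec NAT-T"]):
        findings.append("AH without ESP: packets are authenticated but readable")
    return counts, findings

# Constructed sample: one PPTP session, one L2TP/IPSec session behind a NAT,
# one L2TP tunnel set up without IPSec, and unrelated HTTPS traffic.
SAMPLE_PACKETS = [
    (IPPROTO_TCP, 49152, 1723), (IPPROTO_GRE, None, None),
    (IPPROTO_UDP, 500, 500), (IPPROTO_UDP, 4500, 4500), (IPPROTO_ESP, None, None),
    (IPPROTO_UDP, 1701, 1701), (IPPROTO_TCP, 50000, 443),
]

if __name__ == "__main__":
    counts, findings = audit(SAMPLE_PACKETS)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    for f in findings:
        print("FINDING:", f)
```

The same table doubles as a firewall checklist: a PPTP server needs TCP 1723 and IP protocol 47 opened, an L2TP/IPSec server needs UDP 500, UDP 4500 and IP protocol 50, and UDP 1701 should never need to be opened on a perimeter device, because it is only ever seen inside ESP.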
How Tunneling Works
Windows Server 2003 offers two types of VPN connection, PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer Two Tunneling Protocol). Both establish a tunnel between two endpoints. Before the endpoints can exchange data, they must agree on the tunnel type (PPTP or L2TP) and then on the connection parameters: authentication method, encryption, address assignment, compression and so on. These choices determine how much protection the private logical tunnel gets on the public Internet. The tunnel is created, maintained and terminated by a tunnel management protocol: the PPTP control connection on TCP port 1723, or L2TP control messages on UDP port 1701.
Once the tunnel is in place, the client and the server use it to send and receive data across the internetwork, framed according to whichever tunneling protocol was negotiated. Whenever one end sends a payload (a packet containing data) to the other, the sending tunnel endpoint prepends a tunnel header to each packet. That header carries the information needed to route the packet across the internetwork to the far tunnel endpoint: for PPTP, a GRE header and an outer IP header; for L2TP, an L2TP header and outer UDP/IP headers. When the packet arrives, the receiving endpoint checks the header, strips it, and forwards the original packet to the destination node, client or server.
Point-to-Point Protocol (PPP)
PPTP and L2TP both depend on a PPP connection, so PPP deserves a closer look. PPP was originally designed for dial-up and dedicated point-to-point links. Data sent over a PPP connection is encapsulated in PPP frames and transmitted to the remote dial-up or PPP server; the tunneling protocols reuse those frames unchanged and carry them across an IP network instead of a phone line.
There are four distinct phases of negotiation in a PPP connection. Each of these four phases must complete successfully before the PPP connection is ready to transfer user data.
- Phase 1: PPP Link Establishment. PPP uses the Link Control Protocol (LCP) to establish, configure and test the link to the destination network; LCP is also responsible for maintaining and terminating the connection. During this phase the two peers agree on the link options, including which authentication protocol will be used in Phase 2 and whether compression and encryption will be negotiated. The compression and encryption algorithms themselves are selected in Phase 4.
- Phase 2: User Authentication. The user's credentials are sent to the remote destination for authentication using the protocol chosen in Phase 1. Windows supports PAP, SPAP, CHAP, MS-CHAP, MS-CHAP v2 and EAP, and a secure method must be chosen to safeguard the credentials. With PAP (Password Authentication Protocol) the user name and password travel as plain text and can be captured by anyone on the path. Challenge-response methods (CHAP, MS-CHAP v2) keep the password off the wire but still leave a weak password open to offline guessing from a captured exchange; EAP-TLS with certificates avoids passwords altogether. Phase 2 is the point at which the credentials are most exposed: an intruder who captures them can authenticate as the user later, and an active intruder on the link can hijack an already-authenticated session by cutting off the original user and taking over the connection. Encryption of the data phase (MPPE or IPSec) is what limits the damage once the link is up.
- Phase 3: PPP Callback Control. The Microsoft implementation of PPP includes an optional callback control phase, which uses the Callback Control Protocol (CBCP) immediately after authentication. If callback is configured, both the remote client and the network access server (NAS) disconnect after authentication, and the NAS calls the remote client back at a specified phone number. This gives dial-up connections an additional level of security, since the NAS only completes connections to clients physically located at specific phone numbers. Callback applies only to dial-up connections, not to VPN connections.
- Phase 4: Invoking Network Layer Protocol(s). Once the previous phases have completed, PPP runs the Network Control Protocols (NCPs) selected during link establishment (Phase 1) to configure the network protocols the remote client will use. For example, IPCP assigns the PPP client a dynamic IP address. In the Microsoft implementation of PPP, the Compression Control Protocol (CCP) negotiates both data compression (MPPC) and data encryption (MPPE) in this phase.
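The Phase 2 point is easiest to see on the actual bytes. The script below is an added example and not code from the original page: it builds the PAP Authenticate-Request and the CHAP Challenge/Response frames as PPP carries them (RFC 1334 and RFC 1994), then shows what a passive listener recovers from each and why a captured CHAP exchange still permits an offline dictionary attack on a weak secret. Plain CHAP stands in here for the challenge-response family Windows actually pairs with MPPE (MS-CHAP v2); the user names, secrets and the challenge are constructed values.

```python
# Added example (not code from the original page): PAP and CHAP authentication
# frames as they appear inside PPP (RFC 1334, RFC 1994), what a passive listener
# recovers from each, and the offline guess that challenge-response still allows.
# User names, secrets and the challenge are constructed values.
import hashlib
import hmac
import struct

PPP_PAP, PPP_CHAP = 0xC023, 0xC223            # PPP protocol numbers
PAP_AUTH_REQ, CHAP_CHALLENGE, CHAP_RESPONSE = 1, 1, 2

def _auth_frame(ppp_proto, code, ident, body):
    # Length covers Code, Identifier, Length and Data, not the PPP protocol field.
    return struct.pack("!HBBH", ppp_proto, code, ident, 4 + len(body)) + body

def pap_authenticate_request(ident, peer_id, password):
    """PAP: the password itself is placed in the frame."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _auth_frame(PPP_PAP, PAP_AUTH_REQ, ident, body)

def chap_challenge(ident, challenge, name):
    """CHAP: the authenticator sends a random challenge and its own name."""
    return _auth_frame(PPP_CHAP, CHAP_CHALLENGE, ident,
                       bytes([len(challenge)]) + challenge + name)

def chap_response(ident, secret, challenge, name):
    """CHAP: the peer answers with MD5(Identifier || secret || challenge)."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return _auth_frame(PPP_CHAP, CHAP_RESPONSE, ident,
                       bytes([len(digest)]) + digest + name)

def chap_verify(ident, secret, challenge, response):
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(expected, response)

def sniff(frame):
    """What someone capturing the link learns from one authentication frame."""
    ppp_proto, code, ident, length = struct.unpack("!HBBH", frame[:6])
    body = frame[6:2 + length]
    if ppp_proto == PPP_PAP and code == PAP_AUTH_REQ:
        n = body[0]                         # Peer-ID-Length
        m = body[1 + n]                     # Passwd-Length
        return {"method": "PAP", "ident": ident, "name": body[1:1 + n].decode(),
                "password": body[2 + n:2 + n + m].decode()}
    if ppp_proto == PPP_CHAP and code in (CHAP_CHALLENGE, CHAP_RESPONSE):
        n = body[0]                         # Value-Size
        return {"method": "CHAP", "ident": ident,
                "kind": "challenge" if code == CHAP_CHALLENGE else "response",
                "value": body[1:1 + n], "name": body[1 + n:].decode()}
    return None

def offline_guess(ident, challenge, response, wordlist):
    """With both CHAP frames captured, a weak secret falls to a dictionary."""
    for guess in wordlist:
        if chap_verify(ident, guess, challenge, response):
            return guess
    return None

if __name__ == "__main__":
    print(sniff(pap_authenticate_request(1, b"alice", b"s3cret")))
    challenge = bytes(range(16))            # constructed; real ones are random
    print(sniff(chap_challenge(7, challenge, b"nas1")))
    print(sniff(chap_response(7, b"s3cret", challenge, b"alice")))
```

The PAP frame hands the listener the password directly; the CHAP frames hand over only a challenge and a 16-byte digest, which is why the original user's password never appears on the link, but also why the strength of the secret, not the protocol, decides whether `offline_guess` succeeds.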
Data Transfer
Once the four phases of PPP negotiation are complete, PPP begins to forward data between the two peers. Each transmitted packet is wrapped in a PPP header that the receiving system removes. If data compression was agreed in Phase 1 and negotiated in Phase 4, data is compressed before transmission; if encryption was agreed and negotiated, data is encrypted before transmission. When both are in use, data is compressed first and then encrypted, since encrypted data no longer compresses.
Point-to-Point Tunneling Protocol (PPTP)
PPTP encapsulates PPP frames in IP datagrams for transmission over an IP internetwork such as the Internet. PPTP can be used for remote access and router-to-router VPN connections.
PPTP uses a TCP connection on port 1723 for tunnel management (creating, maintaining and tearing down the tunnel and its calls) and the Generic Routing Encapsulation (GRE) protocol, IP protocol 47, to carry the PPP frames that hold the actual data. GRE adds no confidentiality or integrity of its own; whether the PPP payload is compressed or encrypted depends entirely on what was negotiated for the tunnel (MPPC and MPPE).
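The header-adding and header-checking described in How Tunneling Works looks like this for the PPTP data path. The script below is an added example and not code from the original page: it wraps a PPP frame in the enhanced GRE header that PPTP uses (RFC 2637, version 1, protocol type 0x880B, key field carrying payload length and call ID) inside an outer IPv4 header, then undoes it at the far end with the checks a receiver can actually perform. Addresses, the call ID and the inner packet are constructed; the IPv4 header builder is a minimal one written for this example, and no MPPE is applied, which is exactly the point.

```python
# Added example (not from the original page): PPTP data path, a PPP frame
# inside an enhanced GRE header (RFC 2637) inside an outer IPv4 packet, and
# the reverse checks at the far end. Addresses and payloads are constructed.
import ipaddress
import struct

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # GRE protocol type for PPP in PPTP
PPP_IP = 0x0021             # PPP protocol number for IPv4 payloads

def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def ppp_frame(protocol, data):
    """PPP frame as PPTP carries it: address 0xFF, control 0x03, protocol, data."""
    return b"\xff\x03" + struct.pack("!H", protocol) + data

def pptp_encapsulate(src, dst, call_id, seq, frame):
    """Outer IP + enhanced GRE (K and S bits set, version 1) + PPP frame."""
    gre = struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(frame), call_id, seq)
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre) + len(frame)) + gre + frame

def pptp_decapsulate(packet, expected_call_id):
    """Strip the tunnel headers; raise ValueError on anything malformed.
    Returns (ppp_protocol, inner_data, sequence_number)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not IPv4")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE")
    total_len = struct.unpack("!H", packet[2:4])[0]
    gre = packet[ihl:total_len]
    if len(gre) < 12:
        raise ValueError("GRE header truncated")
    flags, ver, ptype, plen, call_id, seq = struct.unpack("!BBHHHI", gre[:12])
    if ver & 0x07 != 1 or ptype != GRE_PROTO_PPP or not (flags & 0x20):
        raise ValueError("not PPTP enhanced GRE")
    if call_id != expected_call_id:
        raise ValueError("call id mismatch")
    off = 12 + (4 if ver & 0x80 else 0)   # skip the ack number if the A bit is set
    payload = gre[off:off + plen]
    if len(payload) != plen:
        raise ValueError("truncated payload")
    if payload[:2] != b"\xff\x03":
        raise ValueError("not a PPP frame")
    return struct.unpack("!H", payload[2:4])[0], payload[4:], seq

def is_valid_pptp(packet, expected_call_id):
    try:
        pptp_decapsulate(packet, expected_call_id)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    inner = ipv4_header("192.168.1.10", "192.168.1.20", 17, 4) + b"data"
    pkt = pptp_encapsulate("203.0.113.7", "198.51.100.9", 42, 1, ppp_frame(PPP_IP, inner))
    print(pkt.hex())
    print(pptp_decapsulate(pkt, 42))
```

Everything the receiver can verify at this layer is structural: IP checksum, GRE version and protocol type, call ID and lengths. Nothing here proves who sent the packet or hides its contents, which is why confidentiality in PPTP rests entirely on the MPPE negotiated inside the PPP frame, and why a firewall or NAT that does not pass IP protocol 47 breaks the data path even when TCP 1723 is open.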
Layer Two Tunneling Protocol (L2TP)
L2TP was first proposed by Cisco Systems Inc. as a combination of its Layer 2 Forwarding (L2F) protocol with PPTP. L2TP encapsulates PPP frames and can carry them over IP (using UDP), X.25, Frame Relay (FR) or ATM (Asynchronous Transfer Mode) networks. An L2TP tunnel over IP is only as safe as the protection wrapped around it: L2TP itself neither encrypts nor authenticates the tunneled data, and compression offers no protection from intruders, so L2TP should be combined with IPSec (L2TP/IPSec) whenever the tunnel crosses the Internet. Of the two tunnel types Windows Server 2003 offers, L2TP/IPSec is the stronger choice.
