As a network professional, you’ll work with many specialized and diverse protocols. In this video, you’ll learn about ICMP, GRE, VPNs, and IPsec.
In this course so far, we’ve talked about two main types of protocols that you commonly see running inside of IP: TCP and UDP. But there are other protocols that we might carry within IP. One of these other protocols is ICMP, or the Internet Control Message Protocol.
You can think of ICMP as a way for devices to send control messages to each other. It is not used to carry application data from one part of the network to another; it carries management and error-reporting messages about how that data is being delivered.
For example, you might use the ping command on your computer to see if another device is active on the network, referring to that device by IP address. When you send that ping, you’re really sending an ICMP Echo Request packet, and what comes back is an ICMP Echo Reply. You might also see messages appear on your screen when things go wrong.
For example, if you’re trying to reach a network that is no longer reachable, you may see a message saying that the network is inaccessible, and that message was created from an ICMP Destination Unreachable packet sent back by a router. Or perhaps there is a routing loop on the network. Every router that forwards your packet decrements its time to live (TTL), and the router that decrements it to zero drops the packet and usually sends a message back to your workstation saying that the time to live has expired. That message is an ICMP Time Exceeded, and it quotes the header of the packet that was dropped so your system knows which conversation it applies to.
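As an added illustration (not code from the original video), the following Python builds the ICMP Echo Request that ping sends, builds the Time Exceeded message a router returns when it drops that packet, and parses the result, verifying the RFC 1071 checksum and pulling the original source, destination and protocol out of the quoted header. The addresses, identifier and payload are constructed sample values, and the `demo` helper is an assumption of this example, not a standard API.

```python
import socket
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by the IPv4 header and by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """What 'ping' sends: type 8, code 0, checksum, identifier, sequence, payload."""
    body = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_time_exceeded(dropped_ip_packet: bytes) -> bytes:
    """What a router sends (type 11, code 0) when it decrements TTL to zero: it quotes the
    dropped datagram's IP header plus the first 8 bytes of its payload."""
    ihl = (dropped_ip_packet[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + dropped_ip_packet[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def icmp_checksum_ok(msg: bytes) -> bool:
    """A message with a correct checksum sums to zero over its whole length."""
    return len(msg) >= 8 and inet_checksum(msg) == 0


def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMP message. For the error types (3 and 11) the quoted IP header tells
    the sender which of its flows the network rejected."""
    if not icmp_checksum_ok(msg):
        raise ValueError("short message or bad ICMP checksum")
    typ, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": typ, "code": code}
    if typ in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["id"], info["seq"] = rest >> 16, rest & 0xFFFF
        info["payload"] = msg[8:]
    elif typ in (ICMP_DEST_UNREACHABLE, ICMP_TIME_EXCEEDED):
        quoted = msg[8:]
        ihl = (quoted[0] & 0x0F) * 4
        info["orig_src"] = socket.inet_ntoa(quoted[12:16])
        info["orig_dst"] = socket.inet_ntoa(quoted[16:20])
        info["orig_proto"] = quoted[9]
        info["orig_l4"] = quoted[ihl:ihl + 8]   # first 8 bytes of the original payload
    return info


def demo() -> dict:
    """Constructed scenario: our ping expires in transit and a router reports it."""
    echo = build_echo_request(ident=0x1234, seq=1, payload=b"ping-payload")
    dropped = build_ipv4("10.0.0.5", "192.0.2.10", 1, echo, ttl=1)   # proto 1 = ICMP
    return parse_icmp(build_time_exceeded(dropped))


if __name__ == "__main__":
    print(demo())
```

The checksum check matters operationally: an ICMP error with a bad checksum is discarded rather than acted on, and the quoted header is what lets a host (or a firewall doing stateful inspection) match an error to the flow that caused it instead of trusting an unsolicited message.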
One common way to communicate, either between sites or between devices, is to create a tunnel between those devices and send all of our data inside of that tunnel. One common way to create this tunnel is to use GRE, or the Generic Routing Encapsulation protocol.
GRE allows us to encapsulate other types of packets inside an IP packet and send them to a remote site. With GRE, the two devices communicating appear to be directly connected, even though the traffic may cross many networks in between. But GRE doesn’t include any encryption or authentication: anyone who can capture the tunnel traffic can read the original headers and data. So if we need security, we have to combine GRE with another protocol, most commonly by running the GRE tunnel over IPSec.
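To make the "no security" point concrete, here is an added example (not from the original video) that wraps a packet in a GRE header (RFC 2784, with the optional RFC 2890 Key field) behind a new outer IPv4 header, unwraps it at the far end, and shows what a passive observer on the transit path can read. The tunnel endpoints, inner addresses, payload and key value are constructed sample data, and `observer_view` and `demo` are helper names assumed for this example.

```python
import socket
import struct
from typing import Optional

GRE_PROTO = 47           # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" values are EtherTypes
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int] = None) -> bytes:
    """Outer IPv4 header | GRE header | original packet.
    The inner header and payload are copied unchanged: nothing here is encrypted."""
    flags = GRE_FLAG_K if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner_packet)


def gre_decapsulate(outer_packet: bytes, expected_key: Optional[int] = None) -> bytes:
    """Strip the outer IPv4 and GRE headers and return the original packet."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != GRE_PROTO or inet_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("not a well-formed GRE-in-IPv4 packet")
    gre = outer_packet[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007 or proto != ETHERTYPE_IPV4:   # version bits must be 0
        raise ValueError("unsupported GRE version or payload type")
    off, key = 4, None
    if flags & GRE_FLAG_C:                           # optional checksum + reserved1 (not verified here)
        off += 4
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:                           # optional sequence number
        off += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch")
    return gre[off:]


def observer_view(outer_packet: bytes) -> dict:
    """What a passive observer on the transit path sees. Because GRE adds no confidentiality,
    the original endpoints and payload are readable, not just the tunnel endpoints."""
    inner = gre_decapsulate(outer_packet)
    return {
        "tunnel": (socket.inet_ntoa(outer_packet[12:16]), socket.inet_ntoa(outer_packet[16:20])),
        "inner": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])),
        "inner_payload": inner[(inner[0] & 0x0F) * 4:],
    }


def demo() -> dict:
    """Constructed example: a private-address packet tunnelled between two public endpoints."""
    inner = build_ipv4("10.1.1.5", "10.2.2.9", 6, b"private data")      # proto 6 = TCP
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1", key=42)
    view = observer_view(outer)
    view["roundtrip_ok"] = gre_decapsulate(outer, expected_key=42) == inner
    view["overhead_bytes"] = len(outer) - len(inner)
    return view


if __name__ == "__main__":
    print(demo())
```

Note that the GRE Key field is a tunnel identifier, not a secret: it is sent in the clear and anyone on the path can read or spoof it, so it must never be treated as authentication.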
One common way to encrypt data over these tunnels is to use a VPN, or Virtual Private Network. This allows us to take information that would normally be visible to anyone on the path and send it over an encrypted tunnel. To do this, we commonly need a VPN concentrator. This is the device that encrypts and decrypts the data sent over the tunnel, and it’s very commonly integrated into a firewall.
There are also standalone and software based devices that can perform this functionality without using a full-blown firewall. Sometimes this is purely software based. And you can configure client and server software on both ends that are able to send information over this virtual private network.
One common VPN protocol is IPSec, or Internet Protocol Security. This provides encryption and authentication of data running across an IP network at OSI layer 3. IPSec includes confidentiality; that’s where the encryption comes in. It also includes integrity, so that modified packets are detected, and anti-replay protection, so that someone who captures valid packets can’t simply resend them through the tunnel later.
This is also a very common way to communicate over a VPN, and many firewalls, operating systems, and other devices can be configured to communicate amongst each other using these standard IPSec protocols.
You’ll commonly see two protocols being used by IPSec. One of them is the Authentication Header, or AH. The other is the Encapsulating Security Payload, or ESP. There are a number of different ways to send data across an IPSec network. Let’s take the example of an IP header with some data inside of it that we would like to send over IPSec.
One way to do this is called transport mode. In transport mode, we keep the original IP header and insert the IPSec header between it and the data; the data is what gets encrypted or authenticated. The original IP header itself is sent in the clear, so anyone watching the traffic can still see the real source and destination addresses, and that may not be enough security for many people.
To add additional security, we may want to use tunnel mode. With tunnel mode, we take the entire original packet, the original IP header and the original data, encrypt it, and place it inside an IPSec header and IPSec trailer. We then add a separate, brand new IP header to the front, addressed to the tunnel endpoints, so that anyone looking at this traffic would have no idea where the original data was really coming from or where it’s going to.
To ensure that everything being sent across the network is received without any changes, we can add an Authentication Header, or AH, to the IPSec communication. The authentication header carries an integrity check value: a keyed hash (an HMAC) computed over the packet using a key shared by both sides of the communication. Fields that legitimately change in transit, such as the time to live and the IP header checksum, are treated as zero when that hash is computed, so a router decrementing the TTL doesn’t break the check. In tunnel mode you would see the new IP header at the beginning, then the authentication header, and then the original IP header and data.
This authentication header authenticates the entire packet, including the outer IP addresses, that’s sent to the destination device. When it’s received, the destination device performs exactly the same keyed hash and compares it with the value in the authentication header to ensure that the packet it received is identical to the packet that was sent. Note that AH provides integrity only, not encryption, and because it authenticates the IP addresses it does not survive NAT, which is one reason ESP is far more common in practice.
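The following is an added example, not code from the original video, showing the AH integrity check in tunnel mode with HMAC-SHA-256-128 (RFC 4868): the ICV is computed over the whole packet with the mutable IPv4 fields and the ICV field zeroed (RFC 4302 section 3.3.3.1). It then shows that a router decrementing TTL and rewriting the header checksum still verifies, while flipping one bit of the original data does not. The key, SPI, addresses and payload are constructed sample values, and `router_hop` and `demo` are helper names assumed here.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51            # IP protocol number for AH
NEXT_HDR_IPV4 = 4        # IPv4-in-IP: tunnel mode carries a whole IP packet
ICV_LEN = 16             # HMAC-SHA-256-128: SHA-256 HMAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN    # fixed AH fields plus ICV


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields that legitimately change in transit are treated as zero for the ICV:
    ToS, flags/fragment offset, TTL and the header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV = HMAC over the whole packet with mutable fields and the ICV field itself zeroed."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_tunnel_encapsulate(key: bytes, spi: int, seq: int, inner_packet: bytes,
                          tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel mode: new IP header | AH | original IP header + data.
    Everything is authenticated; nothing is encrypted."""
    # Payload Len counts 32-bit words of the AH minus 2 (so 28 bytes -> 5).
    ah_fixed = struct.pack("!BBHII", NEXT_HDR_IPV4, AH_LEN // 4 - 2, 0, spi, seq)
    outer = ipv4_header(tunnel_src, tunnel_dst, AH_PROTO, 20 + AH_LEN + len(inner_packet))
    return outer + ah_fixed + ah_icv(key, outer, ah_fixed, inner_packet) + inner_packet


def ah_verify(key: bytes, packet: bytes):
    """Return the inner packet if the ICV checks out, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != AH_PROTO:
        return None
    ah_fixed = packet[ihl:ihl + 12]
    ah_total = (ah_fixed[1] + 2) * 4
    icv = packet[ihl + 12:ihl + ah_total]
    payload = packet[ihl + ah_total:]
    if not hmac.compare_digest(icv, ah_icv(key, packet[:ihl], ah_fixed, payload)):
        return None
    return payload


def router_hop(packet: bytes) -> bytes:
    """A router in the path decrements TTL and rewrites the header checksum."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", inet_checksum(bytes(p[:20])))
    return bytes(p)


def demo() -> dict:
    """Constructed example: a legitimate hop still verifies; a payload edit does not."""
    key = b"\x11" * 32                                 # stand-in for the SA's negotiated key
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 6, 20 + 11) + b"secret-data"
    pkt = ah_tunnel_encapsulate(key, spi=0x1000, seq=1, inner_packet=inner,
                                tunnel_src="203.0.113.1", tunnel_dst="198.51.100.1")
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                               # flip one bit of the original data
    return {
        "intact": ah_verify(key, pkt) == inner,
        "after_hop": ah_verify(key, router_hop(pkt)) == inner,
        "tampered": ah_verify(key, bytes(tampered)) is not None,
    }
```

Because the outer source and destination addresses are inside the HMAC, a NAT device rewriting either of them has the same effect as the tampered case above: the packet fails verification at the far end.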
Of course, we also want to be sure that the information we’re sending across the network is encrypted, and we’re able to do that with the Encapsulating Security Payload, or ESP. There are a number of different ciphers that can provide this encryption, and you can usually configure the method you’d like to use on your IPSec concentrator.
In tunnel mode, ESP encrypts your original IP header, your data, and the ESP trailer, and it authenticates everything from the ESP header through the ESP trailer. The new IP header is added in front, and an integrity check value is placed at the end so that the receiver can confirm the packet arrived unmodified. The new outer IP header itself is not covered by the ESP integrity check.
Let’s now combine both the authentication header and the encapsulating security payload. If we were to send that in transport mode, where we’re using our original IP header, you would see the authentication header, then the ESP header, and the integrity check value at the end. More commonly, you would see an IPSec tunnel using tunnel mode along with the authentication header and the ESP header.
In that case, the new IP header, the AH header, and the ESP header are added to the beginning of the packet. Inside of that we have the encrypted original IP header and the encrypted original data, and at the end we have the ESP trailer. Everything from the original IP header to the ESP trailer is encrypted, and the entire packet, from the very beginning to the very end, is authenticated using that combination of authentication header and encapsulating security payload.
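As an added example that is not from the original video, the following Python shows the ESP tunnel-mode framing described above (ESP header, encrypted original packet plus padding and trailer, integrity check value over header and ciphertext) together with the anti-replay window the IPSec passage mentioned earlier. The real cipher is replaced by a SHA-256 counter keystream so the example runs with the standard library alone; that stand-in, the keys, SPI, inner packet and the helper names `ReplayWindow`, `window_trace` and `demo` are all assumptions of this example, not part of any IPSec implementation.

```python
import hashlib
import hmac
import struct

NEXT_HDR_IPV4 = 4   # tunnel mode: the protected payload is a whole IPv4 packet
ICV_LEN = 16        # HMAC-SHA-256-128 truncated ICV (RFC 4868)


def keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in for a real ESP cipher (AES-GCM or AES-CBC): a SHA-256 counter keystream
    whose nonce is SPI||sequence number, so each packet is encrypted differently.
    This only serves to show the framing; do not use it as a cipher."""
    blocks = [hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ReplayWindow:
    """RFC 4303 section 3.4.3 sliding window: track the highest sequence number seen and a
    bitmap of the preceding `size` numbers, so duplicates and very late packets are rejected
    while mild reordering is tolerated."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                                   # sequence numbers start at 1
            return False
        if seq > self.highest:                         # new high water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                               # too old, or already received
        self.bitmap |= 1 << offset
        return True


def window_trace(seqs, size: int = 64) -> list:
    """Feed an arrival order of sequence numbers through one window; return the verdicts."""
    w = ReplayWindow(size)
    return [w.accept(s) for s in seqs]


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int, inner_packet: bytes) -> bytes:
    """ESP header | encrypted(original packet | padding | pad len | next header) | ICV.
    The ICV covers the ESP header and ciphertext; the outer IP header added by the caller
    is not protected by ESP."""
    pad_len = (-(len(inner_packet) + 2)) % 4           # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))             # default padding pattern 1, 2, 3 ...
    plaintext = inner_packet + padding + bytes([pad_len, NEXT_HDR_IPV4])
    header = struct.pack("!II", spi, seq)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, spi, seq, len(plaintext)))
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(enc_key: bytes, auth_key: bytes, packet: bytes, window: ReplayWindow):
    """Verify the ICV first (never decrypt unauthenticated data), then enforce anti-replay,
    then decrypt and strip the trailer. Returns the inner packet or None."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    if not window.accept(seq):
        return None
    plaintext = xor_bytes(authenticated[8:], keystream(enc_key, spi, seq, len(authenticated) - 8))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != NEXT_HDR_IPV4:
        return None
    return plaintext[:len(plaintext) - 2 - pad_len]


def demo() -> dict:
    """Constructed example: two packets through the SA, a replay of the first, a tampered copy."""
    enc_key, auth_key = b"\x22" * 32, b"\x33" * 32     # stand-ins for the SA's negotiated keys
    # Constructed inner packet: a fake 20-byte IPv4 header followed by application data.
    inner = bytes.fromhex("4500002000004000400600000a0101050a020209") + b"private data"
    window = ReplayWindow()
    p1 = esp_encapsulate(enc_key, auth_key, 0x2000, 1, inner)
    p2 = esp_encapsulate(enc_key, auth_key, 0x2000, 2, inner + b"!")
    tampered = bytearray(p1)
    tampered[12] ^= 0x80                               # flip a bit inside the ciphertext
    return {
        "first": esp_decapsulate(enc_key, auth_key, p1, window) == inner,
        "second": esp_decapsulate(enc_key, auth_key, p2, window) == inner + b"!",
        "replay_of_first": esp_decapsulate(enc_key, auth_key, p1, window) is not None,
        "tampered": esp_decapsulate(enc_key, auth_key, bytes(tampered), window) is not None,
        "ciphertext_hides_data": b"private data" not in p1,
    }
```

Two design points carry over to real implementations: the integrity check runs before any decryption so that a forged or corrupted packet is dropped without touching the cipher (this is what keeps padding oracles out of ESP), and the replay window is only advanced for packets whose ICV verified, otherwise an attacker could inject bogus high sequence numbers and push legitimate traffic out of the window.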