We rely on many different protocols to manage and connect our network devices. In this video, you’ll learn about ICMP, GRE, and IPsec protocols.
There will be many times as a network professional when you’d like to know if a device is on the network and operating. And one protocol that can provide you with that is ICMP. This is the Internet Control Message Protocol. You can think of this as a way to check in with that device, very similar to sending a text message to see if you get a response back from someone. ICMP is carried directly inside IP (it is IP protocol number 1), but it doesn’t use TCP or UDP and has no ports. ICMP is its own protocol sitting right on top of IP.
Although ICMP can be used for a number of administrative tasks, it’s most commonly associated with a way to send a message to a device to see if it’s alive and operating on the network and see if you can get a response back from that device. Whenever you use the ping command to ping an IP address on the network, it’s using ICMP to provide that ping functionality.
But ICMP can also provide you with information about other things that may be happening on the network. For example, if you’re trying to reach a network that isn’t reachable from your location, a router along the path sends back an ICMP destination unreachable message. Or if the time to live in a packet you’ve sent counts down to zero, the router that discarded it sends you an ICMP time exceeded message, which is exactly the behavior traceroute relies on. One caveat for anyone using ping as a liveness check: many firewalls and hosts silently drop ICMP, so no reply tells you only that you got no reply, not that the device is down.
Another common protocol on our network is GRE, or the Generic Routing Encapsulation protocol. If you’re creating a tunnel between two endpoints, which is commonly done for VPNs, you’re often creating that tunnel using GRE. GRE is IP protocol 47. It wraps the original packet, which can be IP or almost any other protocol, behind a small GRE header and a new outer IP header, sends it across the GRE tunnel, and decapsulates it on the other side. This does not, however, provide any encryption of the data. The GRE header and everything inside it travel in the clear, so anyone on the path can read the original packet. We’ll need to add a VPN protocol to encrypt the data that we are encapsulating in a GRE tunnel.
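To make the two previous points concrete, here is an added example (not code from the video) that builds an ICMP echo request, wraps it in an IPv4 packet with protocol 1, carries that packet through a GRE tunnel (outer IP protocol 47) between two gateways, and reads the original ping back out of the tunnel unchanged. It also decodes the destination unreachable and time exceeded errors described above, which quote the dropped packet’s IP header so the sender can tell which flow failed. The packets, addresses (documentation ranges) and payloads are constructed in memory; nothing is sent on the wire, so no raw sockets or root privileges are needed.

```python
import socket
import struct

IPPROTO_ICMP, IPPROTO_GRE = 1, 47
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
GRE_PROTO_IPV4 = 0x0800

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by the IPv4 header and ICMP.
    Over a message that already carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. The protocol field is what makes ICMP (1) or GRE (47)
    'its own protocol' inside IP: there is no TCP/UDP layer and no port."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP Echo Request (type 8): the message 'ping' sends."""
    head = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def build_icmp_error(itype: int, code: int, offending_packet: bytes) -> bytes:
    """Destination Unreachable (3) / Time Exceeded (11): a router quotes the IP header plus
    the first 8 bytes of the packet it dropped so the sender can match the error to a flow."""
    body = offending_packet[:28]
    head = struct.pack("!BBHI", itype, code, 0, 0)
    csum = inet_checksum(head + body)
    return struct.pack("!BBHI", itype, code, csum, 0) + body

def parse_icmp(ip_packet: bytes) -> dict:
    """Decode an IPv4 packet carrying ICMP, verifying the ICMP checksum."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != IPPROTO_ICMP:
        raise ValueError("IP protocol %d is not ICMP" % ip_packet[9])
    icmp = ip_packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code = icmp[0], icmp[1]
    info = {"type": itype, "code": code, "src": socket.inet_ntoa(ip_packet[12:16])}
    if itype in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        info["id"], info["seq"] = struct.unpack("!HH", icmp[4:8])
        info["payload"] = icmp[8:]
    elif itype in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        quoted = icmp[8:]                       # the original IP header starts here
        info["orig_dst"] = socket.inet_ntoa(quoted[16:20])
        info["orig_proto"] = quoted[9]
    return info

def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """RFC 2784 GRE: 4-byte header (no checksum/key/sequence flags, version 0, protocol type
    of the payload) behind a new outer IP header with protocol 47. Nothing is encrypted."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, gre + inner)

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IP and GRE headers, skipping the optional GRE fields if present."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):        # C (checksum), K (key), S (sequence): 4 bytes each
        if flags & bit:
            offset += 4
    return packet[offset:]

def ping_through_gre() -> dict:
    """Constructed sample: ping 10.0.1.1 from 10.0.0.1 across a GRE tunnel between two
    gateways (documentation addresses), then read the inner packet back out of the tunnel."""
    echo = build_icmp_echo(ident=0x1234, seq=1, payload=b"abcdefgh")
    inner = build_ipv4("10.0.0.1", "10.0.1.1", IPPROTO_ICMP, echo)
    tunnel = gre_encapsulate(inner, "198.51.100.1", "203.0.113.1")
    recovered = gre_decapsulate(tunnel)
    if recovered != inner:
        raise RuntimeError("inner packet damaged in transit")
    return parse_icmp(recovered)    # fully readable: GRE gives encapsulation, not confidentiality
```

Because the inner packet comes back out of the tunnel byte for byte, anyone who captures the outer packet can run the same decapsulation and read the ping, which is the whole reason GRE is paired with IPsec in the rest of this video.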
These are Virtual Private Network protocols, and it’s very common to use them to encrypt and protect any data being sent across one of those tunnels. It’s also common to use a purpose-built appliance to handle the encryption and decryption at the central point. We refer to this as a VPN concentrator. Sometimes this is a standalone unit, but it’s very often integrated into an existing firewall that’s connected to the network.
These concentrators are often hardware devices with specialized encryption hardware built in to add efficiency and throughput. But if you have a limited number of users, it’s also possible to run the VPN concentrator as software on a general-purpose operating system. A common site-to-site VPN configuration connects a corporate network to a remote site over a public network such as the internet.
At each site a VPN concentrator, usually a firewall or a router, terminates the tunnel, and the two concentrators connect the sites together over the internet. All of the traffic that crosses that public internet is encrypted using this VPN technology.
One of the popular protocols used to provide that encryption over those tunnels is IPSec. This stands for Internet Protocol Security, and it’s one of the most common ways to encrypt data being sent across these VPNs. IPSec doesn’t only provide encryption for confidentiality. It also adds an integrity check value to every packet, a keyed hash (an HMAC, or the tag of an AEAD cipher such as AES-GCM) computed with a key only the two peers hold, along with a per-packet sequence number. That gives you integrity, origin authentication and anti-replay protection for each packet. Note that this is not a digital signature on every packet; public-key signatures, if used at all, only appear when the peers authenticate each other during key exchange.
This is also a very widely implemented protocol, and it can be used across many different manufacturers’ devices. For example, you might have a firewall from one manufacturer on one side of a VPN tunnel and a firewall from a completely different manufacturer on the other side of the VPN tunnel. Because IPSec is a standard protocol, those two firewalls can connect to each other and transfer information over that IPSec tunnel, as long as both sides are configured with matching proposals (the same key exchange, cipher and integrity settings).
When you’re using IPSec there are commonly two primary protocols in use. One is the Authentication Header, or AH, which is IP protocol 51, and the other is the Encapsulating Security Payload, or ESP, which is IP protocol 50.
In order for IPSec to be able to send this encrypted data across the network, we first need to create this tunnel. And we do this by performing a series of steps prior to sending any data. Those steps are referred to as the Internet Key Exchange, or IKE, which today exists as IKEv1 and the simpler IKEv2. Internet Key Exchange lets both sides authenticate each other (with a pre-shared key or certificates) and agree on the algorithms and keys that will be used for the duration of that VPN tunnel. We refer to this agreement as a Security Association, or an SA.
There are two phases to this key exchange process. The first phase uses Diffie-Hellman to create a shared secret key for both sides of the conversation, and then authenticates the peers. This operates over UDP port 500 (or UDP port 4500 when NAT traversal is in use), and the packet format it uses is ISAKMP. This is the Internet Security Association and Key Management Protocol. In IKEv1 phase one runs in either main mode or aggressive mode; aggressive mode with a pre-shared key sends a hash of that key in the clear that an attacker can capture and crack offline, so main mode or IKEv2 is preferred.
In phase two (Quick Mode in IKEv1, the CREATE_CHILD_SA exchange in IKEv2), we coordinate which ciphers should be used for the encryption and the key sizes that would be appropriate, and we negotiate the IPSec security associations for this tunnel. Security associations are one-way, so there is one for inbound and one for outbound traffic, each identified by its own Security Parameter Index, or SPI.
So visually with phase one, we’re building the ISAKMP tunnel over UDP port 500. In phase two, we’re sending the encrypted data inside the Encapsulating Security Payload, or ESP, which travels directly over IP as protocol 50. This gives us the foundation we need to be able to send this encrypted data over the IPSec tunnel. If you’re building your own IPSec tunnel, you may be asked whether you’d like to use transport mode or tunnel mode. These work differently and protect different parts of the packet.
Let’s take the original packet, which includes an IP header and some data within that IP packet. We would like to send that over an IPSec tunnel. If we use transport mode, we insert an ESP header between the original IP header and the data. The original IP header and the ESP header both stay in the clear. Everything in the data portion of that IP packet is encrypted, together with the ESP trailer placed at the end of the data, and an integrity check value is appended after the trailer.
Notice that the original IP header is not encrypted when using transport mode. If someone captures this data, they’ll be able to see the original source and destination addresses and understand where this traffic is going, even if they can’t see the encrypted data within the packet. Transport mode is meant for host-to-host protection, where the two endpoints of the conversation are the two IPSec peers. Tunnel mode hides more. In tunnel mode, the original IP header and the data are all encrypted, so someone who captures this data sees only the addresses of the two tunnel endpoints, not the original source or destination.
Tunnel mode adds a new IP header, which carries the address of the IPSec concentrator at the far end, and uses the same ESP header and ESP trailer that we saw in transport mode. It’s not too surprising that most IPSec deployments use tunnel mode. In a site-to-site VPN the concentrators are not the hosts actually talking, so the original packet, header and all, has to be carried inside a packet addressed between the two gateways.
Earlier, we mentioned the two protocols that you commonly see associated with IPSec. One of those protocols is the Authentication Header, or AH. AH is used to validate the information that you’re receiving over an IPSec tunnel. If you’re only using the Authentication Header, you’re sending all of this information over the network in the clear, but you’re including a keyed hash to ensure the integrity of the data and the identity of the sender. That hash covers the payload and the fields of the IP header that don’t change in transit, including the addresses, which is why AH breaks when a NAT device rewrites those addresses along the path.
However, in most cases, we want to encrypt the data that we’re sending over the IPSec tunnel. And for that reason, we’ll use the Encapsulating Security Payload, or ESP. This protocol encrypts the original data along with the ESP trailer (padding, the pad length and the next-header field). In front of the encrypted region sits the ESP header, which carries the SPI and the sequence number in the clear so the receiver can find the right security association and detect replays. At the end of the packet is the integrity check value, which covers the ESP header, the encrypted data and the trailer, but not the outer IP header. In tunnel mode a new IP header addressed to the far concentrator is placed in front of all of this.
This encrypts all of your original data and also provides the authentication you need to ensure that the data arrives unmodified from the expected peer. ESP with integrity enabled is the normal configuration today; combining AH with ESP is rare, and modern AEAD ciphers such as AES-GCM handle encryption and integrity in a single pass.
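The packet layouts in the transport mode, tunnel mode and ESP sections above, as an added example that is not code from the video. It builds ESP packets with the RFC 4303 layout (SPI, sequence number, payload, padding, pad length, next header, integrity check value), verifies the ICV with HMAC-SHA-256-128 (RFC 4868), and implements the 64-entry anti-replay sliding window from RFC 4303. So that it runs with only the Python standard library, it uses NULL encryption (RFC 2410) rather than a real cipher: the payload and trailer stay readable, but the region they occupy is exactly what a cipher would encrypt. The sample IPv4/ICMP packet and the SA key are constructed for the example.

```python
import hashlib
import hmac
import struct

ESP_ICV_LEN = 16          # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits
IPPROTO_ICMP, IPPROTO_IPIP = 1, 4

def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """Build one ESP packet (RFC 4303):  SPI | Seq | payload | padding | pad len | next hdr | ICV
    The SPI and sequence number are always in the clear. Payload through next header is the
    region a cipher would encrypt; NULL encryption (RFC 2410) is used here so it stays readable.
    The ICV covers everything before it, never the outer IP header, which routers may modify."""
    pad_len = (-(len(payload) + 2)) % 4              # 4-byte alignment with NULL encryption
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding: 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    authenticated = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ESP_ICV_LEN]
    return authenticated + icv

class ReplayWindow:
    """RFC 4303 section 3.4.3 anti-replay: a sliding bitmap of received sequence numbers."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i set => seq (top - i) seen
    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                                    # 0 is never valid once anti-replay is on
            return False
        if seq > self.top:                              # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:   # too old, or already received
            return False
        self.bitmap |= 1 << diff
        return True

def esp_decapsulate(key: bytes, packet: bytes, window: ReplayWindow):
    """Verify the ICV, apply the replay window, strip the trailer. Returns (spi, next_header, payload).
    RFC 4303 does a preliminary window check before the ICV so replays are cheap to drop, and
    only advances the window after the ICV passes; this collapses both into check_and_update."""
    if len(packet) < 8 + 2 + ESP_ICV_LEN:
        raise ValueError("truncated ESP packet")
    body, icv = packet[:-ESP_ICV_LEN], packet[-ESP_ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ESP_ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong SA key")
    spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        raise ValueError("replayed or stale sequence number %d" % seq)
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return spi, next_header, body[8:len(body) - 2 - pad_len]

def transport_mode(key: bytes, spi: int, seq: int, ip_packet: bytes):
    """Transport mode: the original IP header stays in the clear in front of ESP; only the
    upper-layer data is protected, and Next Header names that upper-layer protocol."""
    ihl = (ip_packet[0] & 0x0F) * 4
    return ip_packet[:ihl], esp_encapsulate(key, spi, seq, ip_packet[ihl:], ip_packet[9])

def tunnel_mode(key: bytes, spi: int, seq: int, ip_packet: bytes) -> bytes:
    """Tunnel mode: the whole original packet, header included, is the ESP payload and Next
    Header is 4 (IPv4-in-IPv4). The gateway prepends a new outer IP header (not built here)."""
    return esp_encapsulate(key, spi, seq, ip_packet, IPPROTO_IPIP)

def accepted(key: bytes, packet: bytes, window: ReplayWindow) -> bool:
    """True if the receiver would pass this packet (ICV valid and sequence number fresh)."""
    try:
        esp_decapsulate(key, packet, window)
        return True
    except ValueError:
        return False

# Constructed sample: a 28-byte IPv4/ICMP echo 10.0.0.1 -> 10.0.1.1 and a fixed SA key.
SAMPLE_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_ICMP, 0,
                            bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])) + b"\x08\x00\x00\x00\x00\x01\x00\x01"
SAMPLE_KEY = bytes(range(32))
```

Run `tunnel_mode(SAMPLE_KEY, 0x1000, 1, SAMPLE_PACKET)` and compare it with `transport_mode(...)` to see the difference the video describes: in tunnel mode the original header is inside the protected region and Next Header is 4, while in transport mode that header is returned separately because it travels in the clear. Feeding the same packet to `esp_decapsulate` twice with one `ReplayWindow` shows the second copy being rejected on its sequence number, and flipping any byte of the protected region fails the ICV before the window is even consulted.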