[Image: VPN_Headers]

This first image is a breakdown of the different VPN packet types by their headers / trailers (or lack thereof), and the image that follows shows your typical IPSec VPN packet:

[Image: packet_segments_ipsec]

The generic representation of the IPSec VPN packet above works for a general review, but there are details in the headers that are begging for exam questions and must be broken down and committed to memory in case you are asked about them.

  • AH (Authentication Header) = Security, Data Origin Authentication (also offers anti-replay protection)
  • ESP (Encapsulating Security Payload) = Method of authenticating / securing / encrypting the Data payload
  • IKE (Internet Key Exchange) – The protocol to negotiate security parameters and authentication keys to form an SA (Security Association)

Going from top to bottom, let's review each packet type in the list above, starting at the top of the page:

  • Generic Frame = Ethernet Header | IP Header | Protocol Header | Payload
  • 1. Ethernet Header = Encapsulates Ethernet Frame
  • 2. IP Header = Source IP Address
  • 3. TCP/UDP Header = Port information; for a quick read on TCP vs UDP Headers that link is gold for a brief but concise comparison
  • 4. Data / Payload = “Blah blah blah”

This generic frame is what GRE uses. GRE is mostly mentioned regarding mGRE for DMVPN functionality, but it can also be configured to be encapsulated INSIDE IPSec VPN tunnels, because it does not have the limitations that IPSec VPNs have, which are as follows:

  • 1. IPSec tunnels can secure and encrypt Unicast traffic, but not Multicast or Broadcast traffic, which may be needed between sites
  • 2. GRE tunnels send Unicast packets that can encapsulate Multicast and Broadcast traffic, which can then be placed into a new IPSec packet as a unicast packet, so Multicast and Broadcast traffic can traverse VPN tunnels!

There will be a separate lab for GRE / IPSec that will demonstrate this concept as it is important to know both for the lab and real world as we always want more tools to get the job done!

Tunnel modes for VPN types explained in detail

First to be discussed will be the two modes, Tunnel and Transport, as they are hiding a field switcheroo in the packet fields you’d overlook at first glance:

  • 1. Tunnel mode will encrypt the packet and place that packet into a new packet, which will then route on agreed IP addresses between the Tunnel Endpoints
  • 2. Transport mode will encrypt the IP packet's payload, but the IPSec Header is inserted after the original IP Header, exposing the source address of the data; it only truly secures data from the Transport Layer up, as the original Source IP is still used

So if you are not looking again at that top illustration and saying “Oh, I didn’t see that, good to know” you either already know it or did not understand what you just read 🙂

AH Tunnel / Transport Mode explained in detail

First we will review the 2 different flavors of AH packets, explained from most protected to least, with details about each segment's purpose:

  • AH Tunnel Mode = Ethernet Header | New IP Header | AH Header| IP Header | TCP/UDP Header | Payload
  • 1. Ethernet Header = Encapsulates Ethernet Frame
  • 2. New IP Header = Usually IP of the Security Gateway / Peer IP
  • 3. AH Header = Security, Data Origin Authentication, optional Anti-Replay Protection (No Data Confidentiality / Encryption)
  • 4. IP Header = Source IP Address
  • 5. TCP/UDP Header = Port information; for a quick read on TCP vs UDP Headers that link is gold for a brief but concise comparison
  • 6. Data / Payload = “Blah blah blah”


  • AH Transport Mode = Ethernet Header | IP Header | AH Header | TCP/UDP Header | Payload
  • 1. Ethernet Header = Encapsulates Ethernet Frame
  • 2. IP Header = Source IP Address
  • 3. AH Header = Security, Data Origin Authentication, optional Anti-Replay Protection (No Data Confidentiality / Encryption)
  • 4. TCP/UDP Header = Port information; for a quick read on TCP vs UDP Headers that link is gold for a brief but concise comparison
  • 5. Data / Payload = “Blah blah blah”

It is a viable VPN solution to use, as it will protect the IP packet's payload; however, the authentication it provides is not complete. Because some of the IP Header fields may be changed in transmission, the receiver cannot accurately predict those IP fields, which makes the authentication incomplete, but AH still offers all the attributes mentioned for the AH Header.

The one big strike against AH is that although it does protect the data payload and is considered secure, the payload is NOT encrypted, so AH is considered non-confidential.
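The anti-replay protection mentioned for the AH Header above comes from the Sequence Number field that both AH and ESP carry, and the receiver enforces it with a sliding window. The following is an added example written for this post (not the author's code); it implements the 64-packet window scheme described in RFC 4303 Appendix A, and the sequence numbers fed to it are constructed for illustration, not captured from a real SA.

```python
"""Sliding-window anti-replay check for the AH/ESP Sequence Number field.

Added example, not the post's code. Follows the 64-packet window scheme of
RFC 4303 Appendix A; SAMPLE_ARRIVALS below is a constructed arrival order.
"""


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True if seq is new and inside the window (and record it); False means drop."""
        if seq == 0:
            return False                     # the first packet on an SA carries seq 1
        if seq > self.top:                   # newer than anything seen: slide the window up
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1                 # bit 0 now stands for the new top
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                     # older than the window: cannot prove it is fresh, drop
        if self.bitmap & (1 << diff):
            return False                     # already received: replay
        self.bitmap |= 1 << diff             # late but legitimate (reordered) packet
        return True


def run_sequence(seqs, size: int = 64):
    """Feed a list of sequence numbers through one window and return each verdict."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in seqs]


# Constructed arrivals: in order, one duplicate, one reordering, a big jump, then old packets
SAMPLE_ARRIVALS = [1, 2, 3, 2, 5, 4, 100, 40, 36, 37]

if __name__ == "__main__":
    for s, ok in zip(SAMPLE_ARRIVALS, run_sequence(SAMPLE_ARRIVALS)):
        print(f"seq {s:3}: {'accept' if ok else 'DROP'}")
```

The duplicate `2` and the `36` that falls 64 behind the current top are the two packets the window drops; `4` arriving after `5` is accepted because reordering inside the window is normal on a real path. Note that the window is per SA and that the sequence number only means something when the AH or ESP integrity check has already passed, otherwise an attacker could simply forge high sequence numbers to slide the window forward.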

The IP Header:

[Image: ipv4_header]

The Authentication Header:

[Image: AH_Header]

Next are the two more secure options of ESP, offering an ESP Header / Trailer as well as ESP Authentication – Let's review both again, most secure to least:

  • ESP Tunnel Mode = Ethernet Header | New IP Header | ESP Header | IP Header | TCP/UDP Header | Payload | ESP Trailer | ESP Authentication
  • 1. Ethernet Header = Encapsulates Ethernet Frame
  • 2. New IP Header = Usually IP of the Security Gateway / Peer IP
  • 3. IPSec / ESP Header = Encapsulates data / Encryption, Data Confidentiality
  • 4. IP Header = Source IP Address
  • 5. TCP/UDP Header = Port information; for a quick read on TCP vs UDP Headers that link is gold for a brief but concise comparison
  • 6. Data / Payload = “Blah blah blah”
  • 7. ESP Trailer = Encapsulates Data / Padding
  • 8. ESP Authentication =  Authentication Data / Hash Checksum


  • ESP Transport Mode = Ethernet Header | IP Header | ESP Header | TCP/UDP Header | Payload | ESP Trailer | ESP Authentication
  • 1. Ethernet Header = Encapsulates Ethernet Frame
  • 2. IP Header = Source IP Address
  • 3. IPSec / ESP Header = Encapsulates data / Encryption, Data Confidentiality
  • 4. TCP/UDP Header = Port information; for a quick read on TCP vs UDP Headers that link is gold for a brief but concise comparison
  • 5. Data / Payload = “Blah blah blah”
  • 6. ESP Trailer = Encapsulates Data / Padding / Pad Length / Next Header
  • 7. ESP Authentication =  Authentication Data / Hash Checksum
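To make the four layouts above concrete, here is an added example (written for this post, not the author's code) that builds one packet of each kind and dissects the part an observer on the path can read. It assumes 20-byte IPv4 headers with zeroed checksums, dummy 96-bit ICVs, and all-zero bytes standing in for the TCP header and for ESP ciphertext; the addresses are placeholders (RFC 5737 ranges for the tunnel endpoints, 10.x for the inner hosts). The interesting part is what the dissector can and cannot recover: with AH the Next Header field is in the clear, so tunnel vs transport, the inner addresses and the L4 protocol are all visible; with ESP only the SPI and Sequence Number are readable, because the Next Header lives in the encrypted trailer.

```python
"""Dissect the clear-text part of AH and ESP packets to tell tunnel from transport mode.

Added example for this post, not the author's code. Packets are constructed here
with placeholder addresses, zeroed checksums and dummy ICVs; no real keys or
captures are involved.
"""
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 17, 50, 51
PROTO_NAMES = {4: "IPv4-in-IPv4", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header: ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, checksum 0, addresses."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      _ip_bytes(src), _ip_bytes(dst))
    return hdr + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH per RFC 4302: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_esp(spi: int, seq: int, ciphertext: bytes, icv: bytes) -> bytes:
    """ESP per RFC 4303: only SPI and Seq are in the clear; Pad Length and Next Header are inside the ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext + icv


def parse_ipv4(buf: bytes):
    """Return (protocol, src, dst, payload) from an IPv4 packet, honouring IHL and Total Length."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return proto, ".".join(map(str, src)), ".".join(map(str, dst)), buf[ihl:total_len]


@dataclass
class Dissection:
    outer_src: str
    outer_dst: str
    ipsec_proto: str                  # "AH" or "ESP"
    spi: int
    seq: int
    mode: str                         # "tunnel", "transport" or "unknown (encrypted)"
    inner_src: Optional[str] = None   # only recoverable for AH tunnel mode
    inner_dst: Optional[str] = None
    visible_l4: Optional[str] = None  # layer-4 protocol an observer on the path can read


def dissect(pkt: bytes) -> Dissection:
    proto, src, dst, body = parse_ipv4(pkt)
    if proto == IPPROTO_AH:
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", body[:12])
        after_ah = body[(payload_len + 2) * 4:]
        d = Dissection(src, dst, "AH", spi, seq, "transport")
        if next_hdr == IPPROTO_IPIP:
            # Tunnel mode: a complete inner IP packet follows AH, and since AH never
            # encrypts, its addresses and L4 protocol are readable by anyone on the path.
            inner_proto, d.inner_src, d.inner_dst, _ = parse_ipv4(after_ah)
            d.mode = "tunnel"
            d.visible_l4 = PROTO_NAMES.get(inner_proto, str(inner_proto))
        else:
            d.visible_l4 = PROTO_NAMES.get(next_hdr, str(next_hdr))
        return d
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Next Header sits in the ESP trailer, inside the ciphertext, so the mode, the
        # inner addresses and the L4 protocol are all hidden without the SA keys.
        return Dissection(src, dst, "ESP", spi, seq, "unknown (encrypted)")
    raise ValueError(f"not an IPsec packet (IP protocol {proto})")


# --- constructed sample packets (placeholder addresses, dummy 96-bit ICVs) ---
TCP_SEG = bytes(20)                                   # stands in for a TCP header
INNER = build_ipv4("10.1.1.10", "10.2.2.20", IPPROTO_TCP, TCP_SEG)
AH_TRANSPORT = build_ipv4("10.1.1.10", "10.2.2.20", IPPROTO_AH,
                          build_ah(IPPROTO_TCP, 0x100, 1, bytes(12)) + TCP_SEG)
AH_TUNNEL = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_AH,
                       build_ah(IPPROTO_IPIP, 0x200, 7, bytes(12)) + INNER)
ESP_TRANSPORT = build_ipv4("10.1.1.10", "10.2.2.20", IPPROTO_ESP,
                           build_esp(0x300, 42, bytes(32), bytes(12)))   # encrypted TCP + trailer
ESP_TUNNEL = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP,
                        build_esp(0x301, 43, bytes(48), bytes(12)))      # encrypted inner IP + trailer

if __name__ == "__main__":
    for name in ("AH_TRANSPORT", "AH_TUNNEL", "ESP_TRANSPORT", "ESP_TUNNEL"):
        print(f"{name:14} {dissect(globals()[name])}")
```

Running it shows the "switcheroo" from the transport-mode discussion in data form: the two transport-mode packets carry the real host 10.1.1.10 in the outer header for anyone to see, the AH tunnel packet hides the hosts behind the gateway addresses but still leaks them in the clear inner header, and only the ESP tunnel packet keeps the gateway addresses as the sole visible endpoints.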

Now I want to post the image from the top right here for a quick comparison among all of these different VPN methods / modes:

[Image: VPN_Headers]

So as can be seen, ESP is highly preferred over AH if you have the resources to run it, and “Tunnel” mode is preferred over “Transport” mode because it keeps the Source IP Address secure.

Here is an image that I thought was very visual and helpful for seeing the difference between ESP Tunnel and Transport mode:

[Image: IP_Security_IPSec_ESP_01]

I am completely fried, so that will be it for the packet details; the next DEEP Dive will be a GRE over IPSec lab to see if we can brainwash the configuration just like all of this information – I can’t wait 🙂