Overview
Our data can take paths through virtual networks on top of physical cabling and infrastructure. The virtual network and the tunnels can be seen as the overlay network whilst the physical conventional hardware and IPs can be seen as the underlay network.
With overlay technologies we can create a channel so that two different networks are able to communicate with each other across areas where the destinations would not be directly routable; for example, we can create private networks across the internet.
The implementation of overlay networks is made possible through technologies such as:
- Generic Routing Encapsulation (GRE)
- IP Security (IPsec)
- Multiprotocol Label Switching (MPLS)
It is important to note that, depending on the overlay technology being used, data may not be encrypted as one might assume a tunnel implies: IPsec supports encryption, while GRE does not.
Another key point is that MPLS tunnelling is not supported across the internet unless it is itself tunnelled within a technology such as IPsec.
GRE
Generic Routing Encapsulation is a tunnelling protocol that encapsulates a wide range of protocols within an IPv4 packet. This means that you can carry protocols such as IPv6, MPLS, IPv4 or others through a GRE tunnel, with an IPv4 packet header on the outside.
Implementation of a GRE tunnel takes place in 7 steps:
- Create the tunnel interface.
- Identify the source of the tunnel, i.e. where traffic will be encapsulated and de-encapsulated.
- Identify the remote destination IP address and set it as the tunnel destination address.
- Allocate an IP address to the tunnel interface.
- If specificity is needed, define the tunnel bandwidth.
- If the tunnel destination is not in the routing table, specify a GRE keepalive.
- Optionally, specify a maximum transmission unit (MTU) value for the tunnel interface.
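As an added example (not code from the page or its references), the following Python builds and parses the GRE encapsulation described above, a 4-byte GRE header behind an outer IPv4 header, and shows why GRE on its own gives no confidentiality: the inner packet is carried byte for byte in the clear. The addresses and payload are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800  # GRE protocol types reuse EtherType values (0x86DD IPv6, 0x8847 MPLS)

def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum of the 16-bit words of the header (RFC 791).
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # Minimal 20-byte IPv4 header without options; the checksum is filled in afterwards.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, proto: int, tun_src: str, tun_dst: str) -> bytes:
    # RFC 2784 GRE header: 16 bits of flags/version (all zero here) + 16-bit protocol type.
    # The inner packet is appended unchanged: GRE adds no encryption and no integrity check.
    gre = struct.pack("!HH", 0, proto)
    return ipv4_header(tun_src, tun_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> tuple:
    # Returns (outer src, outer dst, GRE protocol type, inner packet); raises on malformed input.
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    # Optional fields: C (checksum, RFC 2784), K (key) and S (sequence, RFC 2890) add 4 bytes each.
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    src, dst = str(IPv4Address(outer[12:16])), str(IPv4Address(outer[16:20]))
    return src, dst, proto, packet[ihl + gre_len:]

def demo() -> dict:
    # Constructed sample: an inner IPv4 packet (protocol 253, reserved for experiments) with a clear-text payload.
    payload = b"cleartext"
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 253, len(payload)) + payload
    tunnelled = gre_encapsulate(inner, GRE_PROTO_IPV4, "198.51.100.1", "203.0.113.2")
    src, dst, proto, recovered = gre_decapsulate(tunnelled)
    return {"outer": (src, dst), "proto": proto, "intact": recovered == inner,
            "payload_visible_on_wire": payload in tunnelled}
```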
IPsec
IPsec is a framework of open standards that allows for the creation of secure virtual private networks. It is widely supported in enterprise networking equipment and is therefore still widely used.
Features of IPsec include:
- Peer authentication: The identity of the peer is verified through authentication methods such as a pre-shared key.
- Data confidentiality: Data is encrypted, ensuring confidentiality via encryption algorithms and standards such as AES.
- Data integrity: Integrity is ensured through hashing algorithms such as SHA-1, which produce a fingerprint of the data. Never use MD5.
- Replay detection: Every packet is uniquely marked via a sequence number.
IPsec makes use of two different packet headers to deliver packets:
- Authentication Header (AH): It does not support encryption; however, it provides data integrity and authentication. Its use is not recommended unless authentication is all that is needed.
- Encapsulating Security Payload (ESP): The ESP header provides data confidentiality, authentication, and protection from replay attacks. ESP encrypts the original payload (before encapsulation), adding new headers for transport over the public network.
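The replay protection mentioned above works on the receiver with a sliding window over the ESP sequence numbers. As an added illustration (not code from the page or from any IPsec implementation), this Python models the receiver-side window described in RFC 4303 section 3.4.3: sequence numbers older than the window or already seen are dropped, and the window is only advanced after the packet's integrity check has passed, so a forged packet with a bad ICV cannot burn a sequence number. The arrival list in `simulate` is constructed sample input.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check modelled on RFC 4303 section 3.4.3.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been accepted.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # ESP sequence numbers start at 1, so 0 means "nothing seen yet"
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        # Pure check, done before the (more expensive) integrity verification.
        if seq == 0:
            return False
        if seq > self.top:
            return True                            # right of the window: new high-water mark
        diff = self.top - seq
        if diff >= self.size:
            return False                           # left of the window: too old
        return not (self.bitmap & (1 << diff))     # inside the window: reject if already seen

    def mark(self, seq: int) -> None:
        # Update the window; only called once the packet's ICV has verified.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq: int, icv_ok: bool) -> bool:
        # Receive path for one ESP packet: window check, then integrity check, then window update.
        if not self.is_fresh(seq) or not icv_ok:
            return False
        self.mark(seq)
        return True


def simulate(arrivals: list) -> list:
    # arrivals: constructed (sequence number, icv_ok) pairs in the order they reach the receiver.
    # Returns (sequence number, accepted) per packet.
    window = AntiReplayWindow()
    return [(seq, window.process(seq, ok)) for seq, ok in arrivals]
```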
IPsec modes
- Tunnel Mode: Encrypts the entire original packet and adds new IPsec headers used to route the packet, providing overlay functionality.
- Transport Mode: Encrypts and authenticates only the payload, without any support for overlay functions.
Transform Sets
During IPsec Security Association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
Transform types include:
- Authentication header transform (only one allowed)
- ESP encryption transform (only one allowed)
- ESP authentication transform (only one allowed)
- IP compression transform
Internet Key Exchange (IKE):
- A protocol that performs authentication between two endpoints to establish security associations (SAs), also known as IKE tunnels.
- The security associations are used to carry control plane and data plane traffic for IPsec.
- There are two versions: IKEv1 and IKEv2.
- IKEv1 is still important since it is supported by legacy infrastructure.
IPsec configuration can be broken down into 3 main steps:
- Configure IKE
- Configure IPsec and define the transform sets.
- Configure static virtual tunnel interfaces.
MPLS
MPLS combines the performance capabilities of Layer 2 switching with the scalability of Layer 3 routing.
- MPLS allows efficient delivery of IP services over an ATM switched network.
- MPLS supports the creation of routes between source and destinations on a purely router-based internet Backbone.
- MPLS scales well, and can be called on to speed up forwarding when deploying on x86-based architectures.
Label Switching
With a normal Layer 3 forwarding mechanism a packet traverses the network and each router along the path extracts the information needed to forward the packet from the Layer 3 header.
Usually the destination address field is the only relevant piece of information needed from the Layer 3 header; in some cases other header fields are relevant too. Thus, with normal Layer 3 forwarding, the header is inspected and a table lookup is performed independently at each hop.
With label switching, the Layer 3 header inspection is done only once. After the inspection is performed, the Layer 3 header is mapped into a fixed-length, unstructured value called a label (a 32-bit shim header carries the 20-bit label).
Different headers can be mapped to the same label as long as the next hop is always the same. A label represents a set of packets that, however different they may be otherwise, are treated identically for forwarding purposes.
At each subsequent hop through the MPLS routers, labels are swapped and forwarding decisions are made by means of MPLS forwarding table lookups on the label carried in the packet header. MPLS forwarding table lookups are faster than conventional Layer 3 lookups.
Label Bindings
Each Label Switching Router makes its own decision on the label value that represents a forwarding equivalence class, resulting in a label binding. Neighbours are informed of the label bindings that have been made. Label values therefore change as packets traverse the network.
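As an added example (not code from the page or its references), the following Python packs and parses the 32-bit shim header described above and walks a packet along a label-switched path: the ingress router pushes the label bound to the packet's forwarding equivalence class, each transit router does one lookup on the incoming label and swaps it for its own binding, and the penultimate router pops the label before delivery. The router names and LFIB contents are constructed sample values.

```python
import struct

def pack_label(label: int, tc: int, bos: bool, ttl: int) -> bytes:
    # 32-bit shim header: 20-bit label | 3-bit traffic class | 1-bit bottom of stack | 8-bit TTL
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("shim header field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)

def unpack_label(shim: bytes) -> tuple:
    (v,) = struct.unpack("!I", shim[:4])
    return v >> 12, (v >> 9) & 0x7, bool((v >> 8) & 1), v & 0xFF

def label_stack(packet: bytes) -> list:
    # Walks shim headers until the bottom-of-stack bit is set; the IP header follows them.
    stack, off = [], 0
    while True:
        entry = unpack_label(packet[off:off + 4])
        stack.append(entry)
        off += 4
        if entry[2]:
            return stack

def ingress_push(label: int, ip_packet: bytes, ttl: int = 64) -> bytes:
    # The ingress LSR inspects the IP header once, picks the FEC and pushes the bound label.
    return pack_label(label, 0, True, ttl) + ip_packet

def lsr_forward(lfib: dict, packet: bytes) -> tuple:
    # One hop: a single lookup on the incoming top label, no Layer 3 header inspection.
    # lfib maps incoming label -> (action, outgoing label or None, next-hop name).
    label, tc, bos, ttl = unpack_label(packet)
    if ttl <= 1:
        raise ValueError("MPLS TTL expired")
    action, out_label, next_hop = lfib[label]
    if action == "swap":
        return next_hop, pack_label(out_label, tc, bos, ttl - 1) + packet[4:]
    if action == "pop":
        return next_hop, packet[4:]   # penultimate hop popping: next hop receives plain IP
    raise ValueError("unknown LFIB action " + action)

def trace_lsp(ingress_label: int, transit: list, ip_packet: bytes) -> tuple:
    # transit: ordered LFIBs of the LSRs after the ingress router. Returns the label each
    # LSR saw on its incoming packet and the packet finally delivered to the egress router.
    packet, seen = ingress_push(ingress_label, ip_packet), []
    for lfib in transit:
        seen.append(unpack_label(packet)[0])
        _, packet = lsr_forward(lfib, packet)
    return seen, packet
```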
References:
- General: Chapter 16 of CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide (oreilly.com)
GRE
IPsec
- IPsec Configuration Guide, Cisco IOS XE 16 (Cisco ASR 920 Series) – Cisco
- Chapter 16 of this book CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide (oreilly.com)
- Kevin Wallace: https://www.youtube.com/live/anm84IVNBZU?si=BNCQhNMYPR4kPLrN
MPLS
- MPLS Basic MPLS Configuration Guide – Multiprotocol Label Switching (MPLS) on Cisco Routers [Cisco ASR 1000 Series Aggregation Services Routers] – Cisco
- Kevin Wallace: https://youtu.be/9WUjfUVBbIA?si=70oHk_Xd5gEVj2Qj