Understanding Virtual Private Networks
Tunneling: Generic Route Encapsulation (GRE)
GRE, or Generic Routing Encapsulation, is
the standard solution for Service Providers that have an established
IP network and want to provide managed IP VPN services.
One of the most significant advantages of this approach is
that Service Providers can offer application-level QoS. This
is possible because the routers still have visibility into
the additional IP header information needed for fine-grained
QoS (this is hidden in an IPSec packet).
Traffic is restricted to a single provider’s network,
allowing end-to-end QoS control. This restriction of “on-net
only” traffic also allows the GRE tunnels to remain
secure without using encryption. Customers who require greater
levels of security can still use “on-demand” application-level
encryption such as secure connections in a web browser. The
entire connection may be encrypted, but at the cost of QoS
In summary, GRE offers:
- Encryption-optional tunneling.
- Fine-grained QoS service capabilities,
including application-level QoS.
- IP-level visibility makes this the platform
of choice for building value-added services such as application-level
What Is IPSec?
IPSec provides IP network-layer encryption.
IPSec is a standards-based technology that governs security
management in IP environments. Originally conceived to solve
scalable security issues in the Internet, IPSec establishes
a standard that lets hardware and software products from many
vendors interoperate more smoothly to create end-to-end security.
IPSec provides a standard way to exchange public cryptography
keys, specify an encryption method (e.g., data encryption
standard (DES) or RC4), and specify which parts of packet
headers are encrypted.
What is Internet Key Exchange (IKE)?
IPSec assumes that a security association
is in place, but does have a mechanism for creating that association.
The IETF chose to break the process into two parts: IPSec
provides the packet level processing while IKE negotiates
security associations. IKE is the mechanism IPSec uses to
set up SAs
IKE can be used for more than just IPSec. IPSec is its first
application. It can also be used with S/Mime, SSL, etc.
IKE does several things:
- Negotiates its own policy. IKE has several
methods it can use for authentication and encryption. It is
very flexible. Part of this
is to positively identify the other side of the connection.
- Once it has negotiated an IKE policy,
it will perform an exchange of key-material using authenticated
- After the IKE SA is established, it will
negotiate the IPSec SA. It can derive the IPSec key material
with a new Diffie Hellman or
by a permutation of existing key material.
Summarize that IKE does these 3 things:
- Negotiation of policy
- Exchange key material