Configuring GRE Tunnels over IPsec参考.ppt

IPsec VPNs Configuring GRE Tunnels over IPsec Generic Routing Encapsulation OSI Layer 3 tunneling protocol:OSI第三层隧道协议: Uses IP for transport使用IP传输 Uses an additional header to support any other OSI Layer 3 protocol as payload (e.g., IP, IPX, AppleTalk)使用附加的报头支持其它的第三层的协议,其它的第三层的协议被作为负载(如IP,IPX,AppleTalk) Default GRE Characteristics Tunneling of arbitrary OSI Layer 3 payload is the primary goal of GRE Stateless (no flow control mechanisms) No security (no confidentiality, data authentication, or integrity assurance) 24-byte overhead by default (20-byte IP header and 4-byte GRE header) Optional GRE Extensions GRE can optionally contain any one or more of these fields: Tunnel checksum Tunnel key Tunnel packet sequence number GRE keepalives can be used to track tunnel path status. GRE Configuration Example GRE tunnel is up and protocol up if: Tunnel source and destination are configured Tunnel destination is in routing table GRE keepalives are received (if used) GRE is the default tunnel mode. Introducing Secure GRE Tunnels GRE is good at tunneling:GRE隧道优点: Multiprotocol support多协议的支持 Provides virtual point-to-point connectivity, allowing routing protocols to be used提供了虚拟的点到点的连接,允许使用路由协议 GRE is poor at security—only very basic plaintext authentication can be implemented using the tunnel key (not very secure)GRE的安全性不高—通过隧道密钥仅仅可以支持基本的明文认证(非常不安全) Introducing Secure GRE Tunnels (Cont.) GRE cannot accommodate typical security requirements:GRE不能提供典型安全的特性: Confidentiality机密性 Data source authentication数据源的认证 Data integrity数据完整性 IPsec Characteristics IPsec provides what GRE lacks:IPsec能够提供GRE无法实现的如下安全特性: Confidentiality through encryption using symmetric algorithms (e.g., 3DES or AES)通过使用对称式的加密算法实现数据的机密性(如3DES或AES) Data source authentication using HMACs (e.g., MD5 or SHA-1)使用HMACs实现数据的源认证(如MD5或SHA-1) Data integrity verification using HMACs同时HMACs还提供的数据完整性的确认 IPsec Characteristics (Cont.) IPsec is not perfect at tunneling:当以隧道方式工作时,IPsec并不是最好的: Older Cisco IOS so