7/24/2019 Performance Analysis on the Security of Generic Routing Encapsulation (GRE) OVER ISP'S Network
International Journal of Advance Foundation and Research in Computer (IJAFRC) Volume 2, Issue 10, October - 2015. ISSN 2348 - 4853, Impact Factor - 1.317
2015, IJAFRC All Rights Reserved www.ijafrc.org
Performance Analysis on the Security of Generic Routing Encapsulation (GRE) OVER ISP'S Network
Seth Alornyo1 and Michael Asante2
1 I.C.T Directorate, Koforidua Polytechnic
2 Computer Science Department, KNUST, Kumasi
1 bigseth10
customers who are not concerned about the internal tunneling architecture at the ISP end. Customers then have the flexibility to configure or reconfigure their IP architecture but still maintain connectivity. It creates a virtual point-to-point link to routers at remote points over an IP internetwork [1, 2].
II. GENERIC ROUTING ENCAPSULATION
Generic Routing Encapsulation (GRE) is a tunneling protocol defined in RFC 1702 and RFC 2784. It was originally developed by Cisco Systems for creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork [5, 6, 7]. GRE supports multiprotocol tunneling. It can encapsulate multiple protocol packet types inside an IP tunnel. Adding an additional GRE header between the payload and the tunneling IP header provides the multiprotocol functionality. IP tunneling using GRE enables network expansion by connecting multiprotocol sub-networks across a single-protocol backbone environment. GRE also supports IP multicast tunneling. Routing protocols that are used across the tunnel enable dynamic exchange of routing information in the virtual network [8, 9].
III. BASIC GRE IP HEADER CHARACTERISTIC
Figure 1 depicts the format of a GRE header in a network packet traversing a network. The GRE header is encapsulated in a payload found between the source and destination IP headers. These payloads add no security protocol to the IP header, which renders the GRE packet an unsecured medium for communication [9, 10].
GRE flags: The GRE flags are encoded in the first two octets. Bit 0 is the most significant bit, and bit 15 is the least significant bit. Some of the GRE flags include the following:
Checksum Present (bit 0): If the Checksum Present bit is set to 1, the optional checksum field is present in the GRE header.
Key Present (bit 2): If the Key Present bit is set to 1, the optional Key field is present in the GRE header.
Sequence Number Present (bit 3): If the Se
extended GRE headers also do not provide the security needed to secure data transmission [12, 13, 14].
Tunnel checksum: The tunnel checksum detects packet corruption. This option is not used often because checksums are used on other layers in the protocol stack, typically to ensure the accuracy of the GRE packets.
Tunnel key: Can be used for two purposes:
The tunnel key can be used for basic plaintext authentication of packets, in which only the two GRE endpoints share a secret number that enables the tunnel to operate properly. However, anyone in the packet path can easily see the key and is then able to spoof tunnel packets. A more common use of the tunnel key is when two routers want to establish parallel tunnels sourced from the same IP address. The tunnel key is then used to distinguish between GRE packets belonging to different tunnels.
Tunnel sequence number: This number is used to ensure that GRE packets are accepted only if the packets arrive in the correct order. The main function of GRE is to provide powerful yet simple tunneling. GRE supports any OSI Layer 3 protocol as payload, for which it provides virtual point-to-point connectivity. GRE also allows the use of routing protocols across the tunnel [11, 12, 13, 15, 16, 17]. The main limitation of GRE is that it lacks any security functionality. GRE only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses.
Figure 2: Extended GRE header (Adapted from Cisco Systems, 2010)
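An added example, not code from the paper: a Python parser for the GRE header fields described above (flag bits 0, 2 and 3, checksum, tunnel key, sequence number), run on a constructed packet. The sample packet, the key value 42, the host name and all function names are assumptions made for illustration; the point is that the tunnel key and the inner payload are recovered byte for byte without any secret, which is what any device on the packet path sees.

```python
import struct

# Flag bits in the first two GRE octets (bit 0 is the most significant bit).
CHECKSUM_PRESENT = 0x8000  # bit 0
ROUTING_PRESENT = 0x4000   # bit 1 (RFC 1701 only; not handled here)
KEY_PRESENT = 0x2000       # bit 2
SEQUENCE_PRESENT = 0x1000  # bit 3


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum, as used by the GRE checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_gre(packet: bytes) -> dict:
    """Parse the GRE bytes that follow the outer (tunnel) IP header."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & 0x0007 or flags & ROUTING_PRESENT:
        raise ValueError("unsupported GRE version or routing field")
    info = {"protocol": protocol, "checksum_ok": None, "key": None, "sequence": None}
    offset = 4
    for bit, name in ((CHECKSUM_PRESENT, "checksum_ok"), (KEY_PRESENT, "key"),
                      (SEQUENCE_PRESENT, "sequence")):
        if not flags & bit:
            continue
        if len(packet) < offset + 4:
            raise ValueError("truncated optional GRE field")
        if bit == CHECKSUM_PRESENT:
            # A valid checksum makes the sum over the whole GRE packet fold to 0.
            info[name] = internet_checksum(packet) == 0
        else:
            info[name] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    info["payload"] = packet[offset:]
    return info


def inner_tcp_data(payload: bytes) -> bytes:
    """Return the TCP application bytes of an inner IPv4 packet, unmodified."""
    ihl = (payload[0] & 0x0F) * 4
    data_offset = (payload[ihl + 12] >> 4) * 4
    return payload[ihl + data_offset:]


def build_sample() -> bytes:
    """Constructed sample: GRE (C, K, S set) around IPv4/TCP/HTTP; not a real capture."""
    http = b"POST /login.php HTTP/1.1\r\nHost: site2.example\r\n\r\nuser=demo&pass=constructed"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http), 0, 0, 64, 6, 0,
                     bytes([1, 1, 1, 1]), bytes([2, 2, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    flags = CHECKSUM_PRESENT | KEY_PRESENT | SEQUENCE_PRESENT
    body = struct.pack("!II", 42, 7) + ip + tcp + http  # key=42, sequence=7
    head = struct.pack("!HHHH", flags, 0x0800, 0, 0)     # checksum zero while summing
    csum = internet_checksum(head + body)
    return head[:4] + struct.pack("!HH", csum, 0) + body
```

Calling `parse_gre(build_sample())` returns the key and sequence number in the clear, and `inner_tcp_data()` on its payload returns the HTTP request including the form fields. The checksum only detects corruption: it is unkeyed, so it can be recomputed by whoever modifies the packet.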
V. METHODOLOGY
The method adopted in this work is the structural design and simulation of a GRE tunnel network. GNS3 software was used to simulate the network with Cisco routers running the original Internetwork Operating System (IOS). Network device configuration and penetration testing can be carried out when using GNS3. Routers used in the simulation are Cisco routers. Comparative analysis and penetration testing were done to check the security level of GRE tunnels. The open source network protocol analyzer Wireshark [16] was used to capture traffic traversing the Service Provider network for further analysis and interpretation.
Simulated Virtual Lab
In the simulated virtual lab, a site-to-site GRE tunnel VPN was configured with Cisco routers running IOS (Internetwork Operating System) version 12.4. Once configured, the VPN traffic between Router 1 on
interfaces Router 1 and Router 2 was captured using Wireshark for further processing and analysis. Each of the simulated networks connects to an Internet Service Provider (ISP). The Internet Service Provider only provides internet subscription to the client (institution). The simulated network will provide institutional connectivity to remote sites over the internet. A study into Service Providers' network architectural design outlines certain configuration parameters which allow internet subscription from clients and other IP services hosted by the Service Provider. This paper has simulated those architectural designs of Service Providers to allow connectivity to the client.
Figure 3 illustrates the simulated network topology used to design the network infrastructure. The ISP has two routers (ISP 1 and ISP 2). ISP 1 connects router 1 and ISP 2 connects router 2. Router 1 and router 2 are considered the edge routers and clients of the ISP. The ISP has a serial connection from ISP 1 to ISP 2. ISP 1 connects its edge router through a fastethernet 0/0 interface and ISP 2 connects its edge router through a fastethernet 0/0 interface. The ISP provides only internet access to router 1 and router 2 (edge devices). A virtual cloud adaptor from figure 4 was used to virtualize the physical interface of a laptop network adaptor as a Loopback adaptor interface. This virtualization enabled a laptop adaptor to be part of the simulated network.
Figure 3: Simulated GRE tunnel network (Authors)
VI. CONFIGURATION OF THE NETWORK INTERFACE ADDRESSES (STEP ONE)
A loopback and a tunnel interface were configured on router 1 and router 2 fastethernet and the serial interfaces. Fastethernet 0/0 on router 1 was configured with the IP address 200.1.1.1 and a subnet mask 255.255.255.0. Fastethernet 0/0 is the outbound interface connected to the service provider (ISP1) for internet access. Loopback interface 0 was configured with the IP address 1.1.1.1 and a subnet mask 255.255.255.0. The loopback interface represents all internal hosts connected to router 1. Router 2 was also configured with the same parameters. The loopback interface was assigned the IP 2.2.2.2 and a subnet mask 255.255.255.0. Fastethernet 0/0 connects to the Internet Service Provider (ISP2) for internet access. Fastethernet 0/0 was assigned the IP 200.1.2.2 and a subnet mask 255.255.255.0. A "no shutdown" command was issued on each of the configured interfaces to activate them.
A tunnel interface (tunnel 0), which is used to transport GRE packets from router 1 and router 2, was configured on router 1 and router 2 with the IP 12.12.12.1 and 12.12.12.2 respectively. Tunnel 0 was virtualized with the physical interface fastethernet 0/0 so that tunnel packets flow through the physical interface connected to the Internet Service Provider (ISP). The command "tunnel source 20.1.1.1 and a tunnel destination 200.1.2.2" was issued on both routers to connect the tunnel (tunnel 0) interface to the physical interface to transport packets to the ISP. Configured tunnel 0 on router 1 and
router two (2) will be the transport medium to forward all VPN traffic through the ISP's network. The ISP (Internet Service Provider) network as shown in figure 14 was simulated with two routers, ISP1 and ISP2. ISP 1 has two interfaces, interface fastethernet 0/0 and interface serial 1/0. Interface fastethernet 0/0 connects router 1 and interface serial 1/0 connects ISP 2. Fastethernet 0/0 was configured on the ISP 1 router with the IP address 200.1.1.2 and a subnet mask 255.255.255.0; interface serial 0/0 was also configured with the IP address 200.11.22.1 with subnet mask 255.255.255.25. The command "no shutdown" was issued on each configured interface to activate it. The ISP2 router has two interfaces, interface fastethernet 0/0 and interface serial 1/0. Interface fastethernet 0/0 connects router 1 and serial 1/0 connects ISP2 serial interface 1/0. Interface fastethernet 0/0 was configured with the IP address 200.1.1.1 with a subnet mask 255.255.255.0 and interface serial 1/0 with an IP address 200.11.22.2 subnet 255.255.252. A "no shutdown" command was issued on each interface to activate it.
VII. CONFIGURATION OF ROUTING PROTOCOL ON CLIENT ROUTERS (STEP 2)
In order to maintain connectivity between remote networks, EIGRP was configured to route packets between all networks in the diagram. All connected subnets were added into the EIGRP autonomous system on every router. The command:
Router eigrp 1
Network 10.0.0.0
Network 12.0.0.0
Network 192.168.0.0
The command "router eigrp 1" enables and activates Enhanced Interior Gateway Routing Protocol (EIGRP) under one (1) Autonomous System on router one (1); the command network 10.0.0.0, 12.0.0.0, 192.168.0.0 advertises the networks which are directly connected to router 1 to the ISP one (1) network. The command:
Router eigrp 1
Network 12.0.0.0
Network 2.0.0.0
Network 192.168.0.0
The command "router eigrp 1" enables and activates Enhanced Interior Gateway Routing Protocol under one (1) Autonomous System on router 2; the command network 12.0.0.0, 2.0.0.0, 192.168.0.0 advertises the networks which are directly connected to router 2 to the ISP2 network. Configuring an autonomous system places EIGRP under one administrative control.
VIII. CONFIGURING ROUTING PROTOCOL ON ISP ROUTERS (STEP 3)
The simulated network has two routers which establish connectivity to both clients (router 1 and router 2). Routing Information Protocol version 2 (RIPv2) was configured on the ISP's routers. This enables the ISP routers to receive network advertisements from the router 1 and router 2 networks. The ISP1 router has two main interfaces, interface fastethernet 0/0 and interface serial 0/1. Interface fastethernet 0/0 is directly connected to router 1 and interface serial 0/1 is connected to the ISP2 network. The ISP 1 router was configured with the command
Router rip
Version 2
Network 200.1.1.0
Network 200.11.22.0
The ISP 2 router has two main interfaces, interface fastethernet 0/0 and serial 0/1. Interface fastethernet 0/0 connects router 2 and interface serial 0/1 connects to the ISP 2 network. The ISP 2 router was configured with the command
Router rip
Version 2
Network 200.1.2.0
Network 200.11.22.0
Networks advertised on the ISP's router are the networks connected to interface fastethernet 0/0 to router 1 and interface serial 0/0 to the ISP2 interface. Networks advertised on the ISP2 router are the networks connected to interface fastethernet 0/0 to router 2 and interface serial 0/0 to ISP1.
A ping command was issued from router 1 to the various configured interfaces to verify that the local subnets were reachable. All ping commands sent were successful. Step one (1) to step three (3) are the processes used to simulate the GRE tunnel from router 1 through the ISP's network to router 2.
IX. NETWORK INTERFACE MODES (INTERFACE OPERATION ON ROUTER ONE)
The command 'show ip interface brief' was issued on router one (1) and the output shown in figure 4 was obtained. Fastethernet 0/0 with an IP address 200.1.1.1 connects to the ISP one (1) network, which shows that the interconnectivity between the client router and the service provider is active (up), while the protocol supporting the interface is also active (up). Interface tunnel 0 configured for Generic Routing Encapsulation (GRE) is also active (up).
Figure 4: Interface Configuration Operation (Authors)
Interface Configuration Operation On Router Two (2)
The command 'show ip interface brief' was issued on router two (R2) and the output is shown in figure 5. Fastethernet 0/0 with an IP address 200.1.1.2 connects to the ISP two (ISP 2) network, which shows that the interconnectivity between the client router and the service provider is active (up), while the protocol supporting the interface is also active (up). Interface tunnel 0 configured for Generic Routing Encapsulation (GRE) is also active (up). Clients connected to router one (1) can tunnel through (tunnel 0) the ISP's network to router two (2). Hence the tunnel connectivity between router one (1) and router two (2) can be established through the tunnel interfaces.
Figure 5: Interface Configuration Operations (Authors)
X. TESTING ROUTING CONFIGURATIONS ON ISP'S ROUTERS
The command 'show ip route' was issued on the ISP 1 router and the output is shown in figure 6. The ISP 1 router has the above configuration in its routing table: public Internet Protocol (IP) network 200.11.22.0 is directly connected (C) to interface serial 0/0. Internet Protocol network 200.1.2.0 is also directly connected to the fastethernet 0/0 interface. This directly connected interface indicates the interconnectivity between the client router and the ISP's network. Routing Information Protocol (R) advertises the 200.1.2.0 network through the serial 0/0 interface with an administrative distance of 120 and a metric value of 1 (120/1).
Figure 6: Routing Configuration Testing (Authors)
Routing Configuration Operation On ISP Two (2)
The command 'show ip route' was issued on the ISP 2 router and the output is shown in figure 9. The ISP two (2) router has the above configuration in its routing table: public Internet Protocol (IP) network 200.11.22.0 is directly connected (C) to interface serial 1/0. Internet Protocol network 200.1.2.0 is also directly connected to the fastethernet 0/0 interface. These directly connected interfaces indicate the interconnectivity between the client router and the ISP's network. Routing Information Protocol (R) advertises the 200.1.2.0 network through the serial 0/0 interface with an administrative distance of 120 and a metric value of 1 (120/1).
Figure 9: Routing Configuration Testing (Authors)
XI. RESULTS AND ANALYSIS
An HTTP reer
(wireshark)
Figure 10: Captured Packets Over Simulated ISP Network (Authors)
Figure 11 also depicts a sample captured TCP session, which shows the raw conversation between the laptop and the web server over the tunnel network. Wireshark was used to capture and display the Transmission Control Protocol (TCP) session stream. The TCP session stream option in Wireshark enables packets to be displayed in a stream window as shown in figure 11. The stream window displays the whole packet conversation between two end points. Samples of all web programming languages such as HTML and PHP are sent in clear text over the tunnel network.
Figure 11: Raw TCP Conversation on a Simulated GRE-VPN tunnel (Authors)
Figure 12 illustrates the Hypertext Transmission Protocol (HTTP) packets transmitted over the GRE VPN tunnel across the ISP network. All packets sent were able to reach the destination tunnel; there was no packet loss during the transmission over the simulated tunnel network. Packet loss and system timeouts were not recorded in the simulated network. All HTTP packets sent were delivered and processed by the web server.
Figure 12: Wireshark HTTP Packet Counter Lifetime Over GRE-VPN Tunnel (Authors)
XII. CONCLUSION
The notion that Generic Routing Encapsulation (GRE) only provides basic plaintext authentication using the tunnel key, which is not secure, and tunnel source and destination addresses does not imply that