Generic Routing Encapsulation - GRE
Many intrusions succeed because a communication channel passes through multiple intermediary points or nodes. What if those intermediaries could be taken out of the path? That is what GRE offers. Try GRE if you want to create a direct network path that shields the data packets in transit.
Read this guide to learn more about it. Let's begin with the meaning of GRE.
What is GRE?
GRE, or Generic Routing Encapsulation, is a widely used protocol in which data is encapsulated so that it can be routed across the internet on behalf of other protocols. Defined in RFC 2784, it is useful when IP packets must travel between two networks without intermediate routers handling them as ordinary IP packets.
The advantages of using this communication protocol are:
- Better workarounds
- Connectivity with disintegrated sub-networks
- Compatibility with VPNs
What Does Tunneling GRE Mean?
Anyone trying to understand GRE fully will meet the concept of GRE tunneling, because it is the core idea. The simplest explanation of it is packet encapsulation.
GRE tunnels are commonly configured between two routers, which act as the two ends of the tunnel.
The key function of these routers is to forward and receive the GRE packets without interruption or intermediaries. Routers along the path do not look inside the encapsulated packets; to get a packet to the right destination, they refer only to the outer headers and need no other information.
Now, one might wonder why this method is called 'tunneling'. To understand it, take the example of a truck that has to travel from one point to the next. Suppose both points are on opposite sides of a mountain, and the only viable route is through the mountain.
No ordinary truck can drive through solid rock, so the driver would have to take a detour. But what if there is a tunnel through the mountain? With the tunnel, the trip becomes easy and feasible.
Now imagine the same scenario in networking terms. The two points are two internet-connected devices; the mountain is the network; the truck is the data that has to travel. When the network and the data-packet type are incompatible, the data packets would otherwise have to take a detour to reach the other device.
GRE is useful for creating a tunnel in such a case. Because GRE works like a tunnel that lets otherwise unsupported data packets pass easily, it is known as a tunneling protocol.
Transporting Data Through The GRE Tunnel
Let's now look at how this process works. Basically, two networks connect virtually through the GRE passage, which supports the safe travel of the data. The tunnel imposes no restrictions or obligations on the data it carries.
Hence, data is transmitted directly from one device to another. 'Virtual' here means that there is no direct interaction with the payloads: the data travels via the routers and is forwarded hop by hop until it reaches the destination.
The GRE tunnel is configured at the router level, and the details vary with the service and hardware used. The basis of a GRE tunnel configuration is setting up a tunnel interface and supplying the public IP addresses of both tunnel ends.
While configuring GRE, make sure the source IP address of the peer is whitelisted in the firewall. The whitelisting should be done at both tunnel ends.
One best practice is to terminate the tunnels in front of the firewall. This way, the firewall can examine the inner packets.
Next, make sure the MTU is within limits; the MTU has to be predefined. The usual MTU limit is 1,500 bytes, but when you use GRE you have to leave room for the GRE header, which adds 24 bytes.
Traffic flow within a GRE tunnel is symmetric, and the recommended MTU setting is 1,400 bytes.
GRE and MTU and MSS Requirements
How well GRE works depends largely on the MSS and MTU of the network, so we recommend understanding these requirements before you start using the protocol. For beginners: MTU measures the total packet size, while MSS measures the payload.
If data exceeds the MTU limit, it is automatically fragmented into smaller pieces that are easier to process.
When you use GRE, a few bytes are added to each data packet. You can see the increase by checking the MTU and MSS settings. The GRE header adds 24 bytes, so if data with a 1,500-byte MTU and a 1,460-byte MSS is processed through GRE, the MTU and MSS limits are exceeded.
In that case the data packet is fragmented, packet delivery slows down, and the end user needs more computing power to keep up.
One viable fix is to reduce the MSS so that the GRE header is accommodated. The evident downside is that the payload becomes a little smaller, so more packets are needed to deliver the same data. Hence, one has to plan and set the MTU and MSS requirements accordingly.
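The two ideas above, packet encapsulation at the tunnel ends (the tunneling section) and the 24-byte overhead that pushes a full-size inner packet over the MTU (this section), can be worked through in code. The following Python is an added example written for this guide; it is not Wallarm's code and not part of any GRE implementation. The addresses, the 1,460-byte default MSS and the dummy TCP header are constructed sample values, the GRE header is the minimal 4-byte RFC 2784 form with no checksum or key option, and the IPv4 header checksum is left at zero because nothing here touches a real interface.

```python
import struct

# Overhead from the article: 20-byte outer IPv4 header + 4-byte GRE header = 24 bytes.
GRE_OVERHEAD = 20 + 4
IPV4_TCP_HEADERS = 20 + 20      # inner IPv4 + TCP headers; MTU minus these = MSS
GRE_PROTO_IPV4 = 0x0800         # GRE "Protocol Type" value for an IPv4 payload
IPPROTO_GRE = 47                # outer IP protocol number for GRE
IPHDR = "!BBHHHBBH4s4s"         # fixed 20-byte IPv4 header layout


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left 0: this never hits a wire)."""
    return struct.pack(IPHDR, 0x45, 0, total_len, 0, 0, 64, proto, 0, _ip(src), _ip(dst))


def inner_tcp_packet(src: str, dst: str, payload_len: int) -> bytes:
    """Constructed inner IPv4/TCP packet: dummy TCP header plus filler payload."""
    tcp_header = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x18, 65535, 0, 0)
    body = tcp_header + b"\x00" * payload_len
    return ipv4_header(src, dst, 6, 20 + len(body)) + body


def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """[outer IPv4, proto 47][GRE: C=0, Reserved0=0, Ver=0, proto 0x0800][inner packet]."""
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    total_len = 20 + len(gre_header) + len(inner)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, total_len) + gre_header + inner


def transit_view(packet: bytes) -> dict:
    """All an intermediate router parses: the outer header. Inner addresses are not visible here."""
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPHDR, packet[:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "total_len": total_len, "ttl": ttl}


def gre_decapsulate(packet: bytes) -> bytes:
    """Far tunnel end: check the outer protocol and GRE header, then hand back the inner packet."""
    if transit_view(packet)["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    ihl = (packet[0] & 0x0F) * 4
    flags_ver, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:          # Ver field must be 0 (RFC 2784)
        raise ValueError("unsupported GRE version")
    if flags_ver & 0x8000:          # C bit set: 4 more header bytes follow; not handled here
        raise ValueError("GRE checksum option not supported by this example")
    if proto_type != GRE_PROTO_IPV4:
        raise ValueError(f"unexpected GRE payload type 0x{proto_type:04x}")
    return packet[ihl + 4:]


def ipv4_fragment_count(total_len: int, mtu: int) -> int:
    """How many IPv4 fragments a packet of total_len bytes needs on a link with this MTU."""
    if total_len <= mtu:
        return 1
    per_fragment = (mtu - 20) // 8 * 8     # non-final fragment payloads are multiples of 8 bytes
    return -(-(total_len - 20) // per_fragment)


def clamp_mss(tunnel_mtu: int) -> int:
    """TCP MSS that keeps an inner IPv4/TCP packet within tunnel_mtu."""
    return tunnel_mtu - IPV4_TCP_HEADERS


def sizing_report(underlay_mtu: int, tunnel_mtu: int) -> dict:
    """Does a full-size inner packet survive GRE encapsulation without fragmentation?"""
    mss = clamp_mss(tunnel_mtu)
    encapsulated = gre_encapsulate("198.51.100.1", "203.0.113.1",
                                   inner_tcp_packet("10.0.0.1", "10.0.1.1", mss))
    return {"mss": mss, "encapsulated_len": len(encapsulated),
            "fragments": ipv4_fragment_count(len(encapsulated), underlay_mtu)}


if __name__ == "__main__":
    inner = inner_tcp_packet("10.0.0.1", "10.0.1.1", 100)
    tunneled = gre_encapsulate("198.51.100.1", "203.0.113.1", inner)
    print("transit sees:", transit_view(tunneled))
    assert gre_decapsulate(tunneled) == inner
    for tunnel_mtu in (1500, 1476, 1400):   # untouched, exact fit, the article's recommendation
        print(tunnel_mtu, sizing_report(1500, tunnel_mtu))
```

Running it shows the three cases the text describes: with the tunnel MTU left at 1,500 the encapsulated packet is 1,524 bytes and splits into two fragments on a 1,500-byte link; clamping the MSS to 1,436 makes the inner packet 1,476 bytes and the encapsulated packet exactly 1,500; the article's 1,400-byte setting gives an MSS of 1,360 and leaves headroom. `transit_view` is also a useful reminder that the outer header is all a transit hop reads, and that nothing in GRE hides the inner packet from anyone who does look.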
GRE and DDoS attacks
GRE tunneling can also be abused, in whole or in part, in DDoS attacks. As we all know, a DDoS attack floods a network or web server with so much traffic that it becomes inaccessible to legitimate users.
A skilled attacker can build a botnet and use GRE to control it while a DDoS attack is staged.
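The whitelisting advice from the configuration section and the warning in this section point at the same defensive check: GRE (IP protocol 47) should only ever be seen between the tunnel endpoints you configured, so GRE from any other source is either a misconfiguration or attack traffic. The Python below is an added example written for this guide, not Wallarm's code or part of any product; it expresses the allowlist as a predicate and runs it over constructed flow records (the addresses, packet counts and the 10,000-packet flood threshold are made-up sample values, and the flow tuple shape is an assumption rather than any particular log format).

```python
from ipaddress import ip_address

IPPROTO_GRE = 47

# Constructed flow records: (src, dst, ip_proto, packets). Not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.5", 47, 1200),    # our configured peer -> us
    ("198.51.100.5", "203.0.113.10", 47, 1180),    # us -> our configured peer
    ("192.0.2.77",   "198.51.100.5", 47, 52000),   # GRE from a stranger, high volume
    ("192.0.2.78",   "198.51.100.5", 47, 48000),   # GRE from another stranger, high volume
    ("203.0.113.44", "198.51.100.5", 6,  300),     # ordinary TCP, outside this policy's scope
    ("192.0.2.9",    "198.51.100.5", 47, 3),       # GRE from a stranger, low volume
]


def gre_policy(local_endpoint: str, peers):
    """Build the allowlist predicate for one tunnel end: GRE is permitted only between
    this endpoint and its configured peers, in either direction. The other tunnel end
    applies the mirror image of this rule with its own address and peer list."""
    local = ip_address(local_endpoint)
    allowed = {ip_address(p) for p in peers}

    def permitted(src: str, dst: str, proto: int) -> bool:
        if proto != IPPROTO_GRE:
            return True                      # non-GRE traffic is not this policy's concern
        a, b = ip_address(src), ip_address(dst)
        return (a == local and b in allowed) or (b == local and a in allowed)

    return permitted


def audit_gre_flows(flows, permitted, flood_threshold=10_000):
    """Return GRE flows the allowlist does not permit, marking high-volume ones as floods."""
    findings = []
    for src, dst, proto, packets in flows:
        if proto != IPPROTO_GRE or permitted(src, dst, proto):
            continue
        findings.append({
            "src": src, "dst": dst, "packets": packets,
            "verdict": "gre-flood" if packets >= flood_threshold else "unexpected-gre",
        })
    return findings


if __name__ == "__main__":
    permitted = gre_policy("198.51.100.5", {"203.0.113.10"})
    for finding in audit_gre_flows(SAMPLE_FLOWS, permitted):
        print(finding)
```

The same predicate doubles as the firewall rule's intent: anything it rejects is what the firewall on each end should drop, and anything the audit reports after the firewall is in place means the whitelist on that end does not match the tunnel configuration.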
GRE and IPSec
As both GRE and IPSec involve IP encapsulation, it is natural to compare the two.
While the two protocols have some common ground, they are not the same. Let's see how.
What is IPSec?
IPSec is a suite of IP security protocols. ESP (Encapsulating Security Payload), defined in RFC 2406, is the closest match to GRE; it encrypts the encapsulated data. So whenever IP packets need to be exchanged between two devices and need protection as well, IPSec is preferred.
It increases the IP packet's length by adding one more IP header, and the size of that addition depends on the IPSec configuration used (<58 bytes).
IPSec has two modes: Tunnel mode (the default) protects the whole IP packet by adding an IPSec header and trailer, while Transport mode protects only the payload.
Let’s have a look at this table to have a clear idea of how IPSec differs from GRE.
With GRE, it is easy to encapsulate data so that other protocols can be routed over it; it is simple to use and to encapsulate payloads with. However, it lacks encryption. So, if you need data confidentiality, go with IPSec, which offers encryption.
RFC 2784: Generic Routing Encapsulation (GRE) - rfc-editor.org
RFC 2406: IP Encapsulating Security Payload (ESP) - rfc-editor.org