GRE, or Generic Routing Encapsulation, is the standard solution for Service Providers that have an established IP network and want to provide managed IP VPN services.
One of the most significant advantages of this approach is that Service Providers can offer application-level QoS. This is possible because the routers still have visibility into the additional IP header information needed for fine-grained QoS (information that an encrypted IPSec packet hides from intermediate routers).
Traffic is restricted to a single provider’s network, allowing end-to-end QoS control. This restriction of “on-net only” traffic also allows the GRE tunnels to remain secure without using encryption. Customers who require greater levels of security can still use “on-demand” application-level encryption such as secure connections in a web browser. The entire connection may be encrypted, but at the cost of QoS granularity.
In summary, GRE offers:
– Encryption-optional tunneling.
– Fine-grained QoS service capabilities, including application-level QoS.
– IP-level visibility, which makes this the platform of choice for building value-added services such as application-level bandwidth management.
What Is IPSec?
IPSec provides IP network-layer encryption.
IPSec is a standards-based technology that governs security management in IP environments. Originally conceived to solve scalable security issues in the Internet, IPSec establishes a standard that lets hardware and software products from many vendors interoperate more smoothly to create end-to-end security. IPSec provides a standard way to exchange public keys, specify an encryption method (e.g., the Data Encryption Standard (DES) or RC4), and specify which parts of packet headers are encrypted.
What is Internet Key Exchange (IKE)?
IPSec assumes that a security association (SA) is in place, but it does not have a mechanism for creating that association. The IETF chose to break the process into two parts: IPSec provides the packet-level processing while IKE negotiates security associations. IKE is the mechanism IPSec uses to set up SAs.
IKE can be used for more than just IPSec; IPSec is only its first application. It can also be used with S/MIME, SSL, etc.
IKE does several things:
– Negotiates its own policy. IKE has several methods it can use for authentication and encryption. It is very flexible. Part of this is to positively identify the other side of the connection.
– Once it has negotiated an IKE policy, it performs an exchange of key material using authenticated Diffie-Hellman.
– After the IKE SA is established, it negotiates the IPSec SA. It can derive the IPSec key material with a new Diffie-Hellman exchange or by a permutation of existing key material.
In summary, IKE does these three things:
– Identification
– Negotiation of policy
– Exchange of key material
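The two IKE phases described above, as an added Python model that is not part of this document or of any IKE implementation: it follows the RFC 2409 pre-shared-key derivations in simplified form (SKEYID = prf(PSK, Ni | Nr), HMAC-SHA1 assumed as the PRF, cookies and SA payloads omitted), so the peer is identified by proving it holds the PSK, the IKE SA yields SKEYID_d, and the IPsec SA keys come either from a permutation of that existing material or from a fresh Diffie-Hellman exchange (PFS).

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP prime and generator 2: Oakley group 2 from RFC 2409, section 6.2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ESP = b"\x03"  # protocol id mixed into the quick-mode key derivation


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's keyed PRF; HMAC-SHA1 stands in for the negotiated hash (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def phase1(psk_i: bytes, psk_r: bytes, id_i: bytes) -> bytes:
    """IKE SA: DH exchange authenticated with each side's pre-shared key.
    Returns SKEYID_d (what later IPsec SAs are derived from) or raises."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxy_i = i2b(pow(gxr, xi, P))  # initiator's view of g^xy
    gxy_r = i2b(pow(gxi, xr, P))  # responder's view of g^xy
    # SKEYID = prf(pre-shared-key, Ni | Nr): each side computes it from its own PSK.
    skeyid_i, skeyid_r = prf(psk_i, ni + nr), prf(psk_r, ni + nr)
    # The initiator proves it holds the PSK; the responder recomputes the hash and compares.
    hash_i = prf(skeyid_i, i2b(gxi) + i2b(gxr) + id_i)
    if not hmac.compare_digest(hash_i, prf(skeyid_r, i2b(gxi) + i2b(gxr) + id_i)):
        raise ValueError("peer authentication failed: pre-shared keys differ")
    assert gxy_i == gxy_r  # both sides now hold the same DH secret
    return prf(skeyid_r, gxy_r + b"\x00")  # SKEYID_d (cookies omitted for brevity)


def phase2(skeyid_d: bytes, spi: bytes, pfs: bool) -> bytes:
    """IPsec SA KEYMAT: a fresh DH (PFS) or a permutation of existing IKE material."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        return prf(skeyid_d, i2b(pow(gxr, xi, P)) + ESP + spi + ni + nr)
    return prf(skeyid_d, ESP + spi + ni + nr)
```

Without PFS, compromise of SKEYID_d exposes every IPsec key derived from it; with PFS each IPsec SA also depends on a fresh g^xy that is discarded after use.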