Join us at San Diego API Security Summit 2024!
Join us at San Diego API Security Summit 2024!
Join us at San Diego API Security Summit 2024!
Join us at San Diego API Security Summit 2024!
Join us at San Diego API Security Summit 2024!
Join us at San Diego API Security Summit 2024!
Close
Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
/
/
DevSecOps

Generic Routing Encapsulation - GRE

Most of the intrusions happen as communication channels have multiple mediatory points/nodes during communication. But what if we could eliminate them? Yes, that’s right. Try GRE if you are willing to create a direct network point to protect the data packets. 

Read this guide to know more about it. Let’s begin the guide with knowing the GRE meaning.

Generic Routing Encapsulation - GRE

What is GRE?

GRE, or Generic Routing Encapsulation, is a famous protocol wherein data is encapsulated so that it’s easy to route the data to other protocols over the internet. Defined by REC 2784, this protocol has great utility in situations when IP packets require transmitting between 2 networks without the help of any router or being treated like an actual IP packet.

The advantages of using this communication protocol are: 

  • Better workarounds 
  • Connectivity with disintegrated sub-networks 
  • Compatibility with VPNs 

What Does Tunneling GRE Mean?

When one tries to understand GRE fully, it’s obvious to encounter the concept of GRE tunneling as it’s the core concept here. The simplest explanation for it is the process of packet-encapsulation. 

GRE features GRE tunnels. These are commonly configured between 2 routers. Both of them behave like two ends of a tunnel.

The key function of these routers is to forward and fetch the GRE packet without interruption or mediators. No router is allowed to access the encapsulated packets. To make sure that the packet reaches the right destination, routers are only allowed to refer to the headers of the packets. No other information is accessible.

Now, one might wonder why we call this method ‘tunneling’. To understand this fully, let’s take an example of a truck that has to commute from a point to next. Suppose both these points are on opposite sides of a mountain, and the only viable route is to pass through the mountain.

But it’s not possible for any normal truck to pass through a rocky mountain. So, the driver has to take an alternative route. What if there is a tunnel in the mountain that will allow the truck to cross the mountain? With the help of a tunnel, traveling will become easy and feasible.

Imagine the same scenario in terms of networking. The two destination points are now two internet-connected devices; the mountain is the network. The truck will become data that has to travel. When there is an incompatibility in the network and the data-packet type, data packets have to take an alternate route to reach the other device.

GRE is useful for creating a tunnel in such a case. As GRE works like a tunnel that allows unsupportive data packets to pass easily, it’s known as a tunneling protocol.

Transporting Data Through The GRE Tunnel

Transporting Data Through The GRE Tunnel

Let’s now understand how this process works. Basically, 2 networks supporting the safe travel of the data connect virtually through the GRE’s passage. The tunnel has no restrictions or obligations imposed on the traveled data.

Hence, data is transmitted directly from one device to another. The virtual world here means that there is no direct interaction between payloads. The data is traveled using the routers and is pushed until it reaches the destination.

GRE Configuration

The configuration of the GRE tunnel takes place at the router level and tends to vary according to the service and hardware type used for the configuration. The base of the GRE tunnel configuration is setting up a tunneling interface of IPs and supplying public IP addresses on both tunnel ends.

While you’re configuring GRE it’s important to make sure that you have whitelisted the sourced IP address in the firewall. The whitelisting should take place at both tunnel ends.

One best practice to adopt here is to eliminate the tunnels before the firewall. This way, it’s possible to examine the insider packets.

Next, you need to make sure that the MTU is within the limit. You have to predefine the MTU. The general MTU limit is 1,500 bytes. But, when you’re using GRE, you have to leave space for the GRE header, which is 24 bytes in size.

As the traffic flow within a GRE tunnel is symmetric and the recommended MTU setting is 1400 bytes.

GRE and MTU and MSS Requirements

GRE usage and its efficacy largely depend on the MSS and MTU of the network. Hence, we recommend knowing these requirements before you start using this protocol. For beginners, MTU is the measurement of the total packet size while MSS is the payload measurement.

If data exceeds the MTU limit then it will be auto-fragmented into smaller sections so that they are easy to process.

When you use GRE, a few bytes are auto-added to the actual data packet size. One can check the increase by accessing the MTU and MSS settings of the data. The average size of the GRE header is 24 bytes and if the data with 1,500 bytes MTU and 1,460 MSS value is used and processed with GRE, the MTU and MSS limit will extend.

In that case, the data packet will be fragmented and packet delivery speed will be slow. Hence, the end-user will require more computing power to operate.

One viable way to fix this issue is to reduce the MSS size so that the GRE header is easily accommodated. But, the evident downside of this process is that the payload will become a little small. In that case, more packets will be required to deliver the data. Hence, one has to strategize and set the MTU and MSS requirements for data accordingly.  

GRE and DDoS attacks

When used in full capacity, GRE tunneling is highly useful to plan DDoS attacks, completely or partially. As we all know, DDoS attacks involve jamming a network or website server so much so that it becomes inaccessible for verified users.  

A skilled hacker can build a botnet and use GRE to control them as a DDoS attack is planned.

GRE and IPSec

As both GRE and IPSec involve IP encapsulation, it’s obvious to compare these two concepts.

While these two protocols may have some common ground, they are not the same. Let’s understand how.

What is IPSec?

We can define it as an IP Security suit that has various protocols. ESP (Encapsulating Security Payload) is the closest match to GRE. Also called RFC 2406, it uses encryption for the encapsulated data’s security. So, whenever it’s about IP packets need to be exchanged between two devices and need safety as well, IPSec is preferred.

It increases the IP packet’s length by adding one more IP header, while the header’s length is decided by the IPSec configuration used (<58 bytes).

IPSec has 2 modes: Tunnel (default) mode safeguards the IP packet by adding the IPSec trailer and header, and Transport mode protects the payload.

Comparison Table

Let’s have a look at this table to have a clear idea of how IPSec differs from GRE.

GRE vs IPSec

Comparison FactorGREIPSec
Key UsageIt’s used in the encapsulation of data packets to route them over other IP networks.A standards-based protocol. Used when IP packets need security and authentication.
Models12 modes (Tunnel & Transfer)
Data privacy and integrityNo support. It doesn’t involve encryptionIPSec encrypts data throughout the process to ensure privacy.
EncapsulationWorks for payloads of the data packets only.Different modes encapsulate different parts of a data packet
IP header sizeExtra 4 bytes in the IP headerDoes not affect the size/bytes
Protocols and ports usedIP protocol number 47Uses ESP and AH. UDP Port 500 is used for negotiations.
Governing standardsRFC 2784 StandardsRFC 2406 Standards
Ease of usageVery easy to use and has a simple learning curveIt’s complex to implement

Final say

With GRE, it’s easy to encapsulate the data so that it’s easy to route other protocols. It’s easy to use and encapsulate the payloads. However, it lacks encryption. So, if you need data security, go with IPSec, as it offers encryption.

FAQ

Subscribe for the latest news

Updated:
June 25, 2024
Learning Objectives
Subscribe for
the latest news
subscribe
Related Topics