Traffic Tunnel Concept

Main purposes:

  • Guarantee that a packet that reaches a network node will reach a specific secondary network node, independently of the intermediary nodes' routing processes.

  • Guarantee the delivery of a packet to a remote node when the intermediary nodes do not support the original packet network protocol.

  • Define a virtual channel that adds additional data transport features in order to provide differentiated QoS, security requirements, and/or optimized routing.

Achieved by adding, at the tunnel entry point, one or more protocol headers (the delivery headers) to the original packets; intermediary nodes forward on those outer headers alone, and the tunnel exit point strips them before handing the original packet on. Plain IP-in-IP or GRE encapsulation adds no confidentiality or authentication: the original packet travels as cleartext payload, and the exit point can identify the entry point only by the outer source address, which is spoofable.

Tunnel End-Points

Virtual Tunnel Interface (VTI)

A logical construct that creates a virtual network interface, which can then be handled like any other network interface within the network equipment.

In principle, a tunnel does not require any network address other than the ones already bound to the end-point router.

However, most implementations impose that a network address must be bound to a tunnel interface in order to enable IP processing on the interface.

  • The tunnel interface may have an explicitly bound network address or reuse an address of another interface already configured on the router.

Requirements

A numeric identifier.

A bound IP address, which enables IP processing on the interface.

  • Add the tunnel interface to the routing table and allow routing via the interface.

A defined mode or type of tunnel.

  • The available tunnel modes depend on the router model, operating software, and licenses.

Tunnel source.

  • Defined as the name of a local interface or as an IPv4/IPv6 address, depending on the type of the tunnel.

Tunnel destination.

  • Defined as a domain name or an IPv4/IPv6 address, depending on the type of the tunnel.

  • This definition is not mandatory for all tunnel types, because in some cases the remote end-point is determined dynamically.

  • The route towards the tunnel destination must be learned over the underlying network, never through the tunnel itself; otherwise the router detects recursive routing and shuts the tunnel interface down.

May optionally have additional configurations for routing, security, and QoS purposes.

Loopback Interfaces as End-Points

A loopback interface is another logical construct: a virtual network interface that is completely independent from the router's remaining physical and logical network interfaces.

The main purpose of a loopback interface is to provide a stable network address that serves as the router identifier in remote network configurations and in distributed algorithms (routing protocols, for instance).

The main advantage of using loopback interfaces as tunnel end-points is that the tunnel is not bound to any individual network card/link that may fail: as long as the loopback address remains reachable over the underlying network, the tunnel stays up.

IP Tunnel Types

  • IPv4-IPv4

    • Original IPv4 packets are delivered using IPv4 as the network protocol.

  • GRE IPv4

    • The original packet's protocol (any network protocol) is identified by the GRE header, and the result is delivered using IPv4 as the network protocol.

  • IPv6-IPv6

    • Original IPv6 packets are delivered using IPv6 as the network protocol.

  • GRE IPv6

    • The original packet's protocol (any network protocol) is identified by the GRE header, and the result is delivered using IPv6 as the network protocol.

  • IPv6-IPv4

    • Original IPv6 packets are delivered using IPv4 as the network protocol.

  • IPv4-IPv6

    • Original IPv4 packets are delivered using IPv6 as the network protocol.
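The encapsulation performed at the tunnel entry point and the corresponding checks at the exit point, as an added example that is not part of the original page: it builds the IPv4 delivery header for the three IPv4-delivered tunnel types above (IPv4-IPv4, IPv6-IPv4 and GRE IPv4), and decapsulates them again. The tunnel addresses (10.0.0.1 / 10.0.0.2) and the inner packets are constructed for the example. The exit point verifies the outer checksum and the outer source address, and the comment notes why the latter is only a sanity check.

```python
import struct
import ipaddress

# IPv4 protocol numbers carried in the delivery header for each tunnel type
PROTO_IPIP = 4     # IPv4-IPv4 (IPv4 inside IPv4)
PROTO_IPV6 = 41    # IPv6-IPv4 (IPv6 inside IPv4)
PROTO_GRE = 47     # GRE IPv4 (passenger protocol identified by the GRE Ethertype)

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement header checksum; returns 0 when run over a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def encapsulate(mode: str, tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """Tunnel entry point: prepend the delivery header(s) the chosen tunnel type requires."""
    version = inner[0] >> 4
    if mode == "ipv4-ipv4":
        if version != 4:
            raise ValueError("IPv4-IPv4 tunnel carries IPv4 only")
        return ipv4_header(tunnel_src, tunnel_dst, PROTO_IPIP, len(inner)) + inner
    if mode == "ipv6-ipv4":
        if version != 6:
            raise ValueError("IPv6-IPv4 tunnel carries IPv6 only")
        return ipv4_header(tunnel_src, tunnel_dst, PROTO_IPV6, len(inner)) + inner
    if mode == "gre-ipv4":
        # GRE records the passenger protocol in its own header, so either IP version is accepted
        ethertype = {4: ETHERTYPE_IPV4, 6: ETHERTYPE_IPV6}[version]
        gre = struct.pack("!HH", 0, ethertype) + inner   # flags/version 0: no checksum, key or sequence
        return ipv4_header(tunnel_src, tunnel_dst, PROTO_GRE, len(gre)) + gre
    raise ValueError("unknown tunnel mode: " + mode)


def decapsulate(packet: bytes, expected_peer: str):
    """Tunnel exit point: check and strip the delivery header, return (mode, original packet)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("delivery header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("delivery header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    # Plain IP/GRE tunnels carry no authentication: the only filter available is the outer
    # source address, which any spoofing host can forge. Treat it as a sanity check, not security.
    if outer_src != expected_peer:
        raise ValueError("delivery header from unexpected peer " + outer_src)
    proto = packet[9]
    payload = packet[ihl:total_len]
    if proto == PROTO_IPIP:
        return "ipv4-ipv4", payload
    if proto == PROTO_IPV6:
        return "ipv6-ipv4", payload
    if proto == PROTO_GRE:
        flags, ethertype = struct.unpack("!HH", payload[:4])
        if flags & 0xB000:   # C, K or S bit set: optional fields follow that this example does not parse
            raise ValueError("GRE optional fields not supported here")
        if flags & 0x0007:
            raise ValueError("unsupported GRE version")
        return "gre-ipv4/0x%04x" % ethertype, payload[4:]
    raise ValueError("delivery protocol %d is not a tunnel type handled here" % proto)


if __name__ == "__main__":
    # Constructed inner packet: IPv4/UDP header plus a few payload bytes
    inner = ipv4_header("192.168.1.10", "192.168.2.10", 17, 8) + b"payload!"
    outer = encapsulate("gre-ipv4", "10.0.0.1", "10.0.0.2", inner)
    print(len(outer), outer[9], decapsulate(outer, "10.0.0.1")[0])
```

Run it against a capture of your own tunnel traffic and the protocol byte at offset 9 of the outer header (4, 41 or 47) tells you which of the types above is in use before any deeper parsing.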

Overlay Network

An overlay network is a virtual network built on top of another network.

  • Created for a specific purpose, such as private transport/routing policies, QoS, or security.

The underlying network can itself be physical or virtual.

  • This may result in multiple layers of overlay networks.

When some level of privacy protocol (confidentiality and/or authentication of the overlay traffic) is present on an overlay network, it is designated a Virtual Private Network (VPN). A plain GRE or IP-in-IP overlay provides neither, so it is not a VPN in this sense unless combined with a protocol that does, such as IPsec.

Full/Partial Overlay Mesh

Routing Through/Between Tunnels

Static Routes

Policy Based Routing (route-maps)

Dynamic Routing

Multiple (distinct) routing processes.

  • One per overlay network, and

  • One for the underlying network.

Multipoint Tunnels

In a scenario with many nodes to interconnect, the simpler and more efficient approach is a single tunnel that interconnects multiple nodes: a multipoint tunnel.

The nodes connect directly to each other over a single virtual overlay IP network, defined within the multipoint tunnel.

In a multipoint tunnel, the destination address of the delivery header is determined from the address of the next hop within the overlay network.

The mapping between overlay and underlying network addresses may be statically defined or dynamically obtained (for example, from registrations sent by the peers). A dynamically learned mapping that any peer can overwrite lets a rogue node redirect another node's traffic to itself, so static entries should take precedence over dynamic ones and dynamic registrations should be authenticated.
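The resolution step a multipoint tunnel end-point performs, as an added example that is not part of the original page: an overlay routing table (the overlay's own routing process, separate from the underlay's) is consulted with longest-prefix match to find the overlay next hop, and a second table maps that next hop to the underlying address placed in the delivery header. Mappings are either static or learned from peer registrations; the model refuses to let a registration overwrite a static entry. The prefixes and addresses (172.16.0.0/24 overlay, 10.0.0.x underlay) are assumptions for the example, and the class is an illustrative model, not a real tunnel implementation.

```python
import ipaddress


class MultipointTunnel:
    """Address resolution of one end-point of a multipoint tunnel (illustrative model)."""

    def __init__(self, overlay_prefix: str, local_underlay: str):
        # The overlay IP network shared by every end-point of this multipoint tunnel
        self.overlay_net = ipaddress.ip_network(overlay_prefix, strict=False)
        self.local_underlay = ipaddress.ip_address(local_underlay)
        # Overlay routing table: (prefix, next-hop overlay address; None means directly connected)
        self.routes = [(self.overlay_net, None)]
        # Overlay next-hop address -> (underlay address, "static" | "dynamic")
        self.mappings = {}

    def add_route(self, prefix: str, next_hop: str) -> None:
        """Overlay route learned by the overlay routing process (static or dynamic)."""
        self.routes.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def map_static(self, overlay: str, underlay: str) -> None:
        """Operator-configured overlay -> underlay mapping."""
        self.mappings[ipaddress.ip_address(overlay)] = (ipaddress.ip_address(underlay), "static")

    def register(self, overlay: str, underlay: str) -> bool:
        """Dynamic mapping announced by a peer. Returns False when the registration is refused."""
        overlay_addr = ipaddress.ip_address(overlay)
        if overlay_addr not in self.overlay_net:
            return False   # a peer may only register addresses of this tunnel's overlay network
        current = self.mappings.get(overlay_addr)
        if current is not None and current[1] == "static":
            return False   # never let a registration override operator configuration (hijack guard)
        self.mappings[overlay_addr] = (ipaddress.ip_address(underlay), "dynamic")
        return True

    def next_hop(self, dst: str):
        """Longest-prefix match in the overlay routing table; returns the overlay next hop or None."""
        dst_addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        net, nh = best
        # Directly connected overlay network: the destination itself is the next hop
        return dst_addr if nh is None else nh

    def delivery_address(self, dst: str):
        """Underlay address written into the delivery header for a packet towards dst, or None."""
        nh = self.next_hop(dst)
        if nh is None or nh not in self.mappings:
            return None   # unresolved: the packet cannot be encapsulated yet
        return self.mappings[nh][0]


if __name__ == "__main__":
    # Constructed scenario: this spoke is 172.16.0.2 at 10.0.0.2, the hub is a static mapping,
    # a second spoke registers dynamically and advertises a LAN behind it.
    t = MultipointTunnel("172.16.0.0/24", "10.0.0.2")
    t.map_static("172.16.0.1", "10.0.0.1")
    t.register("172.16.0.3", "10.0.0.3")
    t.add_route("192.168.3.0/24", "172.16.0.3")
    print(t.delivery_address("192.168.3.7"), t.delivery_address("172.16.0.1"))
```

The two tables correspond to the two routing processes listed above: `routes` belongs to the overlay, while reaching the returned underlay address is the job of the underlying network's own routing, which the model does not touch.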
