GRE vs IPSec: Detailed Comparison

Rashmi Bhardwaj | Blog,Security

In this blog, we will discuss GRE vs IPSec in detail. Before that, let's explore both protocols in brief.

What is GRE?

Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple encapsulation protocol: it encapsulates packets in order to route other protocols over IP networks. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

GRE works by encapsulating a payload — that is, an inner packet that needs to be delivered to a destination network — inside an outer IP packet. GRE tunnel endpoints send payloads through GRE tunnels by routing encapsulated packets through intervening IP networks.

In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks. Advantages of GRE tunnels include the following:

  • GRE tunnels encase multiple protocols (for example, IPX) over a single-protocol backbone.
  • GRE tunnels provide workarounds for networks with limited hops.
  • GRE tunnels connect discontinuous sub-networks.
  • GRE tunnels allow VPNs across wide area networks (WANs).

What is IPSec?

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: to secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

The IP Security (IPsec) Protocol is a standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks. IPsec provides IP network-layer encryption. IPsec lengthens the IP packet by adding at least one IP header (tunnel mode). The added headers vary in length depending on the IPsec configuration mode, but they do not exceed ~58 bytes (Encapsulating Security Payload (ESP) and ESP authentication (ESPauth)) per packet.

IPsec has two modes, tunnel mode and transport mode.

  • Tunnel mode is the default mode. With tunnel mode, the entire original IP packet is protected (encrypted, authenticated, or both) and encapsulated by the IPsec headers and trailers. Then a new IP header is prepended to the packet, specifying the IPsec endpoints (peers) as the source and destination. Tunnel mode can be used with any unicast IP traffic and must be used if IPsec is protecting traffic from hosts behind the IPsec peers. For example, tunnel mode is used with Virtual Private Networks (VPNs) where hosts on one protected network send packets to hosts on a different protected network via a pair of IPsec peers. With VPNs, the IPsec “tunnel” protects the IP traffic between hosts by encrypting this traffic between the IPsec peer routers.
  • In transport mode (configured with the subcommand mode transport on the transform definition), only the payload of the original IP packet is protected (encrypted, authenticated, or both). The payload is encapsulated by the IPsec headers and trailers. The original IP headers remain intact, except that the IP protocol field is changed to be ESP (50), and the original protocol value is saved in the IPsec trailer to be restored when the packet is decrypted. Transport mode is used only when the IP traffic to be protected is between the IPsec peers themselves, that is, when the source and destination IP addresses on the packet are the same as the IPsec peer addresses. Normally, IPsec transport mode is only used when another tunnelling protocol (like GRE) first encapsulates the IP data packet and IPsec then protects the GRE tunnel packets.

GRE vs IPSec: Comparison Table

The table below details how GRE and IPSec differ in their approach and parameters, though both are used for point-to-point communication across locations.

| Parameter | GRE | IPSec |
| --- | --- | --- |
| Full Form | Generic Routing Encapsulation | IP Security |
| Purpose | GRE is a protocol that encapsulates packets in order to route other protocols over IP networks. | The IP Security (IPsec) Protocol is a standards-based method of providing privacy, integrity, and authenticity to information transferred across IP networks. |
| Usage | GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers. | IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way. |
| Modes | Single mode – GRE Tunnel | Two Modes – Tunnel Mode and Transport Mode |
| Privacy, integrity and authenticity of information | Not Supported | Supported |
| Encapsulation | Encapsulation of Payload | Tunnel Mode – Entire packet is encapsulated. Transport Mode – Only payload is protected. |
| Standard | GRE is defined in RFC 2784 | IPsec ESP is defined in RFC 2406 |
| Protocol & Port | GRE uses IP protocol number 47 | IPSec uses ESP (IP protocol number 50) and AH (IP protocol number 51). In addition, IPSec uses IKE for negotiations (UDP port number 500). |
| IP Header | 4 Bytes additional IP Header | Additional bytes not used. |
| Multicast, routing protocol and routed protocol support | Supported | Not Supported |
| Simplicity | Simpler and faster | Complex |
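
The protocol numbers in the table are what a firewall or network monitor keys on, and the "Privacy" row shows up directly in what that monitor can read. The following is an added example, not code from the original article: it classifies an outer IPv4 packet as GRE, ESP, AH or IKE and shows that a GRE payload is readable on the wire while ESP exposes only its SPI and sequence number. The sample packets, addresses and function names are constructed for illustration, and only the RFC 2784 GRE header (optional checksum, version 0) is handled.

```python
import struct

# IP protocol numbers and the IKE port from the comparison table.
GRE, ESP, AH, UDP, IKE_PORT = 47, 50, 51, 17, 500

def ipv4(proto, src, dst, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def dotted(addr):
    return ".".join(str(b) for b in addr)

def classify(packet):
    """Report what an on-path observer can read from one IPv4 tunnel packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == GRE:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        if flags_ver & 0x0007:                      # RFC 2784 requires version 0
            return {"tunnel": "GRE", "error": "unsupported version"}
        offset = 8 if flags_ver & 0x8000 else 4     # C bit: checksum + reserved1
        inner = body[offset:]
        info = {"tunnel": "GRE", "payload_type": ptype, "cleartext": True}
        if ptype == 0x0800 and len(inner) >= 20:    # inner packet is IPv4
            info["inner_src"] = dotted(inner[12:16])
            info["inner_dst"] = dotted(inner[16:20])
            info["inner_data"] = inner[(inner[0] & 0x0F) * 4:]
        return info
    if proto == ESP:                                # only SPI and sequence number
        spi, seq = struct.unpack("!II", body[:8])   # precede the protected data
        return {"tunnel": "ESP", "spi": spi, "seq": seq, "cleartext": False}
    if proto == AH:
        return {"tunnel": "AH"}
    if proto == UDP and IKE_PORT in struct.unpack("!HH", body[:4]):
        return {"tunnel": "IKE"}
    return {"tunnel": None}

# Constructed sample packets (documentation addresses, not captured traffic).
PEER_A, PEER_B = [192, 0, 2, 1], [198, 51, 100, 1]
INNER = ipv4(253, [10, 1, 1, 10], [10, 2, 2, 20], b"payroll.csv")  # 253 = experimental
GRE_PKT = ipv4(GRE, PEER_A, PEER_B, struct.pack("!HH", 0, 0x0800) + INNER)
# ESP body after the 8-byte header is a stand-in for ciphertext, not real encryption.
ESP_PKT = ipv4(ESP, PEER_A, PEER_B, struct.pack("!II", 0x1000, 1) + bytes(32))
IKE_PKT = ipv4(UDP, PEER_A, PEER_B, struct.pack("!HHHH", 500, 500, 8, 0))

if __name__ == "__main__":
    for name, pkt in (("GRE", GRE_PKT), ("ESP", ESP_PKT), ("IKE", IKE_PKT)):
        print(name, classify(pkt))
```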
