What is Generic Routing Encapsulation (GRE)?
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route various protocols over Internet Protocol (IP) networks. GRE is defined by Internet RFC 2784. GRE was developed as a tunneling tool meant to carry any OSI Layer 3 network protocol over an IP network. In essence, GRE creates a private point-to-point connection like that of a virtual private network (VPN).
The GRE protocol involves encapsulating or wrapping data packets within other data packets. Doing so creates a tunnel (also known as a GRE tunnel) between two routers and establishes a direct or point-to-point connection between separate IP networks or protocols. Such tunneling of packets simplifies the connections between those networks.
Suppose a connection is to be set up between two networks or LANs. Assume that one network uses the IPv6 protocol while the other supports the older IPv4 protocol. Without GRE, the two networks would be unable to communicate with each other due to their protocol differences. But with GRE, the IPv6 packets are encapsulated within the IPv4 packets, allowing the IPv6 packets to pass through the IPv4 network.
Why use Generic Routing Encapsulation?
GRE tunneling can be used when there is a need to set up a direct or point-to-point connection between two networks or protocols, such as in an enterprise where different business units or departments are supported by different networks. Encapsulating packets and creating a GRE tunnel allows routers in two networks to operate as if they have a direct connection, allowing packets to move between them that would not be able to do otherwise.
How does Generic Routing Encapsulation work?
GRE works by encapsulating a payload -- an inner packet that needs to be delivered to a destination network -- inside an outer IP packet. GRE tunnel endpoints send payloads through GRE tunnels by routing encapsulated packets through intervening IP networks. Other IP routers along the way do not parse the payload (the inner packet); they only parse the outer IP packet as they forward it toward the GRE tunnel endpoint. Upon reaching the tunnel endpoint, GRE encapsulation is removed, and the payload is forwarded to its ultimate destination.
Encapsulation is done to create a GRE tunnel between two specific routers at either end of the tunnel. This means that only those routers can send and receive the GRE packets. The router at the sending end encrypts the GRE header and the router at the receiving end decrypts it. Along the way, the encapsulated packet travels through the GRE tunnel in encrypted form and then emerges from the receiving router as the original packet. The receiving router then removes the encapsulation and forwards the inner packet to its final destination on its network.
The other non-GRE-configured routers between the two GRE-configured routers will simply forward the encapsulated packet by referencing the headers surrounding them. They will not decrypt or open the packets; this is the job of the receiving GRE-configured router.
Generic Routing Encapsulation packets and headers
In any network, a packet refers to a unit of data that moves from a source to a destination. All packets consist of a payload and control information. The payload contains the user data (actual information) while the control information includes elements like source and destination addresses and sending sequence. The control information is placed in the packet header, with one header attached to each packet.
Before a GRE tunnel is created, the original or outer packet has an IP header (20 bytes). Creating the tunnel means creating a GRE packet that now has two IP headers. The IP header for the original packet remains intact. When the tunnel is created, the protocol adds a new GRE header (4 bytes), which indicates the type of protocol that will be used by the encapsulated packet. The GRE header also includes information such as the packet's source and destination addresses, sequence number and protocol identifier.
Once both headers are created, the encapsulated packet can travel from the source router to the destination router. The end router will decapsulate the packet and use the header information to route the packet to its destination.
Features of Generic Routing Encapsulation
The main feature of the GRE protocol is its ability to wrap one data packet inside another packet, allowing packets to travel between two otherwise-incompatible protocols or networks. Versatility is another feature of GRE. The protocol can work with numerous Layer 3 protocols, including IP, IPX and DECnet. As a result, one GRE tunnel can carry different types of traffic and route packets to their ultimate destination.
GRE tunnels are stateless, meaning the tunnel endpoints (routers) do not keep any information about the receiving router, including its state and availability. As a result, the source router does not have the ability to change the state of the tunnel interface or bring down its line protocol if the receiving router is unreachable.
Advantages and disadvantages of Generic Routing Encapsulation
Creating a GRE tunnel enables the use of protocols that are not supported by a network, thus enabling connectivity between networks and sub-networks. Further, the protocol is highly reliable because adding a GRE header to a packet ensures that it will reach its destination.
In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks. Further, GRE provides a stateless private connection so the tunnel interface will remain active even if the end of the tunnel is unreachable.
Other advantages of GRE tunnels include the following:
- GRE tunnels encase multiple protocols over a single-protocol backbone.
- GRE tunnels provide workarounds for networks with limited hops.
- GRE tunnels connect discontinuous sub-networks.
- GRE tunnels allow VPNs to operate across wide area networks.
The chief disadvantage of GRE is that it is not considered a secure protocol because it doesn't use encryption like the IP Security (IPsec) Encapsulating Security Payload, defined by RFC 2406. As a result, GRE tunnels can be used to launch DDoS attacks. Cyber attackers can build a botnet, control it via GRE, and then use it to jam a network with junk traffic, making the network inaccessible for legitimate users. This risk can be minimized by configuring authentication and encryption mechanisms on the GRE tunnels.