Psychz - Savita
Votes: 0
Posted On: Sep 26, 2019 12:38:00
Generic Routing Encapsulation (GRE) is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers. However, GRE tunnels are not secure; GRE does not provide encryption. With GRE we can configure a virtual tunnel between two endpoints. Generic Routing Encapsulation (GRE) was primarily designed to send multicast over a non-multicast enabled cloud. Normally, without GRE, it is not easy to send routing information between 2 segments separated by the internet. So with GRE, 2 branches can be merged into one routing domain using GRE tunnels between the branch gateways. With the encapsulation, you are converting any multicast packet into a unicast with the GRE endpoints as headers.
Now, for a private cloud, just plain GRE can be used as it is secured. But, with IPsec, you can add encryption to securely send it across a public cloud. The IP Security (IPsec) Encapsulating Security Payload (ESP) encapsulates IP packets to secure the payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.
Here's an example of how IPsec works. In a regular VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.
So, to sum it up, use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But, use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.
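The difference described above, seen from an intermediate hop, as an added example that is not part of the original answer: a parser that reads only what is visible without keys in a GRE packet versus an ESP packet. The addresses, SPI, helper names and sample payload are constructed, and random bytes stand in for the ESP ciphertext and ICV (no real IPsec is performed).

```python
import os, socket, struct

GRE, ESP = 47, 50  # IANA IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header + payload (checksum left 0 for this demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def gre_wrap(inner, src, dst):
    """RFC 2784 base header: no flags, version 0, protocol type 0x0800 (IPv4)."""
    return ipv4(src, dst, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def esp_wrap(src, dst, spi, seq, protected_len):
    """ESP layout only: random bytes stand in for ciphertext + ICV (no real crypto)."""
    return ipv4(src, dst, ESP, struct.pack("!II", spi, seq) + os.urandom(protected_len))

def hop_view(pkt):
    """What an on-path router can read from the packet without any keys."""
    body = pkt[(pkt[0] & 0x0F) * 4:]
    view = {"outer_src": socket.inet_ntoa(pkt[12:16]),
            "outer_dst": socket.inet_ntoa(pkt[16:20])}
    if pkt[9] == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        # Optional checksum (C), key (K) and sequence (S) fields are 4 bytes each.
        off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        inner = body[off:]
        view["tunnel"] = "GRE"
        if ptype == 0x0800:  # inner IPv4 packet travels in cleartext
            view["inner_src"] = socket.inet_ntoa(inner[12:16])
            view["inner_dst"] = socket.inet_ntoa(inner[16:20])
            view["inner_payload"] = inner[(inner[0] & 0x0F) * 4:]
    elif pkt[9] == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        view.update(tunnel="ESP", spi=spi, seq=seq, opaque_bytes=len(body) - 8)
    else:
        view["tunnel"] = None
    return view

# Constructed sample: host in network A (10.1.0.5) to host in network B (10.2.0.9).
INNER = ipv4("10.1.0.5", "10.2.0.9", 253, b"routing update")  # 253 = experimental proto
GRE_PKT = gre_wrap(INNER, "198.51.100.1", "203.0.113.1")
ESP_PKT = esp_wrap("198.51.100.1", "203.0.113.1", 0x1001, 1, len(INNER) + 16)

if __name__ == "__main__":
    print(hop_view(GRE_PKT))  # inner addresses and payload are readable
    print(hop_view(ESP_PKT))  # only gateway addresses, SPI and sequence number
```

For the GRE packet the hop recovers the private source, destination and payload; for the ESP packet it sees only the two gateway addresses, the SPI and the sequence number.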