Effective CISSP Questions

A tunnel is a logical link or point-to-point connection, established through tunneling protocols, that encapsulates payloads between two nodes over a public or shared network. Still, other security services or protocols protect data transmitted through the tunnel. Which of the following is not a tunneling protocol? (Wentz QOTD)
A. Virtual Extensible LAN (VXLAN)
B. Layer 2 Forwarding Protocol (L2F)
C. Generic Routing Encapsulation (GRE)
D. Encapsulating Security Payload (ESP)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is N/A (Not Available).

All the options are tunneling protocols. At first, I was writing this question in the context of VPN considering tunneling, authentication, and encryption. Later, I turned to a more generic perspective without reviewing options, so my suggested answer becomes “N/A (Not available).”

Common Tunneling Protocols

The following are common tunneling protocols:

  • GRE (Protocol 47): Generic Routing Encapsulation
  • SSTP (TCP port 443): Secure Socket Tunneling Protocol
  • IPsec (Protocol 50/ESP and 51/AH): Internet Protocol Security
  • L2TP (Protocol 115): Layer 2 Tunneling Protocol
  • VXLAN (UDP port 4789): Virtual Extensible Local Area Network

Encapsulating Security Payload (ESP)

Encapsulating Security Payload (ESP), IP protocol number 50, is a member of the IPsec protocol suite. It can be implemented in a host-to-host transport mode, as well as in a site-to-site tunnel mode:

  • In transport mode, only the payload of the IP packet is encrypted or authenticated. This mode is usually used when another tunneling protocol (such as GRE or L2TP) first encapsulates the IP packet and ESP then protects the tunnel packets. (Juniper)
  • In tunnel mode, the entire IP packet is encrypted and authenticated.

Layer 2 Forwarding Protocol (L2F)

L2F, or Layer 2 Forwarding, is a tunneling protocol developed by Cisco Systems, Inc. to establish virtual private network connections over the Internet. L2F does not provide encryption or confidentiality by itself; it relies on the protocol being tunneled to provide privacy. L2F was specifically designed to tunnel Point-to-Point Protocol (PPP) traffic.

Source: Wikipedia

Point-to-Point Tunneling Protocol (PPTP)

The Point-to-Point Tunneling Protocol (PPTP), primarily supported by Microsoft, is an obsolete method for implementing virtual private networks (VPN) because of many well-known security issues.

  • PPTP uses a TCP control channel and a Generic Routing Encapsulation tunnel to encapsulate Point-to-Point Protocol (PPP) packets.
  • The PPTP specification does not describe encryption; encryption is provided separately by Microsoft Point-to-Point Encryption (MPPE).

VXLAN Problem Statement

The traditional VLAN ID space is limited to 4094 usable IDs, which cannot meet the requirements of data centers or cloud computing, where networks are commonly isolated per tenant. For example, Azure or AWS has far more customers than 4094.

VXLAN (RFC 7348) is designed to solve the following issues:

  1. Limitations Imposed by Spanning Tree and VLAN Ranges
  2. Multi-tenant Environments
  3. Inadequate Table Sizes at ToR (Top-of-Rack) Switch

VXLAN encapsulates the traditional VLAN (Ethernet) frame as an IP payload, also called MAC-over-IP, to support communication between spine switches and leaf switches. The leaf-spine architecture employs a two-layer network topology composed of leaf switches and spine switches.
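As an added illustration (not code from the original post or from any vendor), the MAC-in-UDP encapsulation VXLAN uses, showing the 24-bit VNI that lifts the 4094 VLAN limit and the RFC 7348 rule that frames without the I flag are dropped. The inner Ethernet frame and the UDP source port are constructed sample values.

```python
import struct

# Constants from RFC 7348 (VXLAN) and IEEE 802.1Q.
VXLAN_UDP_PORT = 4789            # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08              # "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1          # 24-bit VXLAN Network Identifier -> 16,777,215
VLAN_ID_MAX = 4094               # usable 802.1Q VLAN IDs (0 and 4095 are reserved)

# Constructed sample inner Ethernet frame: dst MAC, src MAC, EtherType 0x0800, 4 payload bytes.
SAMPLE_FRAME = bytes.fromhex("0a1b2c3d4e5f" "0a1b2c3d4e60" "0800" "deadbeef")


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)

def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI; RFC 7348 says frames without the I flag must be dropped."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    word1, word2 = struct.unpack("!II", data[:8])
    if not (word1 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return word2 >> 8

def encapsulate(inner_frame: bytes, vni: int, src_port: int = 49152) -> bytes:
    """MAC-in-UDP: UDP header (dst 4789, zero checksum allowed over IPv4) + VXLAN header + frame."""
    vxlan = build_vxlan_header(vni)
    length = 8 + len(vxlan) + len(inner_frame)
    return struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, length, 0) + vxlan + inner_frame

def decapsulate(udp_datagram: bytes) -> tuple[int, bytes]:
    """Strip the UDP and VXLAN headers, returning (VNI, inner Ethernet frame)."""
    _src, dst, length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    if dst != VXLAN_UDP_PORT or length != len(udp_datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    vni = parse_vxlan_header(udp_datagram[8:16])
    return vni, udp_datagram[16:]

def segments_beyond_vlan() -> int:
    """How many more isolated segments a 24-bit VNI offers than 802.1Q VLAN IDs."""
    return VNI_MAX - VLAN_ID_MAX

if __name__ == "__main__":
    datagram = encapsulate(SAMPLE_FRAME, vni=5000)   # 5000 does not fit in a 12-bit VLAN ID
    print(decapsulate(datagram))
```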

Underlay networks, also called physical networks, are where traditional routing protocols run. The underlay network is the physical infrastructure on which an overlay network is built; it is the underlying network responsible for delivering packets across networks.

* Underlay Protocols: BGP, OSPF, IS-IS, EIGRP

An overlay network is a virtual network routed on top of the underlay network infrastructure; its routing decisions are made in software.

* Overlay Protocols: VXLAN, NVGRE, GRE, OTV, OMP, mVPN

Overlay networking is a method of using software to create layers of network abstraction that can be used to run multiple separate, discrete virtualized network layers on top of the physical network, often providing new applications or security benefits.

Source: Underlay Network and Overlay Network

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A tunnel is a logical link or point-to-point connection established through a tunneling protocol; it encapsulates the payload between two nodes over a public network. Even so, data transmitted through the tunnel still needs to be protected by other security services or protocols. Which of the following is not a tunneling protocol? (Wentz QOTD)
A. Virtual Extensible LAN (VXLAN)
B. Layer 2 Forwarding Protocol (L2F)
C. Generic Routing Encapsulation (GRE)
D. Encapsulating Security Payload (ESP)
