Generic Routing Encapsulation (GRE) and IP-in-IP (IPIP) are two rather similar tunneling mechanisms which are often confused. In this article, we'll examine the operation of each, how they differ, and when each should be used.
IPIP
IP-in-IP encapsulation is exactly what it sounds like: one IP packet encapsulated inside another. The protocol fieldof the outer header is set to 4 for IPv4 or 41 for IPv6.
Here's a sample capture of IPv4-in-IPv4, and here's IPv6-in-IPv4. All combinations of IPv4/IPv6 encapsulation are technically possible, though not all may be supported on a given platform. Three IPIP encapsulation methods are possible on IOS: IPv4/IPv4, IPv6/IPv6, and IPv6/IPv4.
Router(config)# interface tun0
Router(config-if)# tunnel mode ?
aurp AURP TunnelTalk AppleTalk encapsulation
cayman Cayman TunnelTalk AppleTalk encapsulation
dvmrp DVMRP multicast tunnel
eon EON compatible CLNS tunnel
gre generic route encapsulation protocol
ipip IP over IP encapsulation
ipsec IPSec tunnel encapsulation
iptalk Apple IPTalk encapsulation
ipv6 Generic packet tunneling in IPv6
ipv6ip IPv6 over IP encapsulation
mpls MPLS encapsulations
nos IP over IP encapsulation (KA9Q/NOS compatible)
rbscp RBSCP in IP tunnel
GRE
GRE (defined in RFC 2784 and updated by RFC 2890) goes a step further than IP-in-IP, adding an additional header of its own between the inside and outside IP headers.
The GRE header is variable in length, from 4 to 16 bytes, depending on which optional features have been enabled.
- C, K, and S: Bit flags which are set to one if the checksum, key, and sequence number fields are present, respectively
- Ver: GRE version number (zero)
- Protocol: Ethertype of the encapsulated protocol
- Checksum: Packet checksum (optional)
- Key: Tunnel key (optional)
- Sequence Number: GRE sequence number (optional)
Here's a sample capture of GRE in action. Note that GRE can theoretically encapsulate any layer three protocol with a valid Ether type, unlike IPIP, which can only encapsulate IP.
GRE can be encapsulated by either IPv4 or IPv6 on IOS. (The multipoint option is used for Dynamic Multipoint VPN (DMVPN).)
Router(config)# interface tun0
Router(config-if)# tunnel mode gre ?
ip over IP
ipv6 over IPv6
multipoint over IP (multipoint)
By default, only a minimal header of four bytes will be included. Additional GRE options can be turned on and off independently of one another:
Router(config-if)# tunnel ?
bandwidth Set tunnel bandwidth informational parameter
checksum enable end to end checksumming of packets
destination destination of tunnel
flow flow options
key security or selector key
mode tunnel encapsulation method
mpls MPLS tunnel commands
path-mtu-discovery Enable Path MTU Discovery on tunnel
protection Enable tunnel protection
rbscp Set tunnel RBSCP parameters
route-via Select subset of routes for tunnel transport
sequence-datagrams drop datagrams arriving out of order
source source of tunnel packets
tos set type of service byte
ttl set time to live
udlr associate tunnel with unidirectional interface
vrf set tunnel vrf membership
To summarize, GRE can:
- Encapsulate any layer three protocol (versus just IP)
- Add an additional checksum (which isn't useful for TCP/IPv4)
- Specify a tunnel key
- Enforce packet sequencing
Of course, these features come at a cost of additional overhead; in cases where the extra capabilities of GRE aren't needed, IPIP will do just fine.
