GRE tunnel vs. IPsec tunnel: What is the difference?

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: to secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A," it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops cannot read the encapsulated IP packet or change it without detection, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.
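The difference in what an intermediate hop can see, as an added example that is not part of the original tip: a Python sketch that parses one GRE (RFC 2784) packet and one ESP packet the way an on-path router could. The addresses, SPI, payload and the stand-in "ciphertext" bytes are constructed for illustration, and no real encryption is performed.

```python
import socket
import struct

GRE, ESP = 47, 50  # IANA IP protocol numbers for GRE and ESP

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]

def hop_view(pkt):
    """What a router between the tunnel endpoints can learn from one packet."""
    src, dst, proto, body = parse_ipv4(pkt)
    view = {"outer": (src, dst)}
    if proto == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        off = 8 if flags & 0x8000 else 4  # C bit set: checksum + reserved1 follow
        if ptype == 0x0800:  # inner packet is IPv4, carried in the clear
            isrc, idst, _, data = parse_ipv4(body[off:])
            view.update(tunnel="GRE", inner=(isrc, idst), data=data)
    elif proto == ESP:
        # Only the SPI and sequence number are readable; the rest is opaque.
        spi, seq = struct.unpack("!II", body[:8])
        view.update(tunnel="ESP", spi=spi, seq=seq, opaque_len=len(body) - 8)
    return view

# Constructed sample: host 10.1.0.5 in network A sends to 10.2.0.9 in network B.
INNER = ipv4("10.1.0.5", "10.2.0.9", 17, b"payroll-record")
GRE_PKT = ipv4("192.0.2.1", "198.51.100.1", GRE,
               struct.pack("!HH", 0, 0x0800) + INNER)
# Stand-in bytes for ciphertext + integrity value; not produced by a real cipher.
OPAQUE = bytes((i * 37 + 11) % 256 for i in range(len(INNER) + 14))
ESP_PKT = ipv4("192.0.2.1", "198.51.100.1", ESP,
               struct.pack("!II", 0x1001, 1) + OPAQUE)

if __name__ == "__main__":
    print(hop_view(GRE_PKT))  # inner addresses and payload are visible
    print(hop_view(ESP_PKT))  # only gateway addresses, SPI and sequence number
```

For the GRE packet the hop recovers the private source and destination addresses and the payload; for the ESP packet it sees only the two gateway addresses, the SPI and the sequence number.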

 

In summary, use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.

 

This question was asked at Ask the Experts on SearchNetworking.com.

Lisa Phifer
 

About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.


 

This was first published in May 2009
