What is GRE and how does it differ from IP-in-IP?

In this article we will explain what GRE and IP-in IP tunnels and how they differ from one another.

TL;DR: - IP-in-IP will use very slightly less bandwidth - GRE is industry standard - GRE supports additional features (but that are mostly irrelevant to our customers)

What is Generic Routing Encapsulation (GRE)?

Generic Routing Encapsulation (GRE) is a simple protocol for encapsulating internet packets to route protocols over IP networks as defined by RFC 2784. It has been developed as a tool for conveying a tunneling OSI Layer 3 protocol over an IP network. In essence, the GRE creates a defines a point-to-point private tunnel like a virtual private network (VPN) only it is stateless unlike a VPN (increased reliability).

Generic Routing Encapsulation works by encapsulating a payload - that is, an internal packet to be delivered to a destination network - within an outer IP packet. GRE tunnel endpoints send payloads into GRE tunnels for routing packets to other IP networks. Other IP routers along the path do not analyze the payload (the inner packet); they analyze the external IP packet as they send to the end of the GRE tunnel. After reaching the end point GRE tunnel encapsulation is removed and the payload is transmitted along its final destination.

In contrast to IP-in-IP, GRE tunnels have the following advantages:

  • GRE tunnels wrap multiple protocols on a single backbone protocol.
  • GRE tunnels provide solutions for networks with limited hops.
  • GRE tunnels connecting discontinuous subnets.
  • GRE tunnels can be used to create VPNs over Wide Area Networks (WAN) forming virtual proviate networks
  • Better support on devices and systems that miss-interoperate IP-in-IP packets or are unable to forward them.
  • When using the optional tunnel identifier field can support up to 64K tunnels between two unique endpoints (IPv4 pairs)
  • An optional checksum field can be utilized for integrity checking of the contained packet
  • An optional sequence field for ensuring order of received packets is maintained over the tunnel, this may be useful for some UDP applications.

GRE is commonly used to create virtual private networks (VPNs) between different networks. It is also used to connect remote sites over the internet, allowing them to communicate as if they were on the same local network. Additionally, GRE can be used to tunnel multicast traffic, which is useful in situations where multicast is not supported on the underlying network.

Security

The additional key field that is available in the GRE protocol can be used to provide additional tunnel authentication which increases security by increasing key-space which the 32-bit source address represents.

What is IP-in-IP?

IP-in-IP is an even simpler encapsulating protocol, using this technique IP packets are encapsulated only in an additional IP header. So unlike GRE tunnels an IP-in-IP tunnel cannot carry multicast traffic, other protocols or IPv6 between networks.

In contrast to GRE tunnels, IP-in-IP tunnels have the following advantages:

  • Lower overhead due to less layers encapsulated
  • Use of IP packets for encapsulation can allow for support (e.g. forwarding) on devices not supporting the GRE protocol
  • Supports a single tunnel between two endpoints.

IP-in-IP is often used for simple and low-overhead tunneling between networks. It is also used for situations where the underlying network only supports IP traffic, and does not support other protocols like GRE. In this case, IP-in-IP can be used to encapsulate non-IP protocols and transport them over the IP network. It is also used in some Mobile IP protocols and in some VPN software, such as OpenVPN.

In modern times IP-in-IP has decreased in popularity as the overheads of GRE are minimal at best. However, there remains niche applications where IP-in-IP remains in use. However, it's worth noting that both protocols have some disadvantages. For example, GRE is vulnerable to man-in-the-middle attacks and IP-in-IP is less efficient than GRE.

Platform Support

Both protocols are supported natively on Linux and BSD via iproute2. Windows does not support either natively, however with the aid of a Windows tunnel client (available to all customers) our customers are able to use either.

Conclusion

Unless you are encapsulating non-IP protocols, such as routing protocols or protocols used for research purposes, IP-in-IP encapsulation is often a suitable protocol at a lower overhead to GRE. However, GRE has slightly better security. Given that the overhead difference is minor, we would recommend that if you can you use GRE instead of IP-in-IP encapsulation.

It could be also useful to include a section about configuring GRE and IP-in-IP tunnels on different platforms, including the commands and procedures for setting up these tunnels on Linux, BSD, and Windows. This would provide a more comprehensive guide on how to implement these protocols in real-world scenarios.