IP has grown quite a bit in the past few decades. We’ve gone from having several heavily used layer 3 protocols to pretty much surrounding the enterprise network with IP.
IPv4 Header and Its Options
The Internet Protocol version I will focus on here is version 4 (IPv4). In IPv4 we have a 20 byte header, with a maximum of 60 bytes when IP options are present (the IHL field counts 32-bit words and tops out at 15, leaving 40 bytes for options). IP options are extensions to the IP header that never really gained popularity, for several reasons. One of those reasons is that packets carrying IP options are typically punted from the hardware forwarding path to the CPU, which makes them both slow and a convenient way to exhaust a router’s control plane.
Another major reason is that IP option processing was, well, optional. Devices could turn it off, and many did. Most Cisco devices today actually do not drop IP options by default, because a few are still needed; the Router Alert option, for example, is carried by IGMP for multicast and by RSVP.
The majority of the IPv4 options are also a security issue. Loose and strict source routing, where the sender chooses the hops the packet traverses, are terrible things for a security administrator, because they let a sender steer traffic around a filtering path or into networks it should not be able to reach. With regards to IP options, just know they exist, but the majority are not in use today, and most firewalls and routers drop source-routed packets outright (on Cisco IOS, no ip source-route).
Fun fact, IP options did carry over into IPv6; however, they are called extension headers now. The IPv6 equivalent of source routing, the Type 0 Routing Header, was deprecated for the same security reasons (RFC 5095).
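As an added worked example (not code from the original post), here is a small IPv4 header parser that walks the option area behind the 20 byte fixed header, validates the IHL and each option length, verifies the header checksum, and pulls the hop list out of a loose or strict source route option, which is the check a firewall or IDS performs before dropping such packets. The sample packets are constructed inline with a builder function, not captured traffic, and the option type constants are the RFC 791 and RFC 2113 values.

```python
import ipaddress
import struct

# IPv4 option type octets (RFC 791, RFC 2113); the high bit is the "copied" flag.
OPT_EOL = 0     # End of Option List
OPT_NOP = 1     # No Operation (padding)
OPT_RR = 7      # Record Route
OPT_TS = 68     # Internet Timestamp
OPT_LSRR = 131  # Loose Source and Record Route
OPT_SSRR = 137  # Strict Source and Record Route
OPT_RA = 148    # Router Alert (carried by IGMP and RSVP)

SOURCE_ROUTING = {OPT_LSRR, OPT_SSRR}


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a header whose checksum field is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build an IPv4 header, padding any options to a 32-bit boundary with EOL (0x00) octets."""
    if len(options) > 40:
        raise ValueError("options exceed the 40 byte maximum")
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4                        # header length in 32-bit words, 5..15
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                        0x1234, 0x4000, 64, proto, 0,  # id, DF flag, TTL, protocol, checksum placeholder
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = fixed + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_options(data: bytes) -> list:
    """Walk the option area and return (type, body) tuples; stops at EOL, rejects bad lengths."""
    opts, i = [], 0
    while i < len(data):
        t = data[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option %d is missing its length octet" % t)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("option %d has invalid length %d" % (t, length))
        opts.append((t, bytes(data[i + 2:i + length])))
        i += length
    return opts


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed header plus options; raises ValueError on a malformed IHL or option list."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("invalid IHL %d" % ihl)
    return {
        "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "options": parse_options(pkt[20:ihl]),
    }


def source_route_hops(pkt: bytes) -> list:
    """Hop list from an LSRR/SSRR option, or [] when the packet is not source-routed."""
    for t, body in parse_ipv4(pkt)["options"]:
        if t in SOURCE_ROUTING:
            route = body[1:]                           # skip the pointer octet
            return [str(ipaddress.IPv4Address(route[i:i + 4])) for i in range(0, len(route) // 4 * 4, 4)]
    return []


# Constructed sample packets (not captured traffic): one with an LSRR option naming two hops, one plain.
LSRR_OPTION = bytes([OPT_LSRR, 11, 4]) + ipaddress.IPv4Address("198.51.100.1").packed \
    + ipaddress.IPv4Address("203.0.113.1").packed
SOURCE_ROUTED_PKT = build_ipv4("10.0.0.1", "192.0.2.10", 1, options=LSRR_OPTION)
PLAIN_PKT = build_ipv4("10.0.0.1", "192.0.2.10", 1)

if __name__ == "__main__":
    for name, pkt in (("source-routed", SOURCE_ROUTED_PKT), ("plain", PLAIN_PKT)):
        info = parse_ipv4(pkt)
        print("%s: IHL=%d bytes, options=%s, hops=%s"
              % (name, info["ihl"], [t for t, _ in info["options"]], source_route_hops(pkt)))
```

The source-routed sample ends up with a 32 byte header (IHL of 8): 20 fixed bytes, an 11 byte LSRR option, and one EOL byte of padding. Anything that fails the length checks in parse_options is exactly the sort of packet a forwarding engine punts to the CPU, so a parser that sits in front of one should reject it rather than try to be lenient.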
IP in IP
Today IP is so flexible because we’ve really extended its use cases. We have technologies like IP in IP (IP protocol 4), where an inner IP packet is carried directly behind an outer IP header, so you have 40 bytes total of IP header to tunnel packets between two endpoints.
Then you have GRE (IP protocol 47), which is the same concept except the encapsulation adds the following ahead of the inner packet: an outer IP header (20 bytes), a GRE header (4 bytes) and sometimes a GRE key (another 4 bytes; the optional checksum and sequence number fields cost 4 bytes each as well). Note that the GRE key is fairly rare; it is mostly used in DMVPN when multiple tunnels terminate on the same source address and the router needs the key to tell them apart. GRE also gave us the ability to transport multicast and non-IP protocols, which is what really started the creation of overlay networks.
GRE over IPsec (over IP)
Then you have GRE over IPsec over IP, which was the same concept as GRE except the GRE packet is encrypted with IPsec. We secured the traffic between the GRE tunnel endpoints and, inherently, the GRE payload as well. This was the birth concept of DMVPN today. GRE over IPsec is heavy in terms of bytes: you have the GRE tunnel’s IP header (20 bytes), GRE (4 bytes), sometimes a GRE tunnel key (4 bytes), all wrapped in ESP (variable length: SPI and sequence number, IV, padding to the cipher’s block size, and the integrity check value) and, in IPsec tunnel mode, another outer IP header (20 bytes). In transport mode, which is what DMVPN normally uses, that extra IP header is not added and ESP sits between the GRE tunnel’s IP header and the GRE header, which is precisely why transport mode is preferred there.
IP in IP over IPsec (VTI)
Then of course, we finally got what we always wanted: VTI, or routed tunnel interfaces. These carry the original IP packet directly inside ESP in IPsec tunnel mode, which looks like IP in IP once you strip the encryption: an outer IP header, ESP, and the inner IP packet, with no GRE header in between. This has all the benefits of GRE over IPsec (a routable interface you can run routing protocols across) without the extra headers that come with it. VTI overhead is sometimes half of what GRE over IPsec in tunnel mode is (20 bytes plus ESP, versus 20 + 4 + 20 bytes plus ESP), which is quite a bit of savings when you think about how much data goes over technologies like DMVPN. The caveat is that a VTI carries only IP, and the multipoint GRE tunnel that DMVPN is built on still needs the GRE header.
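As an added worked example (not code from the original post), the script below computes the on-wire size of each encapsulation described above, from plain IP in IP through GRE over IPsec in tunnel and transport mode to VTI, and derives the inner MTU and the TCP MSS you would clamp on the tunnel interface for a 1500 byte link. The ESP transforms and their IV, padding alignment and ICV lengths, the choice of AES-CBC with HMAC-SHA1-96 as the default, and the assumption of no IP options and no GRE checksum or sequence number fields are my assumptions, not figures from the post.

```python
IPV4_HDR = 20       # IPv4 header without options
GRE_BASE = 4        # GRE flags/version + protocol type
GRE_KEY = 4         # optional GRE key (tunnel key)
ESP_HDR = 8         # ESP SPI + sequence number
ESP_TRAILER = 2     # pad length + next header octets

# Assumed transforms: (IV bytes, padding alignment, ICV bytes). Adjust to what the SA negotiates.
ESP_TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-128": (8, 4, 16),
}


def esp_overhead(plaintext_len: int, transform: str) -> int:
    """Bytes ESP adds around a plaintext of this length (header, IV, padding, trailer, ICV)."""
    iv, align, icv = ESP_TRANSFORMS[transform]
    pad = (-(plaintext_len + ESP_TRAILER)) % align    # pad so pad length + next header end on a boundary
    return ESP_HDR + iv + pad + ESP_TRAILER + icv


def encapsulated_size(inner_len: int, method: str, transform: str = "aes-cbc/hmac-sha1-96",
                      gre_key: bool = False) -> int:
    """On-wire IPv4 length of one inner IP packet of inner_len bytes under the given encapsulation."""
    gre = GRE_BASE + (GRE_KEY if gre_key else 0)
    if method == "ipip":                  # outer IP | inner IP packet
        return IPV4_HDR + inner_len
    if method == "gre":                   # outer IP | GRE | inner IP packet
        return IPV4_HDR + gre + inner_len
    if method == "gre-ipsec-tunnel":      # outer IP | ESP [ GRE's IP | GRE | inner ]
        plain = IPV4_HDR + gre + inner_len
        return IPV4_HDR + esp_overhead(plain, transform) + plain
    if method == "gre-ipsec-transport":   # GRE's IP | ESP [ GRE | inner ]
        plain = gre + inner_len
        return IPV4_HDR + esp_overhead(plain, transform) + plain
    if method == "vti":                   # outer IP | ESP [ inner IP packet ]
        return IPV4_HDR + esp_overhead(inner_len, transform) + inner_len
    raise ValueError("unknown encapsulation %r" % method)


def max_inner_packet(method: str, link_mtu: int = 1500, **kw) -> int:
    """Largest inner packet whose encapsulated form still fits link_mtu without fragmentation."""
    best = 0
    for n in range(IPV4_HDR, link_mtu + 1):
        if encapsulated_size(n, method, **kw) <= link_mtu:
            best = n
    return best


def tcp_mss(method: str, link_mtu: int = 1500, **kw) -> int:
    """TCP MSS to clamp on the tunnel: inner MTU minus a 20 byte IP and a 20 byte TCP header."""
    return max_inner_packet(method, link_mtu, **kw) - 40


if __name__ == "__main__":
    for method, kw in (("ipip", {}), ("gre", {"gre_key": True}), ("gre-ipsec-tunnel", {"gre_key": True}),
                       ("gre-ipsec-transport", {"gre_key": True}), ("vti", {})):
        print("%-20s inner MTU %4d  tcp mss %4d  (100 byte packet -> %d bytes on the wire)"
              % (method, max_inner_packet(method, **kw), tcp_mss(method, **kw),
                 encapsulated_size(100, method, **kw)))
```

With these assumptions a keyed GRE over IPsec tunnel in tunnel mode leaves room for a 1410 byte inner packet on a 1500 byte link, transport mode for 1430, and a VTI for 1438; the 28 byte gap between the tunnel-mode GRE figure and the VTI figure is exactly the GRE tunnel’s IP header plus the keyed GRE header that VTI does not carry. Because ESP pads to the cipher block size, the overhead is not a fixed number, which is why the calculator scans packet sizes instead of subtracting a constant.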