Tunneling protocol

From Wikipedia, the free encyclopedia

The five-layer TCP/IP model
5. Application layer
DHCP · DNS · FTP · Gopher · HTTP · IMAP4 · IRC · NNTP · XMPP · POP3 · RTP · SIP · SMTP · SNMP · SSH · TELNET · RPC · RTCP · RTSP · TLS (and SSL) · SDP · SOAP · GTP · STUN · NTP · (more)
4. Transport layer
TCP · UDP · DCCP · SCTP · RSVP · ECN · (more)
3. Network/internet layer
IP (IPv4 · IPv6) · OSPF · IS-IS · BGP · IPsec · ARP · RARP · RIP · ICMP · ICMPv6 · IGMP · (more)
2. Data link layer
802.11 (WLAN) · 802.16 · Wi-Fi · WiMAX · ATM · DTM · Token ring · Ethernet · FDDI · Frame Relay · GPRS · EVDO · HSPA · HDLC · PPP · PPTP · L2TP · ISDN · ARCnet · LLTD · (more)
1. Physical layer
Ethernet physical layer · RS-232 · SONET/SDH · G.709 · Optical fiber · Coaxial cable · Twisted pair · (more)
This box: view • talk • edit

The term tunneling protocol is used to describe when one network protocol called the payload protocol is encapsulated within a different delivery protocol. Reasons to use tunnelling include carrying a payload over an incompatible delivery network, or to provide a secure path through an untrusted network.

Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The tunnel protocol is usually (but not always) at a higher level than the payload protocol, or at the same level. To understand a particular protocol stack, both the payload and delivery protocol sets must be understood. Protocol encapsulation that is carried out by conventional layered protocols, in accordance with the OSI model or TCP/IP model, for example HTTP over TCP over IP over PPP over a V.92 modem, should not be considered as tunneling.

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), which is a protocol running over IP (IP Protocol Number 47), often is used to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.

In contrast, an IP payload might believe it sees a data link layer delivery when it is carried inside the Layer 2 Tunneling Protocol, which appears to the payload mechanism as a protocol of the data link layer. L2TP, however, actually runs over the transport layer using User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could run over any data link protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.

Tunneling protocols may use data encryption to transport insecure payload protocols over a public network such as the Internet thereby providing VPN functionality. IPSec has an end-to-end Transport Mode, but also can be operated in a Tunneling Mode through a trusted security gateway.

Contents 1 Common tunneling protocols 2 SSH tunneling 3 Tunneling to circumvent firewall policy 4 See also 5 References 6 External links

[edit] Common tunneling protocols

Examples of tunneling protocols include:

Datagram-based:

• IPsec
• GRE (Generic Routing Encapsulation) supports multiple protocols and multiplexing
• IP in IP Tunneling ^[1] Lower overhead than GRE and used when only 1 IP stream is to be tunneled
• L2TP (Layer 2 Tunneling Protocol) ^[2]
• MPLS (Multi-Protocol Label Switching)
• GTP (GPRS Tunnelling Protocol)
• PPTP (Point-to-Point Tunneling Protocol) ^[3]
• PPPoE (point-to-point protocol over Ethernet)
• PPPoA (point-to-point protocol over ATM)
• IEEE 802.1Q (Ethernet VLANs)
• DLSw (SNA over IP)
• XOT (X.25 datagrams over TCP)
• IPv6 tunneling: 6to4; 6in4; Teredo
• Anything In Anything (AYIYA; e.g. IPv6 over UDP over IPv4, IPv4 over IPv6, IPv6 over TCP IPv4, etc.)

Stream-based:

• TLS
• SSH
• SOCKS
• HTTP CONNECT command
• Various circuit-level proxy protocols, such as Microsoft Proxy Server's Winsock Redirection Protocol, or WinGate Winsock Redirection Service.

[edit] SSH tunneling

An SSH tunnel (sometimes referred to as a VPN) is an encrypted network tunnel created through an SSH connection. SSH is frequently used to tunnel insecure traffic over the Internet in a secure way. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely through the Internet, someone snooping on the connection could see your files. To mount an SMB file system securely, one can establish an SSH tunnel that routes all SMB traffic to the fileserver inside an SSH-encrypted connection. Even though the SMB traffic itself is insecure, because it travels within an encrypted connection it becomes secure.

In order to create an SSH tunnel, the SSH client is configured to forward a specified remote port and IP address (that is accessible on the SSH server) to a port on the local machine. Once the SSH connection has been established, the user can connect to the specified local port to access the network services that would otherwise be available only at the remote IP address and port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services provided that outgoing connections on port 22 are allowed. For example, many institutions prohibit users from accessing Internet web pages (port 80) directly without first being examined by a proxy/filter device. However, if users are able to connect to an external SSH server, it is possible for them to create an ssh tunnel to forward port 80 on an external web server to a given port (probably port 80) on their local machine, and thus access that web page by typing http://localhost in their browser.

More commonly, users may set up their own proxy server at home, using free software such as Squid, and construct a tunnel from their workstation to the proxy. Next, by configuring their browser to use localhost rather than the corporate proxy server, users can access any web page they want, bypassing their company's filters and firewalls.

Another method is to use dynamic port forwarding, which creates a local SOCKS 4/5 proxy server that a user can connect to, effectively creating an encrypted tunnel to the remote SSH server. The user can then configure his/her applications to use the SOCKS proxy server, usually for bypassing filters and firewalls.

[edit] Tunneling to circumvent firewall policy

Tunneling can also be used to traverse a firewall (firewall policy permitting). In this case, protocols that are normally blocked by the firewall are encapsulated inside a commonly allowed protocol such as HTTP. If the policy on the firewall does not exercise enough control over HTTP requests, this can sometimes be used to circumvent the intended firewall policy.

Another HTTP-based tunneling method uses the HTTP CONNECT method/command. This command tells an HTTP proxy to make a TCP connection to the specified server:port, and relay data back and forth between that connection and the client connection. Therefore, for security reasons, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method to accessing TLS/SSL-based HTTPS services only.

[edit] See also

• Tunnel broker
• Virtual private network
• HTTP tunnel (software)

[edit] References

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.

1. ^ IP Encapsulation within IP,RFC2003, C. Perkins,October 1996
2. ^ Layer Two Tunneling Protocol "L2TP",RFC 2661, W. Townsley et al.,August 1999
3. ^ Point-to-Point Tunneling Protocol (PPTP),RFC 2637, K. Hamzeh et al.,July 1999

[edit] External links

• SSH Tunnels explained by example
• HOWTO: Set up a Windows SSH server for VNC tunneling