Secure Socket Tunneling Protocol

Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.

SSTP servers must be authenticated during the SSL phase. SSTP clients can optionally be authenticated during the SSL phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP.

SSTP is only available in Windows since version Windows Vista SP1, in RouterOS, and in SEIL since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with Winlogon or smart card authentication, remote access policies and the Windows VPN client.^[1]

SSTP is only for remote client access, it does not support site-to-site VPN tunnels.^[2]

SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem" ^[3][4]

Contents 1 Packet Structure 1.1 Header 1.2 Control Message 2 See also 3 References 4 External links

Packet Structure

Header

The following header structure is common to all types of SSTP packets:

SSTP Header

Bit offset	Bits 0–7								8–14							15	16–31
0	Version								Reserved							C	Length
32+	Data

• Version (8 bits) – Communicates and negotiates the version of SSTP that is used.
• Reserved (7 bits) – Reserved for future use.
• C (1 bit) – Control bit indicating whether the SSTP packet represents an SSTP control packet or an SSTP data packet. This bit is set if the SSTP packet is a control packet.
• Length (16 bits) – Packet length field, composed of two values: a Reserved portion and a Length portion.

• Reserved (4 bits) – Reserved for future use.
• Length (12 bits) – Contains the length of the entire SSTP packet, including the SSTP header.

• Data (variable) – When Control bit C is set, this field contains an SSTP control message. Otherwise, the data field would contain a higher level protocol. At the moment, this can only be PPP.

Control Message

The data field of the SSTP header contains an SSTP control message only when the header's Control bit C is set.

SSTP Control Message

Bit offset	Bits 0–15																16–31
0	Message Type																Attributes Count
32+	Attributes

• Message Type (16 bits) – Specifies the type of SSTP control message being communicated. This dictates the number and types of attributes that can be carried in the SSTP control packet.
• Attributes Count (16 bits) – Specifies the number of attributes appended to the SSTP control message.
• Attributes (variable) – Contains a list of attributes associated with the SSTP control message. The number of attributes is specified by the Attributes Count field.

See also

• AuthIP
• L2TP/IPsec
• HTTPS
• OpenVPN
• PPTP

References

External links

• RRAS Technet Blog
• Microsoft develops new tunneling protocol
• How SSTP based VPN connection works
• Configuring SSTP in RouterOS
• SSTP Client implementation for Linux
• SSTP Client implementation for Linux