Tunneling protocol
From Wikipedia, the free encyclopedia
The term tunneling protocol is used to describe when one network protocol called the payload protocol is encapsulated within a different delivery protocol. Reasons to use tunneling include carrying a payload over an incompatible delivery network, or to provide a secure path through an untrusted network.
Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The tunnel protocol is usually (but not always) at a higher level than the payload protocol, or at the same level. To understand a particular protocol stack, both the payload and delivery protocol sets must be understood. Protocol encapsulation that is carried out by conventional layered protocols, in accordance with the OSI model or TCP/IP model, for example HTTP over TCP over IP over PPP over a V.92 modem, should not be considered as tunneling.
As an example of network layer over network layer, Generic Routing Encapsulation (GRE), which is a protocol running over IP (IP Protocol Number 47), often is used to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.
In contrast, an IP payload might believe it sees a data link layer delivery when it is carried inside the Layer 2 Tunneling Protocol (L2TP), which appears to the payload mechanism as a protocol of the data link layer. L2TP, however, actually runs over the transport layer using User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could run over any data link protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.
Tunneling protocols may use data encryption to transport insecure payload protocols over a public network such as the Internet thereby providing VPN functionality. IPSec has an end-to-end Transport Mode, but also can be operated in a Tunneling Mode through a trusted security gateway.
The Internet Protocol Suite | |
Application Layer | |
---|---|
BGP · DHCP · DNS · FTP · GTP · HTTP · IMAP · IRC · Megaco · MGCP · NNTP · NTP · POP · RIP · RPC · RTP · RTSP · SDP · SIP · SMTP · SNMP · SOAP · SSH · Telnet · TLS/SSL · XMPP · (more) | |
Transport Layer | |
TCP · UDP · DCCP · SCTP · RSVP · ECN · (more) | |
Internet Layer | |
IP (IPv4, IPv6) · ICMP · ICMPv6 · IGMP · IPsec · (more) | |
Link Layer | |
ARP · RARP · NDP · OSPF · Tunnels (L2TP) · Media Access Control (Ethernet, MPLS, DSL, ISDN, FDDI) · Device Drivers · (more) | |
Contents |
[edit] Common tunneling protocols
Examples of tunneling protocols include:
- Datagram-based:
- GRE (Generic Routing Encapsulation) supports multiple protocols and multiplexing
- IP in IP Tunneling [1] Lower overhead than GRE and used when only 1 IP stream is to be tunneled
- L2TP (Layer 2 Tunneling Protocol) [2]
- MPLS (Multi-Protocol Label Switching)
- GTP (GPRS Tunnelling Protocol)
- PPTP (Point-to-Point Tunneling Protocol) [3]
- PPPoE (point-to-point protocol over Ethernet)
- PPPoA (point-to-point protocol over ATM)
- IEEE 802.1Q (Ethernet VLANs)
- DLSw (SNA over IP)
- XOT (X.25 datagrams over TCP)
- IPv6 tunneling: 6to4; 6in4; Teredo
- Anything In Anything (AYIYA; e.g. IPv6 over UDP over IPv4, IPv4 over IPv6, IPv6 over TCP IPv4, etc.)
- Stream-based:
- SSH
- SOCKS
- HTTP CONNECT command
- Various circuit-level proxy protocols, such as Microsoft Proxy Server's Winsock Redirection Protocol, or WinGate Winsock Redirection Service
[edit] SSH tunneling
An SSH tunnel is an encrypted tunnel created through an SSH protocol connection. SSH tunnels may be used to tunnel unencrypted traffic over a network through an encrypted channel. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely through the Internet, someone snooping on the connection could see your files. To mount the Windows filesystem securely, you can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself is unencrypted it is secure because it travels through the encrypted SSH channel.
To create an SSH tunnel, an SSH client is configured to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not be the same as the remote port.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services provided that outgoing connections are allowed. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter which provides the organization a means of monitoring and controlling what the user sees through the web. The user may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If a user is able to connect to an external SSH server, it is possible for them to create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server the user would point their browser to http://localhost/.
Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. The user can configure his/her applications to use their local SOCKS proxy server. This is more flexible than creating an SSH tunnel to a single port as previously described. With SOCKS the user is not limited to connecting only to a predefined remote port and server.
[edit] Tunneling to circumvent firewall policy
Tunneling can also be used to "sneak through" a firewall. A protocol that is blocked by the firewall is "wrapped" inside a protocol that is not blocked by the firewall, such as HTTP. If the firewall policy has not been written to exclude this kind of "wrapping", this trick can be used to get around the intended firewall policy.
Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows access only to TLS/SSL-based HTTPS services.
[edit] See also
[edit] References
- ^ IP Encapsulation within IP,RFC2003, C. Perkins,October 1996
- ^ Layer Two Tunneling Protocol "L2TP",RFC 2661, W. Townsley et al.,August 1999
- ^ Point-to-Point Tunneling Protocol (PPTP),RFC 2637, K. Hamzeh et al.,July 1999
[edit] External links
- SSH Tunnels explained by example
- HOWTO: Set up a Windows SSH server for VNC tunneling
- SSH port forwarding and tunneling explained in detail.
- SSH tunneling to anonymous proxy (Indonesian Version).
- SSH tunneling used to lower latency/ping times in World of Warcraft through SmoothPing.com.
This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.