Tunneling protocol


Tunneling protocol

Computer networks use a tunneling protocol when one network protocol (the delivery protocol) encapsulates a different payload protocol. By using tunneling one can (for example) carry a payload over an incompatible delivery-network, or provide a secure path through an untrusted network.

Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The delivery protocol usually (but not always) operates at a higher level in the model than does the payload protocol, or at the same level.

To understand a particular protocol stack, network engineers must understand both the payload and delivery protocol sets.

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP Protocol Number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.

In contrast, an IP payload might believe it sees a data link layer delivery when it is carried inside the Layer 2 Tunneling Protocol (L2TP), which appears to the payload mechanism as a protocol of the data link layer. L2TP, however, actually runs over the transport layer using User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could run over any data-link protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.

Tunneling protocols may use data encryption to transport insecure payload protocols over a public network (such as the Internet), thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but can also operate in a tunneling mode through a trusted security gateway.

Contents

Secure shell tunneling

A secure shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.

To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services — so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web-server. To access the remote web-server, users would point their browser to the local port at http://localhost/.

Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application doesn't support SOCKS, one can use a "socksifier" to redirect the application to the local SOCKS proxy server. Some "socksifiers" support SSH directly, thus avoiding the need for an SSH client.

Tunneling to circumvent firewall policy

Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy.

Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to a HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows access only to a whitelist of specific authorized servers.

See also

External links


This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Layer 2 Tunneling Protocol — In computer networking, the Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). History and future Published in 1999 as proposed standard RFC 2661, L2TP has its origins primarily in two older …   Wikipedia

  • Layer Two Tunneling Protocol — L2TP im TCP/IP‑Protokollstapel: Anwendung L2TP Transport UDP Internet IP (IPv4, IPv6) Netzzugang Ethernet Token …   Deutsch Wikipedia

  • Layer 2 Tunneling Protocol — L2TP im TCP/IP‑Protokollstapel: Anwendung L2TP Transport UDP Internet IP (IPv4, IPv6) Netzzugang Ethernet Token …   Deutsch Wikipedia

  • Point-to-Point Tunneling Protocol — Das Point to Point Tunneling Protocol (PPTP) ist ein Netzwerkprotokoll, das auf das Internet Protocol aufsetzt und dem Aufbau eines Virtual Private Network (VPN) in einem Rechnernetz dient. Mittels PPTP wird ein VPN geschaffen, indem ein Tunnel… …   Deutsch Wikipedia

  • Point-to-point tunneling protocol — PPTP (Point to point tunneling protocol) est un protocole d encapsulation PPP sur IP conçu par Microsoft, permettant la mise en place de réseaux privés virtuels (VPN) au dessus d un réseau public. Layer 2 Tunneling Protocol (L2TP) et IPsec sont… …   Wikipédia en Français

  • Point-to-point tunneling protocol — The Point to Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. Layer 2 Tunneling Protocol (L2TP) [ [http://www.ietf.org/rfc/rfc2661.txt Layer Two Tunneling Protocol L2TP ] ,RFC 2661, W. Townsley et al. ,August …   Wikipedia

  • GPRS Tunneling Protocol — Das GPRS Tunneling Protocol wird von Mobilfunkbetreibern eingesetzt, um GPRS Pakete innerhalb ihrer Netzinfrastruktur zu transportieren. Vom GPRS Tunneling Protocol gibt es auch Varianten: GPRS Tunneling Protocol* zum Abhören und Mitschneiden von …   Deutsch Wikipedia

  • GPRS Tunneling Protocol' — Das GPRS Tunneling Protocol wird von Mobilfunkbetreibern eingesetzt, um GPRS Pakete innerhalb ihrer Netzinfrastruktur zu transportieren. Vom GPRS Tunneling Protocol gibt es auch Varianten: GPRS Tunneling Protocol* zum Abhören und Mitschneiden von …   Deutsch Wikipedia

  • GPRS Tunneling Protocol* — Das GPRS Tunneling Protocol wird von Mobilfunkbetreibern eingesetzt, um GPRS Pakete innerhalb ihrer Netzinfrastruktur zu transportieren. Vom GPRS Tunneling Protocol gibt es auch Varianten: GPRS Tunneling Protocol* zum Abhören und Mitschneiden von …   Deutsch Wikipedia

  • Layer 2 tunneling protocol — (L2TP) signifie protocole de tunnellisation de niveau 2. Il s agit d un protocole réseau utilisé pour créer des Virtual Private Networks (VPN), le plus souvent entre un opérateur de collecte de trafic (dégroupeur ADSL ou opérateur de téléphonie… …   Wikipédia en Français


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.