From Wikipedia, the free encyclopedia

The five-layer TCP/IP model

5. Application layer

DHCP · DNS · FTP · Gopher · HTTP · IMAP4 · IRC · NNTP · XMPP · POP3 · SIP · SMTP · SNMP · SSH · TELNET · RPC · RTCP · RTSP · TLS · SDP · SOAP · GTP · STUN · NTP · (more)

4. Transport layer

TCP · UDP · DCCP · SCTP · RTP · RSVP · IGMP · (more)

3. Network/Internet layer

IP (IPv4 · IPv6) · OSPF · IS-IS · BGP · IPsec · ARP · RARP · RIP · ICMP · ICMPv6 · (more)

2. Data link layer

802.11 (WLAN) · 802.16 · Wi-Fi · WiMAX · ATM · DTM · Token ring · Ethernet · FDDI · Frame Relay · GPRS · EVDO · HSPA · HDLC · PPP · PPTP · L2TP · ISDN · ARCnet · (more)

1. Physical layer

Ethernet physical layer · Modems · PLC · SONET/SDH · G.709 · Optical fiber · Coaxial cable · Twisted pair · (more)

This box: view • talk • edit

A tunneling protocol is a network protocol which encapsulates a payload protocol, acting as a payload protocol. Reasons to tunnel include carrying a payload over an incompatible delivery network, or to provide a secure path through an untrusted network.

Tunneling does not always fit a layered protocol model such as those of OSI or TCP/IP. To understand a particular protocol stack, both the payload and delivery protocol sets must be understood. Protocol encapsulation that is carried out by conventional layered protocols, in accordance with the OSI model or TCP/IP model, for example HTTP over TCP over IP over PPP over a V.92 modem, should not be considered as tunneling.

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), which is a protocol running over IP ( IP Protocol Number 47), often is used to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.

In contrast, an IP payload might believe it sees a data link layer delivery when it is carried inside the Layer 2 Tunneling Protocol, which appears to the payload mechanism as a protocol of the data link layer. L2TP, however, actually runs over the transport layer using User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could run over any data link protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.

Tunneling protocols may use data encryption to transport insecure payload protocols over a public network such as the Internet thereby providing VPN functionality. IPSec has an end-to-end Transport Mode, but also can be operate in a Tunneling Mode through a trusted security gateway.

Contents 1 Common tunneling protocols 2 SSH tunneling 3 Tunneling to circumvent firewall policy 4 See also 5 References 6 External links

Examples of tunneling protocols include:

Datagram-based:

• IPsec
• GRE (Generic Routing Encapsulation) supports multiple protocols and multiplexing
• IP in IP Tunneling ^[1] Lower overhead than GRE and used when only 1 IP stream is to be tunneled
• L2TP (Layer 2 Tunneling Protocol) ^[2]
• MPLS (Multi-Protocol Label Switching)
• GTP (GPRS Tunnelling Protocol)
• PPTP (Point-to-Point Tunneling Protocol) ^[3]
• PPPoE (point-to-point protocol over Ethernet)
• PPPoA (point-to-point protocol over ATM)
• IEEE 802.1Q (Ethernet VLANs)
• DLSw (SNA over IP)
• XOT (X.25 datagrams over TCP)
• IPv6 tunneling: 6to4; 6in4; Teredo
• Anything In Anything (AYIYA; e.g. IPv6 over UDP over IPv4, IPv4 over IPv6, IPv6 over TCP IPv4, etc.)

Stream-based:

• TLS
• SSH
• SOCKS
• HTTP CONNECT command
• Various circuit-level proxy protocols, such as Microsoft Proxy Server's Winsock Redirection Protocol, or WinGate Winsock Redirection Service.

SSH is frequently used to tunnel insecure traffic over the Internet in a secure way. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely through the Internet, someone snooping on the connection could see your files.

So to mount an SMB file system securely, one can establish an SSH tunnel that routes all SMB traffic to the fileserver inside an SSH-encrypted connection. Even though the SMB traffic itself is insecure, because it travels within an encrypted connection it becomes secure.

Tunneling can also be used to traverse a firewall (firewall policy permitting). In this case, protocols that are normally blocked by the firewall are encapsulated inside a commonly allowed protocol such as HTTP. If the policy on the firewall does not exercise enough control over HTTP requests, this can sometimes be used to circumvent the intended firewall policy.

Another HTTP-based tunneling method uses the HTTP CONNECT method/command. This command tells an HTTP proxy to make a TCP connection to the specified server:port, and relay data back and forth between that connection and the client connection. Therefore, for security reasons, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method to accessing TLS/SSL-based HTTPS services only.

• Tunnel broker
• Virtual private network
• HTTP tunnel (software)

This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed under the GFDL.

1. ^ IP Encapsulation within IP,RFC2003, C. Perkins,October 1996
2. ^ Layer Two Tunneling Protocol "L2TP",RFC 2661, W. Townsley et al.,August 1999
3. ^ Point-to-Point Tunneling Protocol (PPTP),RFC 2637, K. Hamzeh et al.,July 1999

• SSH Tunnels explained by example
• Tunneling SSH from behind an HTTP proxy server
• HOWTO: Set up a Windows SSH server for VNC tunneling