Secure Socket Tunneling Protocol

Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 (by default; the port can be changed) allows SSTP to pass through virtually all firewalls and proxy servers except for authenticated web proxies. SSTP servers must be authenticated during the SSL/TLS phase. SSTP clients can optionally be authenticated during the SSL/TLS phase and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP.

SSTP is available for Linux, BSD, and Windows. SSTP is available on Windows Vista SP1 and later, in RouterOS since version 5.0, and in SEIL since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with Winlogon or smart-card authentication, remote-access policies and the Windows VPN client. The protocol is also used by Windows Azure for Point-to-Site Virtual Network.

SSTP is intended only for remote client access; it generally does not support site-to-site VPN tunnels. SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem". SSTP supports user authentication only; it does not support device authentication or computer authentication.


Packet structure

The following header structure is common to all types of SSTP packets:

* Version (8 bits) – communicates and negotiates the version of SSTP that is used.
* Reserved (7 bits) – reserved for future use.
* C (1 bit) – control bit indicating whether the SSTP packet represents an SSTP control packet or an SSTP data packet. This bit is set if the SSTP packet is a control packet.
* Length (16 bits) – packet length field, composed of two values: a Reserved portion and a Length portion.
  * Reserved (4 bits) – reserved for future use.
  * Length (12 bits) – contains the length of the entire SSTP packet, including the SSTP header.
* Data (variable) – when control bit C is set, this field contains an SSTP control message. Otherwise, the data field contains a higher-level protocol. At the moment, this can only be PPP.


Control message

The data field of the SSTP header contains an SSTP control message only when the header's Control bit C is set.

* Message type (16 bits) – specifies the type of SSTP control message being communicated. This dictates the number and types of attributes that can be carried in the SSTP control packet.
* Attributes count (16 bits) – specifies the number of attributes appended to the SSTP control message.
* Attributes (variable) – contains a list of attributes associated with the SSTP control message. The number of attributes is specified by the Attributes count field.
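The header and control-message layouts described in the two sections above, as an added Python example that is not part of the original article: a strict parser that enforces the field limits the text gives (4-byte header, 12-bit length that includes the header, reserved bits zero, attribute count matching the bytes present) and a small builder used only to construct sample packets. Two details are taken from the MS-SSTP specification rather than from the page: the version byte 0x10 for SSTP 1.0, and the per-attribute encoding (one reserved byte, a one-byte attribute ID, a 16-bit length with 4 reserved bits that includes the 4-byte attribute header, then the value). The message type and attribute values in the samples are constructed and carry no protocol meaning.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SSTP_HEADER_LEN = 4      # Version (8) + Reserved/C (8) + Reserved/Length (16)
SSTP_VERSION_1_0 = 0x10  # major 1 / minor 0; from MS-SSTP, not stated on the page
ATTR_HEADER_LEN = 4      # Reserved (8) + AttributeID (8) + Reserved/Length (16); MS-SSTP


class SstpParseError(ValueError):
    """Raised for any packet that violates the header or control-message layout."""


@dataclass
class SstpAttribute:
    attribute_id: int
    value: bytes


@dataclass
class SstpPacket:
    version: int
    is_control: bool
    length: int                              # total length, header included
    payload: bytes                           # PPP frame for data packets
    message_type: Optional[int] = None       # control packets only
    attributes: List[SstpAttribute] = field(default_factory=list)


def parse_sstp_packet(buf: bytes) -> SstpPacket:
    """Parse one SSTP packet from the start of buf, rejecting malformed input."""
    if len(buf) < SSTP_HEADER_LEN:
        raise SstpParseError("truncated SSTP header")
    version, flags, length_field = struct.unpack("!BBH", buf[:SSTP_HEADER_LEN])
    if flags & 0xFE:                         # upper 7 bits are Reserved
        raise SstpParseError("reserved bits set in flags byte")
    is_control = bool(flags & 0x01)          # C bit
    if length_field & 0xF000:                # upper 4 bits are Reserved
        raise SstpParseError("reserved bits set in length field")
    length = length_field & 0x0FFF           # 12-bit length including the header
    if length < SSTP_HEADER_LEN:
        raise SstpParseError("declared length shorter than the header")
    if length > len(buf):
        raise SstpParseError("declared length exceeds available bytes")
    payload = bytes(buf[SSTP_HEADER_LEN:length])
    pkt = SstpPacket(version, is_control, length, payload)
    if is_control:
        pkt.message_type, pkt.attributes = _parse_control_message(payload)
    return pkt


def _parse_control_message(data: bytes) -> Tuple[int, List[SstpAttribute]]:
    """Decode Message type, Attributes count and the attribute list."""
    if len(data) < 4:
        raise SstpParseError("truncated control message")
    message_type, attr_count = struct.unpack("!HH", data[:4])
    attrs: List[SstpAttribute] = []
    offset = 4
    for _ in range(attr_count):
        if len(data) - offset < ATTR_HEADER_LEN:
            raise SstpParseError("truncated attribute header")
        reserved, attr_id, attr_len_field = struct.unpack(
            "!BBH", data[offset:offset + ATTR_HEADER_LEN])
        if reserved or attr_len_field & 0xF000:
            raise SstpParseError("reserved bits set in attribute")
        attr_len = attr_len_field & 0x0FFF   # includes the attribute header
        if attr_len < ATTR_HEADER_LEN or offset + attr_len > len(data):
            raise SstpParseError("attribute length out of range")
        attrs.append(SstpAttribute(attr_id, data[offset + ATTR_HEADER_LEN:offset + attr_len]))
        offset += attr_len
    if offset != len(data):
        raise SstpParseError("trailing bytes after the last attribute")
    return message_type, attrs


def _header(is_control: bool, total_len: int) -> bytes:
    if total_len > 0x0FFF:
        raise ValueError("SSTP packets are limited to 4095 bytes by the 12-bit length")
    return struct.pack("!BBH", SSTP_VERSION_1_0, 0x01 if is_control else 0x00, total_len)


def build_data_packet(ppp_frame: bytes) -> bytes:
    """Wrap a PPP frame in an SSTP data packet (C bit clear)."""
    return _header(False, SSTP_HEADER_LEN + len(ppp_frame)) + ppp_frame


def build_control_packet(message_type: int, attributes: List[Tuple[int, bytes]]) -> bytes:
    """Build an SSTP control packet (C bit set) with the given attributes."""
    body = struct.pack("!HH", message_type, len(attributes))
    for attr_id, value in attributes:
        body += struct.pack("!BBH", 0, attr_id, ATTR_HEADER_LEN + len(value)) + value
    return _header(True, SSTP_HEADER_LEN + len(body)) + body


if __name__ == "__main__":
    # Constructed samples: a 4-byte pseudo-PPP frame and a control message with one attribute.
    print(parse_sstp_packet(build_data_packet(b"\xff\x03\xc0\x21")))
    print(parse_sstp_packet(build_control_packet(0x0001, [(0x01, b"\x00\x01")])))
```

The parser deliberately fails closed on every reserved bit and on any mismatch between the declared length, the attribute count and the bytes actually present, which is the behaviour a server-side implementation wants in front of an unauthenticated TLS client during the control phase.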


See also

* AuthIP
* L2TP/IPsec
* HTTPS
* OpenVPN
* OpenConnect VPN
* PPTP
* SoftEther VPN, an open-source VPN server program which supports the SSTP VPN protocol
* WireGuard


External links


* [MS-SSTP]: Secure Socket Tunneling Protocol (SSTP), by Microsoft Open Specification Promise
* RRAS Technet Blog
* Microsoft develops new tunneling protocol
* How SSTP based VPN connection works
* SSTP Client for Linux