In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network (such as the Internet) through a process called encapsulation.
Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, it can hide the nature of the traffic that is run through a tunnel.
The tunneling protocol works by using the data portion of a packet (the payload) to carry the packets that actually provide the service. Tunneling uses a layered protocol model such as those of the OSI or TCP/IP protocol suite, but usually violates the layering when using the payload to carry a service not normally provided by the network. Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.
Uses
A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4.
Another important use is to provide services that are impractical or unsafe to be offered using only the underlying network services, such as providing a corporate network address to a remote user whose physical network address is not part of the corporate network.
Circumventing firewall policy
Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy (or any set of interlocked firewall policies).
Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows connections only to specific ports, such as 443 for HTTPS.
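The port restriction described above is the proxy-side check that decides whether a CONNECT request is relayed at all. The following is an added example, not code from the article or from any particular proxy: it parses the request line of a CONNECT request, extracts the target host and port, and applies an allow-list of ports (443 here, mirroring the article's HTTPS case) plus a refusal to relay to private address literals. The allow-list and the `connect_decision` return values are this example's own conventions.

```python
import ipaddress
from urllib.parse import urlsplit

# Ports this proxy is willing to relay to. The article names 443 (HTTPS) as
# the typical allowed port; the exact set is policy and belongs to this example.
ALLOWED_CONNECT_PORTS = frozenset({443})


def parse_connect_target(request_line: str) -> tuple[str, int]:
    """Extract (host, port) from a request line such as
    'CONNECT example.com:443 HTTP/1.1'.

    A CONNECT request uses the authority form: host:port only, no scheme,
    no path, no userinfo. Anything else is rejected with ValueError.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request line")
    authority = parts[1]
    if "@" in authority:
        raise ValueError("userinfo is not permitted in a CONNECT target")
    # Feeding a scheme-relative URL to urlsplit gives us bracketed-IPv6 and
    # port handling for free; .port raises ValueError on a non-numeric or
    # out-of-range port.
    split = urlsplit("//" + authority)
    if split.hostname is None or split.path or split.query or split.fragment:
        raise ValueError("CONNECT target must be exactly host:port")
    if split.port is None:
        raise ValueError("CONNECT target must include an explicit port")
    return split.hostname, split.port


def connect_decision(request_line: str) -> tuple[bool, str]:
    """Return (allowed, status text) for a CONNECT request line.

    Beyond the port allow-list, a literal destination inside private address
    space is refused: a proxy reachable from outside that relays to RFC 1918
    targets would become a bridge into the network it sits in front of.
    """
    try:
        host, port = parse_connect_target(request_line)
    except ValueError as exc:
        return False, f"400 malformed request: {exc}"
    if port not in ALLOWED_CONNECT_PORTS:
        return False, f"403 port {port} not permitted for CONNECT"
    try:
        if ipaddress.ip_address(host).is_private:
            return False, "403 target address is private"
    except ValueError:
        pass  # a hostname, not an address literal; it is resolved later
    return True, f"200 relay to {host}:{port}"
```

A real proxy would also resolve hostnames and re-check the resolved addresses against the same private-range rule before connecting, otherwise a name that resolves to an internal address slips past the literal-only check.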
Other tunneling methods able to bypass network firewalls make use of different protocols such as DNS,[Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg.] MQTT,[Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.] and SMS.[Narteni, S., Vaccari, I., Mongelli, M., Aiello, M., & Cambiaso, E. (2021). Evaluating the possibility to perpetrate tunnelling attacks exploiting short-message-service. Journal of Internet Services and Information Security, 11, 30-46.]
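Of the carriers listed above, DNS is the one most networks must allow outbound, so it is also the one where defenders most often look for tunnels. The following is an added example, not from the article or the cited papers: a heuristic scorer run over a small constructed set of resolver-style query records. It aggregates queries per registered domain and flags a domain when its subdomains look like encoded payload, that is, nearly every query carries a distinct long, high-entropy label and the record types are ones that can return bulk data. The log format, thresholds and sample data are all this example's own.

```python
import math
from collections import defaultdict

# Constructed sample in a simple "client qname qtype" form (not from any real
# resolver). The 32-character hex labels under tunnel.example stand in for the
# encoded payload that a DNS tunnel places in the query name.
SAMPLE_QUERIES = """\
10.0.0.12 www.example.org A
10.0.0.12 mail.example.org MX
10.0.0.12 cdn.example.net A
10.0.0.23 7a9f3b2c8d1e4f5a6b7c8d9e0f1a2b3c.tunnel.example TXT
10.0.0.23 4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b.tunnel.example TXT
10.0.0.23 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tunnel.example TXT
10.0.0.23 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d.tunnel.example TXT
10.0.0.23 1f2e3d4c5b6a7988776655443322110a.tunnel.example TXT
10.0.0.31 www.example.com A
""".splitlines()

# Record types whose answers can carry a large amount of arbitrary data.
BULK_RECORD_TYPES = frozenset({"TXT", "NULL", "CNAME"})


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (registered domain, subdomain part). The last two labels are used
    as the registered domain; a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(lines, min_queries=3, min_label_len=24, min_entropy=3.0, min_unique_ratio=0.8):
    """Aggregate queries per registered domain and flag domains whose
    subdomains look like encoded payload rather than ordinary host names."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                      "max_label": 0, "entropy_sum": 0.0, "bulk_types": 0})
    for line in lines:
        _client, qname, qtype = line.split()
        domain, sub = split_name(qname)
        stats = per_domain[domain]
        stats["queries"] += 1
        if sub:
            stats["subdomains"].add(sub)
            stats["max_label"] = max(stats["max_label"], max(len(lbl) for lbl in sub.split(".")))
            stats["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype in BULK_RECORD_TYPES:
            stats["bulk_types"] += 1

    flagged = {}
    for domain, s in per_domain.items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge
        avg_entropy = s["entropy_sum"] / s["queries"]
        unique_ratio = len(s["subdomains"]) / s["queries"]
        if (s["max_label"] >= min_label_len
                and avg_entropy >= min_entropy
                and unique_ratio >= min_unique_ratio):
            flagged[domain] = {"queries": s["queries"],
                               "unique_ratio": unique_ratio,
                               "avg_entropy": round(avg_entropy, 2),
                               "bulk_types": s["bulk_types"]}
    return flagged
```

Each signal on its own produces false positives (CDNs use long hashed labels, some anti-spam services use high-entropy names), which is why the scorer only flags a domain when label length, entropy and the unique-subdomain ratio all exceed their thresholds; the bulk-record count is reported for the analyst rather than used as a hard condition.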
Technical overview
As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP protocol number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are the same, but the payload addresses are incompatible with those of the delivery network.
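The case just described, private addresses carried inside public ones, is easiest to see by building such a packet byte for byte. The following is an added example, not code from the article: it constructs a minimal IPv4 header, wraps an inner IPv4 packet in a GRE header (RFC 2784 base header, no optional fields) and an outer IPv4 header with protocol number 47, then walks the layers back out, verifying the outer checksum and reporting the addresses at each layer. The endpoint addresses in `demo()` are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
import struct

GRE_PROTOCOL_NUMBER = 47   # IP protocol number in the outer header (from the article)
GRE_PTYPE_IPV4 = 0x0800    # GRE "protocol type" (EtherType) for an IPv4 payload


def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header. Over a header that already
    carries its checksum the result is 0, which is how verification works."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        0,                    # DSCP / ECN
        20 + payload_len,     # total length
        0,                    # identification
        0x4000,               # flags: DF set, fragment offset 0
        ttl,
        protocol,
        0,                    # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    csum = ipv4_header_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def gre_encapsulate(inner_ip_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in GRE inside a new outer IPv4 header addressed
    between the two tunnel endpoints."""
    gre = struct.pack("!HH", 0x0000, GRE_PTYPE_IPV4)   # C=K=S=0, version 0
    outer = build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL_NUMBER,
                              len(gre) + len(inner_ip_packet))
    return outer + gre + inner_ip_packet


def gre_decapsulate(packet: bytes) -> dict:
    """Walk outer IPv4 -> GRE -> inner IPv4 and report the addresses at each layer.
    Anything that is not well-formed GRE-over-IPv4 carrying IPv4 is rejected."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    outer_ihl = (packet[0] & 0x0F) * 4
    if ipv4_header_checksum(packet[:outer_ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if packet[9] != GRE_PROTOCOL_NUMBER:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))

    flags, ptype = struct.unpack_from("!HH", packet, outer_ihl)
    gre_len = 4
    if flags & 0x8000:  # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:  # K bit: key present (RFC 2890)
        gre_len += 4
    if flags & 0x1000:  # S bit: sequence number present (RFC 2890)
        gre_len += 4
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError(f"GRE payload type 0x{ptype:04x} is not IPv4")

    inner = packet[outer_ihl + gre_len:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    inner_src = ipaddress.IPv4Address(inner[12:16])
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    return {
        "outer_src": outer_src,
        "outer_dst": outer_dst,
        "inner_src": str(inner_src),
        "inner_dst": str(inner_dst),
        "inner_protocol": inner[9],
        # The article's case: RFC 1918 addresses riding inside public ones.
        "inner_addresses_private": inner_src.is_private and inner_dst.is_private,
    }


def demo() -> dict:
    """Constructed example: a UDP packet between two RFC 1918 hosts, tunnelled
    between two documentation-range (RFC 5737) public endpoints."""
    inner = build_ipv4_header("10.0.0.1", "192.168.1.5", 17, 4) + b"data"
    tunnelled = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")
    return gre_decapsulate(tunnelled)
```

Note that nothing in the outer header ties the tunnel to its payload: a filter that inspects only the outer IPv4 header sees traffic between two public hosts using protocol 47 and learns nothing about the private addresses inside, which is exactly why perimeter policy for GRE has to be written in terms of which endpoints may speak it at all.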
It is also possible to establish a connection using the data link layer. The Layer 2 Tunneling Protocol (L2TP) allows the transmission of frames between two nodes. A tunnel is not encrypted by default: the TCP/IP protocol chosen determines the level of security.
SSH uses port 22 to enable data encryption of payloads being transmitted over a public network (such as the Internet) connection, thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but can also operate in a tunneling mode through a trusted security gateway.
To understand a particular protocol stack imposed by tunneling, network engineers must understand both the payload and delivery protocol sets.
Common tunneling protocols
* IP in IP (Protocol 4): IP in IPv4/IPv6
* SIT/IPv6 (Protocol 41): IPv6 in IPv4/IPv6
* GRE (Protocol 47): Generic Routing Encapsulation
* OpenVPN (UDP port 1194)
* SSTP (TCP port 443): Secure Socket Tunneling Protocol
* IPsec (Protocol 50 and 51): Internet Protocol Security
* L2TP (Protocol 115): Layer 2 Tunneling Protocol
* VXLAN (UDP port 4789): Virtual Extensible Local Area Network
* GENEVE
* WireGuard
Secure Shell tunneling
A ''Secure Shell (SSH) tunnel'' consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. It is a software-based approach to network security and the result is transparent encryption.
For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.
Once an SSH connection has been established, the tunnel starts with SSH listening to a port on the remote or local host. Any connections to it are forwarded to the specified address and port originating from the opposing (remote or local, as previously) host.
Tunneling a TCP-''encapsulating'' payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance (a problem known as "TCP meltdown"), which is why virtual private network software may instead use a protocol simpler than TCP for the tunnel connection. However, this is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination. Naturally, this wrapping and unwrapping also occurs in the reverse direction of the bidirectional tunnel.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server, users would point their browser to the local port at http://localhost/
Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application doesn't support SOCKS, a proxifier can be used to redirect the application to the local SOCKS proxy server. Some proxifiers, such as Proxycap, support SSH directly, thus avoiding the need for an SSH client.
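What makes dynamic forwarding more flexible than a fixed `-L` forward is that the destination travels inside each request: the application tells the local SOCKS proxy where to connect, per connection. The following is an added example, not code from the article or from OpenSSH: it encodes and decodes the SOCKS5 request message (RFC 1928 section 4: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT) for IPv4, IPv6 and domain-name destinations, and shows where a local proxy would apply a policy before relaying. The `evaluate_request` policy (CONNECT only, a port allow-list) is this example's own, not a description of what any SSH client enforces.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Reply codes from RFC 1928 section 6.
REPLY_SUCCEEDED = 0x00
REPLY_GENERAL_FAILURE = 0x01
REPLY_NOT_ALLOWED = 0x02
REPLY_CMD_UNSUPPORTED = 0x07
REPLY_ATYP_UNSUPPORTED = 0x08


def parse_socks5_request(data: bytes) -> dict:
    """Decode a SOCKS5 request: VER CMD RSV ATYP DST.ADDR DST.PORT.
    Every length is checked before it is read so a truncated or padded
    message raises ValueError instead of being misinterpreted."""
    if len(data) < 4:
        raise ValueError("request too short")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise ValueError(f"unsupported SOCKS version {ver}")
    if rsv != 0:
        raise ValueError("reserved byte must be zero")
    pos = 4
    if atyp == ATYP_IPV4:
        if len(data) < pos + 4:
            raise ValueError("truncated IPv4 address")
        host = str(ipaddress.IPv4Address(data[pos:pos + 4]))
        pos += 4
    elif atyp == ATYP_IPV6:
        if len(data) < pos + 16:
            raise ValueError("truncated IPv6 address")
        host = str(ipaddress.IPv6Address(data[pos:pos + 16]))
        pos += 16
    elif atyp == ATYP_DOMAIN:
        if len(data) < pos + 1:
            raise ValueError("missing domain length")
        n = data[pos]
        pos += 1
        if n == 0 or len(data) < pos + n:
            raise ValueError("bad domain length")
        host = data[pos:pos + n].decode("ascii")
        pos += n
    else:
        raise ValueError(f"unsupported address type {atyp}")
    if len(data) < pos + 2:
        raise ValueError("truncated port")
    (port,) = struct.unpack_from("!H", data, pos)
    pos += 2
    if pos != len(data):
        raise ValueError("trailing bytes after request")
    return {"cmd": cmd, "atyp": atyp, "host": host, "port": port}


def build_socks5_request(cmd: int, host: str, port: int) -> bytes:
    """Encode a SOCKS5 request, choosing ATYP from the shape of `host`."""
    try:
        addr = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        body = addr.packed
    except ValueError:
        encoded = host.encode("ascii")
        if not 0 < len(encoded) < 256:
            raise ValueError("domain name must be 1..255 bytes")
        atyp, body = ATYP_DOMAIN, bytes([len(encoded)]) + encoded
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, cmd, 0x00, atyp]) + body + struct.pack("!H", port)


def evaluate_request(data: bytes, allowed_ports=frozenset({80, 443})) -> int:
    """Reply code a local proxy would send for this request. The policy here
    (CONNECT only, destination port must be in `allowed_ports`) is
    illustrative; it is where per-connection egress control would live."""
    try:
        req = parse_socks5_request(data)
    except ValueError:
        return REPLY_GENERAL_FAILURE
    if req["cmd"] != CMD_CONNECT:
        return REPLY_CMD_UNSUPPORTED
    if req["port"] not in allowed_ports:
        return REPLY_NOT_ALLOWED
    return REPLY_SUCCEEDED
```

Because the destination is carried in-band, the SOCKS proxy (here, the SSH client) is the only component on the local side that sees where each connection is going; the SSH server resolves domain-name destinations at the far end, which is why a dynamically forwarded application's DNS lookups also leave through the tunnel when the application is configured to send names rather than addresses.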
In recent versions of OpenSSH it is even allowed to create layer 2 or layer 3 tunnels if both ends have enabled such tunneling capabilities. This creates tun (layer 3, default) or tap (layer 2) virtual interfaces on both ends of the connection. This allows normal network management and routing to be used, and when used on routers, the traffic for an entire subnetwork can be tunneled. A pair of tap virtual interfaces function like an Ethernet cable connecting both ends of the connection and can join kernel bridges.
Cyberattacks based on tunneling
Over the years, tunneling and data encapsulation in general have frequently been adopted for malicious reasons, in order to communicate covertly outside of a protected network.
In this context, known tunnels involve protocols such as HTTP, SSH, DNS and MQTT.[Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.]
See also
* GPRS Tunnelling Protocol (GTP)
* HTTP tunnel
* ICMP tunnel
* NVGRE
* OSI model (Diagram)
* Pseudo-wire
* Stunnel
* Tunnel broker
* Virtual Extensible LAN (VXLAN)
* Virtual private network (VPN)
External links
* PortFusion: distributed reverse / forward, local forward proxy and tunneling solution for all TCP protocols
* SSH VPN tunnel, see the SSH-BASED VIRTUAL PRIVATE NETWORKS section
* BarbaTunnel Project - Free open source implementation of HTTP-Tunnel and UDP-Tunnel on Windows
* VpnHood Project - Free open source implementation of a VPN using socket redirection