computer network A computer network is a collection of communicating computers and other devices, such as printers and smart phones. In order to communicate, the computers and devices must be connected by wired media like copper cables, optical fibers, or b ...

s, a tunneling protocol is a

communication protocol A communication protocol is a system of rules that allows two or more entities of a communications system to transmit information via any variation of a physical quantity. The protocol defines the rules, syntax, semantics (computer science), sem ...

which allows for the movement of data from one network to another. They can, for example, allow private network communications to be sent across a public network (such as the

Internet The Internet (or internet) is the Global network, global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a internetworking, network of networks ...

), or for one network protocol to be carried over an incompatible network, through a process called encapsulation. Because tunneling involves repackaging the traffic data into a different form, perhaps with

encryption In Cryptography law, cryptography, encryption (more specifically, Code, encoding) is the process of transforming information in a way that, ideally, only authorized parties can decode. This process converts the original representation of the inf ...

as standard, it can hide the nature of the traffic that is run through a tunnel. Tunneling protocols work by using the data portion of a packet (the payload) to carry the packets that actually provide the service. Tunneling uses a layered protocol model such as those of the OSI or

TCP/IP The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suite are ...

protocol suite, but usually violates the layering when using the payload to carry a service not normally provided by the network. Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.

Uses

A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running

IPv6 Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communication protocol, communications protocol that provides an identification and location system for computers on networks and routes traffic ...

over

IPv4 Internet Protocol version 4 (IPv4) is the first version of the Internet Protocol (IP) as a standalone specification. It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. ...

. Another important use is to provide services that are impractical or unsafe to be offered using only the underlying network services, such as providing a corporate network address to a remote user whose physical network address is not part of the corporate network.

Circumventing firewall policy

Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as

HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...

. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy (or any set of interlocked firewall policies). Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows connections only to specific ports, such as 443 for HTTPS. Other tunneling methods able to bypass network firewalls make use of different protocols such as DNS,Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg. MQTT,Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280. SMS.Narteni, S., Vaccari, I., Mongelli, M., Aiello, M., & Cambiaso, E. (2021). Evaluating the possibility to perpetrate tunnelling attacks exploiting shortmessage-service. Journal of Internet Services and Information Security, 11, 30-46.

Technical overview

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP ( IP protocol number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are the same, but the payload addresses are incompatible with those of the delivery network. It is also possible to establish a connection using the data link layer. The Layer 2 Tunneling Protocol (L2TP) allows the transmission of frames between two nodes. A tunnel is not encrypted by default: the

protocol chosen determines the level of security. SSH uses port 22 to enable data encryption of payloads being transmitted over a public network (such as the Internet) connection, thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but can also operate in a tunneling mode through a trusted security gateway. To understand a particular protocol stack imposed by tunneling, network engineers must understand both the payload and delivery protocol sets.

Common tunneling protocols

* IP in IP (IP protocol 4): IP in IPv4/IPv6 * SIT/IPv6 (IP protocol 41): IPv6 in IPv4/IPv6 * GRE (IP protocol 47): Generic Routing Encapsulation * OpenVPN (UDP port 1194) * SSTP (TCP port 443): Secure Socket Tunneling Protocol * IPSec (IP protocols 50 and 51): Internet Protocol Security * L2TP (UDP port 1701): Layer 2 Tunneling Protocol * L2TPv3 (IP protocol 115): Layer 2 Tunneling Protocol version 3 *

VXLAN Virtual eXtensible LAN (VXLAN) is a network virtualization technology that uses a VLAN-like encapsulation technique to encapsulate OSI model, OSI layer 2 Ethernet frames within layer 4 User Datagram Protocol, UDP datagrams, using 4789 as the defau ...

(UDP port 4789): Virtual Extensible Local Area Network * PPTP (TCP port 1723 for control, GRE for data): Point-to-Point Tunneling Protocol *

PPPoE The Point-to-Point Protocol over Ethernet (PPPoE) is a network protocol for Encapsulation (networking), encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It appeared in 1999, in the context of the boom of DSL as the solu ...

(EtherType 0x8863 for control, 0x8864 for data): Point-to-Point Protocol over Ethernet * GENEVE * WireGuard (UDP dynamic port)

TCP meltdown problem

Tunneling a TCP-''encapsulating'' payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance — known as the ''TCP meltdown problem'' which is why

virtual private network Virtual private network (VPN) is a network architecture for virtually extending a private network (i.e. any computer network which is not the public Internet) across one or multiple other networks which are either untrusted (as they are not con ...

(VPN) software may instead use a protocol simpler than TCP for the tunnel connection. TCP meltdown occurs when a TCP connection is stacked on top of another. The underlying layer may detect a problem and attempt to compensate, and the layer above it then overcompensates because of that, and this overcompensation causes said delays and degraded transmission performance.

Secure Shell tunneling

A ''

Secure Shell The Secure Shell Protocol (SSH Protocol) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH was designed for ...

(SSH) tunnel'' consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. It is a software-based approach to network security and the result is transparent encryption. For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish a SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security. Once an SSH connection has been established, the tunnel starts with SSH listening to a port on the remote or local host. Any connections to it are forwarded to the specified address and port originating from the opposing (remote or local, as previously) host. The TCP meltdown problem is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination. Naturally, this wrapping and unwrapping also occurs in the reverse direction of the bidirectional tunnel. SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server, users would point their browser to the local port at http://localhost/ Some SSH clients support dynamic port forwarding that allows the user to create a

SOCKS A sock is a piece of clothing worn on the feet and often covering the ankle or some part of the Calf (leg), calf. Some types of shoes or boots are typically worn over socks. In ancient times, socks were made from leather or matted animal hair. ...

4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application does not support SOCKS, a proxifier can be used to redirect the application to the local SOCKS proxy server. Some proxifiers, such as Proxycap, support SSH directly, thus avoiding the need for an SSH client. In recent versions of OpenSSH it is even allowed to create layer 2 or layer 3 tunnels if both ends have enabled such tunneling capabilities. This creates tun (layer 3, default) or tap (layer 2) virtual interfaces on both ends of the connection. This allows normal network management and routing to be used, and when used on routers, the traffic for an entire subnetwork can be tunneled. A pair of tap virtual interfaces function like an Ethernet cable connecting both ends of the connection and can join kernel bridges.

Cyberattacks based on tunneling

Over the years, tunneling and data encapsulation in general have been frequently adopted for malicious reasons, in order to maliciously communicate outside of a protected network. In this context, known tunnels involve protocols such as

, SSH, DNS, MQTT.Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.

References

{{Reflist

External links

PortFusion
distributed reverse / forward, local forward proxy and tunneling solution for all TCP protocols
SSH VPN tunnel, see the SSH-BASED VIRTUAL PRIVATE NETWORKS section

BarbaTunnel Project - Free open source implementation of HTTP-Tunnel and UDP-Tunnel on Windows

VpnHood Project - Free open source implementation of a VPN using socket redirection
Network protocols Cybersecurity engineering