Introduction

A tunneling protocol is a network protocol which encapsulates a payload protocol, acting as a payload protocol. It is the process of putting one packet inside another. Recalling that packets are the chunks of information into which all Internet messages get chopped, tunneling can be thought of as the act of encapsulating ordinary (non-secure) IP packets inside of encrypted (secure) IP packets Reasons to tunnel include carrying a payload over an incompatible delivery network, or to provide a secure path through an untrusted network.

Tunneling does not always fit a layered protocol model such as those of OSI or TCP/IP. Protocol encapsulation that is carried out by conventional layered protocols, in accordance with the OSI model or TCP/IP model, for example HTTP over TCP over IP over PPP over a V.92 modem, should not be considered as tunneling.
As an example of network layer over network layer, Generic Routing Encapsulation (GRE), which is a protocol running over IP ( IP Protocol Number 47), often is used to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are compatible, but the payload addresses are incompatible with those of the delivery network.
In contrast, an IP payload might believe it sees a data link layer delivery when it is carried inside the Layer 2 Tunneling Protocol, which appears to the payload mechanism as a protocol of the data link layer. L2TP, however, actually runs over the transport layer using User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could run over any data link protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.
Tunneling protocols may use data encryption to transport insecure payload protocols over a public network such as the Internet thereby providing VPN functionality. IPSec has an end-to-end Transport Mode, but also can be operate in a Tunneling Mode through a trusted security gateway.

Types of tunneling protocols

a) Datagram-based

PPTP

Point-to-Point Tunneling Protocol is the method used to create secure channels in Microsoft® Windows NTTM, and Microsoft has said it will build support for PPTP into Windows 98 clients. PPTP support is also available for Windows 95 from Microsoft, and for other Windows clients from third parties. PPTP is built on top of Point-to-Point Protocol (PPP), which most of us experience as the login protocol for dial-up Internet access. PPP already has some encryption capability, for instance the CHAP and PAP algorithms used to encrypt passwords during dial-up authentication

L2TP

L2TP stands for Layer 2 Tunneling Protocol, which refers to the low level network layer at which the protocol operates. The outstanding difference between L2TP and PPTP is that the former combines the control and data channels of the latter, and runs over UDP as opposed to TCP. UDP is a faster, leaner (and less reliable) protocol for sending packets that, because it does not retransmit lost packets, is commonly used in real-time Internet communications. PPTP, by contrast, separates the control and data channels into control stream that runs over TCP and a data stream that runs over GRE (a less popular Internet standard). Combining the control/data channels and using high-performance UDP makes L2TP more “firewall friendly” than PPTP — a crucial advantage for an extranet protocol — since most firewalls do not support GRE.
L2TP, like PPTP, is protocol-independent, meaning it can run in other milieus than the Internet. L2TP can also run over a wider variety of physical topologies such as X.25, Frame Relay and ATM. But for all practical purposes, vendors that support it are implementing L2TP over UDP for use with Internet tunneling.
IPSec
IPSec allows machines to support a number of encryption algorthims for encrypting the actual data stream, such as DES, Triple DES, IDEA, etcIPsec has recourse to much stronger algorithms than PPP.
Better still, IPsec includes an integrity check. This ensures that no packets are deleted, added or tampered with during transmission, giving IPsec unique clout in meeting the integrity goal of security standards. Moreover, IPSec security information is itself encrypted. IPSec uses machine level certificates that authenticate the identity of the communicating hosts using public key encryption.

b) Stream-based:

SSH
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols.
It is used frequently as an alternative to a full-fledged VPN. In this type of use, a (non-secure) TCP/IP connection of an external application is redirected to the SSH program (client or server), which forwards it to the other SSH party (server or client), which in turn forwards the connection to the desired destination host. The forwarded connection is encrypted and protected on the path between the SSH client and server only. Uses of SSH port forwarding include accessing database servers, email servers, securing X11, Windows Remote Desktop and VNC connections or even forwarding Windows file shares. This is primarily useful for tunneling connections through firewalls which would ordinarily block that type of connection, and for encrypting protocols which are not normally encrypted (e.g. VNC).

SOCKS
SOCKS is an internet protocol that allows client-server applications to transparently use the services of a network firewall. SOCKS is an abbreviation for “SOCKetS”.
Clients behind a firewall, needing to access exterior servers, may connect to a SOCKS proxy server instead. Such proxy server controls the eligibility of the client to access the external server and passes the request on to the server. SOCKS can also be used in the opposite way, allowing the clients outside the firewall (”exterior clients”) to connect to servers inside the firewall (internal servers).

Applications of Tunneling Protocols

SSH tunneling

SSH is frequently used to tunnel insecure traffic over the Internet in a secure way. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely through the Internet, someone snooping on the connection could see your files.
So to mount an SMB file system securely, one can establish an SSH tunnel that routes all SMB traffic to the fileserver inside an SSH-encrypted connection. Even though the SMB traffic itself is insecure, because it travels within an encrypted connection it becomes secure.

Tunneling to circumvent firewall policy

Tunneling can also be used to traverse a firewall (firewall policy permitting). In this case, protocols that are normally blocked by the firewall are encapsulated inside a commonly allowed protocol such as HTTP. If the policy on the firewall does not exercise enough control over HTTP requests, this can sometimes be used to circumvent the intended firewall policy.
Another HTTP-based tunneling method uses the HTTP CONNECT method/command. This command tells an HTTP proxy to make a TCP connection to the specified server:port, and relay data back and forth between that connection and the client connection. Therefore, for security reasons, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method to accessing TLS/SSL-based HTTPS services only.

VPN – PPTP

An IP-based Virtual Private Network (VPN) provides a secure tunnel for transmitting data through an unsecured network such as the Internet. There are several protocols that can be used to achieve this including PPTP, L2TP, L2F, and IPSEC. IPSEC is the only protocol that is an IETF standard. A VPN is “virtual” because it does not require dedicated lines. It is “private” because encryption is used to achieve security. It also uses an IP “network” for communication.
Point-to-Point Tunneling Protocol (PPTP) is a protocol (set of communication rules) that allows corporations to extend their own corporate network through private “tunnels” over the public Internet. Effectively, a corporation uses a wide-area network as a single large local area network. A company no longer needs to lease its own lines for wide-area communication but can securely use the public networks. This kind of interconnection is known as a virtual private network or VPN.

Article Authored by Shaheen

Author, Shaheen, is a Systems Engineer with SupportPRO. Shaheen specializes in Cpanel and Linux servers. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers..