NETWORK TUNNELING – THE CONCEPT, THE APPLICATIONS
-Atishay Jain, 10783017 3T5, CSED, Thapar University
INTRODUCTION

For a layman, a tunnel can be defined as follows: “A tunnel provides a route for moving from one of its ends to the other, hiding the details of the route in between.” By this definition the purpose of a tunnel is to connect two points such that the route in between is not a concern of the travellers. The same holds for network tunnels. A network tunnel connects two points across a network such that, for the client application relying on the tunnel endpoints, the route travelled in between can be treated as if it were not there. This is achieved by encapsulating the client's data inside a packet of the protocol supported by the tunneling application at the sending endpoint, and decapsulating it again at the receiving endpoint.

Formally, tunneling can be defined as: “The term tunneling protocol is used to describe when one network protocol, called the payload protocol, is encapsulated within a different delivery protocol.” Thus, when a packet of one protocol is encapsulated in a protocol in which, according to the OSI model, it is not supposed to appear, we are performing tunneling. The delivery header added to the packet carries the data across the network; at the far end it is stripped off and the original packet is handed to the client application.

Tunneling is typically contrasted with a layered protocol model such as OSI or TCP/IP. The delivery protocol usually (but not always) sits at a higher layer than the payload protocol, or at the same layer. To understand a particular protocol stack, both the payload and the delivery protocol sets must be understood. Protocol encapsulation carried out by conventional layered protocols in accordance with the OSI or TCP/IP model, for example HTTP over TCP over IP over PPP over a V.92 modem, is not considered tunneling.
As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running directly over IP (IP protocol number 47), is often used to carry IP packets with RFC 1918 private addresses over the Internet inside delivery packets with public IP addresses. In this case the delivery and payload protocols are the same, but the payload addresses are not routable on the delivery network. GRE itself adds neither encryption nor authentication, so on a public path it is commonly paired with IPsec when confidentiality is required. In contrast, an IP payload might believe it sees a data-link-layer delivery when it is carried inside the Layer 2 Tunneling Protocol (L2TP), which appears to the payload as a data link layer protocol. L2TP, however, actually runs over the transport layer, using the User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could in turn run over any data link protocol, from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dial-up modem link.
Figure 1: Tunneling, an example. The figure illustrates a Layer 3 packet encapsulated in another Layer 3 packet.
POPULAR TYPES OF TUNNELING
1. SSH tunneling: An SSH tunnel is an encrypted tunnel created through an SSH protocol connection. SSH tunnels may be used to carry unencrypted traffic over a network through an encrypted channel. For example, Windows machines share files using the SMB protocol, which traditionally is not encrypted. If you were to mount a Windows filesystem remotely over the Internet, someone snooping on the connection could see your files. To mount the filesystem securely, you can establish an SSH tunnel that routes all SMB traffic to the remote file server through the encrypted channel. Even though SMB itself is unencrypted, the traffic is protected on the leg between the SSH client and the SSH server; note that if the SSH server and the file server are different machines, the final hop between them is in the clear again. To create an SSH tunnel, the SSH client is configured to forward a specified local port to a port on the remote machine. Once the tunnel has been established, the user connects to the local port to reach the network service. The local port need not be the same as the remote port. Tunnels can be created at any time, with almost no effort and no programming, which makes them very appealing. SSH port forwarding is a very useful but often misunderstood technology, and it can be used for secure communications in a myriad of ways. The diagram below shows how an IRC chat network can be made securely accessible from outside the company premises by means of SSH tunneling.
Figure 2: SSH tunneling for IRC
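The local forward described above has two siblings, remote (-R) and dynamic (-D, a SOCKS proxy), and all three share the same pitfalls: a listener accidentally bound to every interface, a forward that silently fails to come up, and the assumption that the whole path is encrypted. As an added example (code written for this article, not from the original page or from OpenSSH; the host names gateway.example.com and fileserver are placeholders), the following Python builds the ssh command lines with the defaults a careful user wants:

```python
"""Build ssh(1) port-forwarding command lines with safe defaults.

Example code added for this article (not from the original page or from
OpenSSH). Host names such as gateway.example.com and fileserver are
placeholders chosen for the illustration.
"""

# -N: no remote shell, just the forwards. ExitOnForwardFailure makes ssh
# exit instead of silently carrying on when the listener cannot be bound.
SSH_BASE = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
ALL_INTERFACES = {"0.0.0.0", "::", "*", ""}


def _check_port(port, what):
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"{what} port {port!r} is not in 1..65535")


def _check_bind(bind, allow_lan):
    # A listener bound to every interface is usable by any host that can
    # reach this machine, turning a personal tunnel into an open relay.
    if bind in ALL_INTERFACES and not allow_lan:
        raise ValueError(f"bind address {bind!r} exposes the forward to the "
                         "network; pass allow_lan=True if that is intended")


def local_forward(local_port, remote_host, remote_port, gateway,
                  bind="127.0.0.1", allow_lan=False):
    """ssh -L: listen on bind:local_port here; each connection is carried
    inside the SSH session to gateway, which then opens a plain TCP
    connection to remote_host:remote_port. Only this machine <-> gateway is
    encrypted; if remote_host is not the gateway, that last hop is clear."""
    _check_port(local_port, "local")
    _check_port(remote_port, "remote")
    _check_bind(bind, allow_lan)
    return SSH_BASE + ["-L", f"{bind}:{local_port}:{remote_host}:{remote_port}", gateway]


def remote_forward(remote_port, local_host, local_port, gateway,
                   bind="127.0.0.1", allow_lan=False):
    """ssh -R: the listener lives on gateway; connections to it are relayed
    back through the session to local_host:local_port as seen from here.
    A non-loopback bind on the gateway additionally needs GatewayPorts
    enabled in its sshd_config."""
    _check_port(remote_port, "remote")
    _check_port(local_port, "local")
    _check_bind(bind, allow_lan)
    return SSH_BASE + ["-R", f"{bind}:{remote_port}:{local_host}:{local_port}", gateway]


def dynamic_forward(local_port, gateway, bind="127.0.0.1", allow_lan=False):
    """ssh -D: a SOCKS 4/5 proxy on bind:local_port; any SOCKS-aware client
    (browser, IRC client) gets its TCP connections made from gateway."""
    _check_port(local_port, "local")
    _check_bind(bind, allow_lan)
    return SSH_BASE + ["-D", f"{bind}:{local_port}", gateway]


if __name__ == "__main__":
    import shlex
    # SMB over SSH: local 4445 (445 is already owned by the OS on Windows)
    # relayed to fileserver:445 via gateway.example.com.
    print(shlex.join(local_forward(4445, "fileserver", 445, "gateway.example.com")))
    print(shlex.join(dynamic_forward(1080, "gateway.example.com")))
```

For the SMB case, run the command that local_forward(4445, "fileserver", 445, "gateway.example.com") produces and then point the SMB client at the local end, for example smbclient -p 4445 //127.0.0.1/share. The local port is 4445 rather than 445 because Windows already listens on 445, which is the article's point that the local and remote ports need not match. Only the leg between this machine and gateway.example.com is encrypted; if fileserver is a different host, the gateway speaks plain SMB to it.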
2. HTTP Encapsulation: One HTTP-based tunneling method uses the HTTP CONNECT method. A client issues a CONNECT request to an HTTP proxy naming a server:port. The proxy then makes a TCP connection to that server:port and relays bytes between it and the client connection without interpreting them. Because this hands the client an arbitrary TCP relay from the proxy's network position, CONNECT-capable HTTP proxies commonly restrict the CONNECT method, typically permitting it only towards the port used by TLS/SSL-based HTTPS services (443).
Figure 3: HTTP tunneling. The figure shows how a tunneling server can carry HTTP data over the network by encapsulating it within another HTTP packet.

SOME IMPORTANT TERMS:
1. Proxy Server: In computer networks, a proxy server is a server (a computer system or an application program) that acts as a go-between for requests from clients seeking resources from other servers. A client connects to the proxy server requesting some service, such as a file, connection, web page or other resource available from a different server.

2. URL Translation: Unlike tunneling, URL translation involves sending only the URL to the proxy, which fetches the page and returns it. There is no protocol-in-protocol encapsulation; the proxy acts as a client of the origin server in the true sense. Sessions and cookies are therefore established at the proxy rather than at the true client, unlike with tunneling.

3. SOCKS 4/5: SOCKS is an Internet protocol that routes network packets between client-server applications via a proxy server. SOCKS operates at Layer 5 of the OSI model, the Session Layer. SOCKS4 relays TCP connections only; SOCKS5 (RFC 1928) adds client authentication, UDP relaying and IPv6 addresses.
APPLICATIONS

1. IPv6 in IPv4: Involves the transfer of IPv6 packets over routers that support only IPv4; IPv4 acts as the tunnel for the IPv6 packets. Steps:
• Prepare an IPv6 packet.
• Encapsulate it (not encrypt it: the IPv4 header adds no confidentiality) in an IPv4 packet addressed to the far tunnel endpoint, with the IPv4 protocol field set to 41 to mark the payload as IPv6.
• Cross the old IPv4-only routers, which forward it as ordinary IPv4 traffic.
• Decapsulate at the far endpoint and hand the IPv6 packet to the IPv6 stack.
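The GRE case from the introduction and the IPv6-in-IPv4 steps just listed both come down to prefixing a packet with an outer IPv4 header whose protocol field says what is inside. As an added example (code written for this article, not from the original page; the addresses are from RFC 1918 and the RFC 5737 documentation ranges, and the UDP datagram is constructed), the following Python builds both kinds of tunnel packet and then decapsulates them, checking the outer header the way a receiving endpoint should before trusting what it finds inside:

```python
"""Build and unpack the two carrier-level tunnels the article describes:
IPv6 inside IPv4 (outer protocol 41, RFC 4213) and IPv4 inside GRE inside
IPv4 (outer protocol 47, RFC 2784).

Example code added for this article (not from the original page). Addresses
come from RFC 1918 and the RFC 5737 documentation ranges.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41        # outer IPv4 protocol field: payload is an IPv6 packet
IPPROTO_GRE = 47         # outer IPv4 protocol field: payload is a GRE header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field for an IPv4 payload
IPV6_NO_NEXT_HEADER = 59
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; over a header whose checksum
    field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64) -> bytes:
    """Minimal 20-byte IPv4 header, no options, DF set, checksum computed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64) -> bytes:
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def encap_6in4(ipv6_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Step 2 of the IPv6-in-IPv4 procedure: prefix an IPv4 header addressed
    to the far tunnel endpoint. Nothing is encrypted."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPV6, len(ipv6_packet)) + ipv6_packet


def encap_gre(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Private-address IPv4 packet inside GRE inside public-address IPv4.
    The 4-byte GRE header used here has no C/K/S fields and version 0."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner_packet)) + gre + inner_packet


def decap(packet: bytes):
    """Validate the outer IPv4 header and return (kind, inner_packet), kind
    being "ipv6" for 6in4 or "ipv4" for IPv4-over-GRE. Anything malformed
    raises ValueError instead of being handed to the inner stack."""
    if len(packet) < 20:
        raise ValueError("too short for IPv4")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("outer total length inconsistent with packet")
    proto, inner = packet[9], packet[ihl:total_len]
    if proto == IPPROTO_IPV6:
        if len(inner) < 40 or inner[0] >> 4 != 6:
            raise ValueError("6in4 payload is not an IPv6 packet")
        return "ipv6", inner
    if proto == IPPROTO_GRE:
        if len(inner) < 4:
            raise ValueError("truncated GRE header")
        flags, ethertype = struct.unpack("!HH", inner[:4])
        if flags & 0x0007:
            raise ValueError("unsupported GRE version")
        # Optional checksum (C), key (K) and sequence (S) fields, 4 bytes each
        offset = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        if ethertype != ETHERTYPE_IPV4 or len(inner) < offset + 20:
            raise ValueError("GRE payload is not an IPv4 packet")
        return "ipv4", inner[offset:]
    raise ValueError("outer protocol %d is not a tunnel this decoder handles" % proto)


def ipv4_endpoints(packet: bytes):
    """(src, dst) of an IPv4 packet as dotted strings."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))


def is_rfc1918(addr: str) -> bool:
    """True for the private ranges GRE is typically used to carry."""
    return any(ipaddress.IPv4Address(addr) in net for net in RFC1918)


if __name__ == "__main__":
    v6 = ipv6_header("2001:db8::1", "2001:db8::2", IPV6_NO_NEXT_HEADER, 0)
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)  # constructed empty UDP datagram
    v4 = ipv4_header("10.0.0.1", "10.0.0.2", 17, len(udp)) + udp
    for name, pkt in (("6in4", encap_6in4(v6, "198.51.100.1", "203.0.113.1")),
                      ("gre", encap_gre(v4, "198.51.100.1", "203.0.113.1"))):
        kind, inner = decap(pkt)
        print(name, len(pkt), "bytes, outer", ipv4_endpoints(pkt), "->", kind, len(inner), "bytes")
```

Run stand-alone it prints the sizes and addresses of the outer and inner packets. The point to notice is that decap() verifies the version, header length, checksum and total length of the outer header, and the version or ethertype of the inner one, before returning anything; a tunnel endpoint is an input parser exposed to the network and should be written as one. Neither tunnel type adds confidentiality: the private-address payload is readable by anyone on the public path.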
2. Secure Transfer: Usage of SSL/TLS for data transfer. Steps:
• Encapsulate the information in its own, usually plaintext, application protocol.
• Encapsulate that in a secure protocol (SSL/TLS), which encrypts and authenticates it.
• Send it across the network.
• Decapsulate at the receiver, recovering the original application data.
3. Virtual Private Networks: A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network, such as the Internet, as opposed to running across a single private network. The link-layer protocols of the virtual network are said to be tunneled through the transport network. One common application is to secure communications through the public Internet, but a VPN does not need to have explicit security features such as authentication or content encryption. For example, VPNs can also be used to separate the traffic of different user communities over an underlying network that already has strong security features, or to provide access to a network via customized or private routing mechanisms. Whether a given VPN actually protects the data therefore depends on the tunneling protocol chosen, not on the word “private”. The figure below shows a virtual private network extending the extranet to a work-from-home facility, as well as the intranet to geographically remote sites, connected via the Internet.
Figure 4: VPN

4. Misuse: Access to blocked sites: Tunneling can also be used to “sneak through” a firewall. A protocol that is blocked by the firewall is “wrapped” inside a protocol that is not blocked, such as HTTP. If the firewall policy has not been written to exclude this kind of “wrapping” (for example by restricting where HTTP CONNECT may go, or by inspecting long-lived HTTP sessions that carry non-HTTP data), this trick can be used to get around the intended firewall policy.

Figure 5: A chat client using HTTP tunneling.
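The CONNECT behaviour described under HTTP Encapsulation and the firewall-evasion case just described are two sides of the same relay. As an added example (code written for this article, not from the original page or from any real proxy; the port allow-list and the sample requests are constructed), the following Python parses a CONNECT request line and applies the policy a proxy needs so that CONNECT is not a free tunnel: only the HTTPS port is permitted, and the proxy refuses to connect into its own internal address space:

```python
"""Parse HTTP CONNECT requests and apply the policy that keeps the CONNECT
relay from being a general-purpose tunnel.

Example code added for this article (not from the original page or from any
real proxy). The port allow-list and the sample requests are constructed.
"""
import ipaddress
import re

# RFC 7231 section 4.3.6: the CONNECT target is host:port only (no path).
REQUEST_LINE = re.compile(
    rb"^CONNECT (?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(?P<port>\d{1,5}) "
    rb"HTTP/1\.[01]\r\n"
)
ALLOWED_PORTS = frozenset({443})  # the article's policy: HTTPS targets only


def parse_connect(request: bytes):
    """Return (host, port) from a raw CONNECT request, or raise ValueError."""
    m = REQUEST_LINE.match(request)
    if not m:
        raise ValueError("not a CONNECT request line")
    host = m.group("host").decode("ascii").strip("[]")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return host, port


def is_internal_target(host: str) -> bool:
    """True for IP literals in loopback, link-local or private ranges. The
    proxy connects from its own network position, so letting an outside
    client CONNECT to these reaches hosts the client cannot see directly.
    A real proxy must repeat this check on the resolved address as well."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a host name, not an IP literal
    return addr.is_loopback or addr.is_link_local or addr.is_private


def decide(host: str, port: int, allowed_ports=ALLOWED_PORTS):
    """(allowed, reason) for a CONNECT target."""
    if port not in allowed_ports:
        return False, f"port {port} not in CONNECT allow-list {sorted(allowed_ports)}"
    if is_internal_target(host):
        return False, f"{host} is inside the proxy's own address space"
    return True, "ok"


def handle_connect(request: bytes, allowed_ports=ALLOWED_PORTS) -> bytes:
    """The status line a proxy sends back. Only on 200 would it go on to
    relay bytes both ways between the client and host:port."""
    try:
        host, port = parse_connect(request)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    allowed, _reason = decide(host, port, allowed_ports)
    if not allowed:
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return b"HTTP/1.1 200 Connection Established\r\n\r\n"


if __name__ == "__main__":
    # Constructed sample requests: the chat client from the article, a normal
    # HTTPS target, and an attempt to reach the proxy host itself.
    for req in (b"CONNECT irc.example.net:6667 HTTP/1.1\r\nHost: irc.example.net:6667\r\n\r\n",
                b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
                b"CONNECT 127.0.0.1:443 HTTP/1.1\r\nHost: 127.0.0.1:443\r\n\r\n"):
        print(req.split(b"\r\n", 1)[0].decode(), "->",
              handle_connect(req).split(b"\r\n", 1)[0].decode())
```

With this policy the chat client's CONNECT irc.example.net:6667 is refused, but a port-only rule cannot distinguish an IRC server deliberately listening on 443 from a real HTTPS server; that is the gap the article means when it says the policy has to be written to exclude wrapping. The internal-address check is applied to IP literals here; a real proxy must repeat it on the resolved address, or a host name pointing at 127.0.0.1 walks straight past it.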
CONCLUSION

Like all technologies, tunneling has positives as well as negatives. It adds per-packet overhead and can be misused to circumvent firewall policy, but the VPNs it makes possible have helped make the world global; imagine expanding a company without them. Preventing misuse entirely is next to impossible, though restricting what the tunnel endpoints (proxies and firewalls) will carry limits it, and I think we would never want to lose the Internet over these issues.
Figure 6: A VPN – Another illustration