Network tunneling: What is it and how do we use it?
Tunneling in computer networks is a way of communicating or transferring data from one network to another through a process called encapsulation. Tunneling repacks the traffic into a different form, which can include an encryption step and can therefore hide the nature of the traffic sent through the tunnel from the underlying network.
The tunneling protocol works on top of the network stack: it uses the data (payload) part of the underlying network's packets to carry its own entire packets through the network.
Tunneling is generally used to run new or different protocols that the current network stack does not support over the existing network. The second important use is the virtual private network (VPN), which provides a secure connection between a computing device and a computer network, or between two networks, over an insecure communication medium such as the public Internet. In general, tunneling enables secure point-to-point connections across one or more networks. It also provides a way to circumvent firewall rules, by encapsulating a protocol that a firewall would normally block inside a protocol that the firewall does not block, such as the Hypertext Transfer Protocol (HTTP). On the other hand, the encapsulation adds overhead, so communication is a bit slower.
Common tunneling protocols
Internet Protocol in Internet Protocol (IP in IP - IP protocol 4)
IP protocol 4 is an IP tunneling protocol that encapsulates one IP packet inside another IP packet by adding an outer header in front of the entire inner IP packet, which becomes the payload. The outer header contains the source IP of the tunnel entry point and the destination IP of the tunnel exit point. The inner packet header and payload are unchanged, except for the Time to Live (TTL) field, which is decremented; the Don't Fragment and Type of Service fields are copied to the outer header.
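As an added worked example (not code from the article), the following Python builds and parses minimal IPv4 headers and applies the IP-in-IP rules just described: the entry point decrements the inner TTL, copies Don't Fragment and Type of Service into an outer header carrying protocol number 4, and the exit point accepts only packets addressed to itself and validates the inner header before handing it on. The addresses, the `entry`/`exit_point` parameter names and the sample packet are assumptions made for the demonstration.

```python
# Added example (not from the article): IP-in-IP (IP protocol 4) encapsulation and
# decapsulation following the rules described above (RFC 2003). Standard library
# only; every address and the sample inner packet are constructed for the demo.
import ipaddress
import struct

IPPROTO_IPIP = 4          # outer-header protocol number for IPv4-in-IPv4
IP_HDR_LEN = 20           # fixed IPv4 header without options
IP_DF = 0x4000            # Don't Fragment bit in the flags/fragment-offset word


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over the given bytes."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *,
               ttl: int = 64, tos: int = 0, df: bool = False, ident: int = 0) -> bytes:
    """Build an IPv4 packet with a 20-byte header in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, tos, IP_HDR_LEN + len(payload), ident,
                      IP_DF if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill checksum
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse and validate an IPv4 header; returns its fields and the payload."""
    if len(pkt) < IP_HDR_LEN:
        raise ValueError("truncated IPv4 packet")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IP_HDR_LEN or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if checksum(pkt[:ihl]) != 0:       # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"tos": tos, "ttl": ttl, "proto": proto, "id": ident,
            "df": bool(flags_frag & IP_DF),
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total_len]}


def encapsulate(inner: bytes, entry: str, exit_point: str) -> bytes:
    """Tunnel entry: decrement the inner TTL (as a forwarding hop would), then wrap
    the whole inner packet in an outer header that copies its DF and TOS values."""
    f = parse_ipv4(inner)
    if f["ttl"] <= 1:
        raise ValueError("inner TTL exhausted; packet would be dropped, not tunneled")
    ihl = (inner[0] & 0x0F) * 4
    hdr = bytearray(inner[:ihl])
    hdr[8] -= 1                                    # TTL lives at byte offset 8
    hdr[10:12] = b"\x00\x00"                       # zero, then recompute checksum
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return build_ipv4(entry, exit_point, IPPROTO_IPIP, bytes(hdr) + inner[ihl:],
                      tos=f["tos"], df=f["df"])


def decapsulate(outer: bytes, my_address: str) -> bytes:
    """Tunnel exit: accept only IP-in-IP addressed to this endpoint, validate the
    inner header before it is forwarded, and return the inner packet."""
    f = parse_ipv4(outer)
    if f["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP (protocol 4)")
    if f["dst"] != my_address:
        raise ValueError("outer packet is not addressed to this tunnel endpoint")
    inner = f["payload"]
    parse_ipv4(inner)
    return inner


def demo() -> dict:
    """Constructed scenario: 192.0.2.10 sends a UDP packet to 198.51.100.20 through
    a tunnel whose entry point is 203.0.113.1 and exit point is 203.0.113.2."""
    inner = build_ipv4("192.0.2.10", "198.51.100.20", 17, b"hello",
                       ttl=64, tos=0x10, df=True)
    outer = encapsulate(inner, "203.0.113.1", "203.0.113.2")
    o = parse_ipv4(outer)
    i = parse_ipv4(decapsulate(outer, "203.0.113.2"))
    return {"outer_src": o["src"], "outer_dst": o["dst"], "outer_proto": o["proto"],
            "outer_tos": o["tos"], "outer_df": o["df"], "outer_len": len(outer),
            "inner_src": i["src"], "inner_dst": i["dst"], "inner_ttl": i["ttl"],
            "inner_payload": i["payload"]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the outer packet addressed between the two tunnel endpoints with protocol 4, TOS 0x10 and DF copied from the inner packet, and the recovered inner packet with its original addresses and a TTL of 63. A packet whose outer destination is not this endpoint is rejected before its inner header is ever inspected, which is the check that stops a tunnel endpoint from decapsulating traffic meant for someone else.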
Simple Internet Transition (SIT/IPv6 - IP protocol 41)
IP protocol 41 encapsulates IPv6 packets inside IPv4 packets and is generally used to allow computers that have only an IPv4 address to obtain an IPv6 address and route traffic to IPv6 addresses.
Generic Routing Encapsulation (GRE - IP protocol 47)
IP protocol 47 is a tunneling protocol developed by Cisco that can encapsulate a wide variety of network layer protocols inside virtual point-to-point or point-to-multipoint links over an IP network. It is used to create Virtual Private Networks (VPNs) in conjunction with the Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol Security (IPsec), for mobility protocols, for establishing ad-hoc IP-over-GRE tunnels that interoperate with Cisco equipment, and for connecting Distributed Denial of Service (DDoS) protected devices to unprotected endpoints.
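The following GRE header builder and parser is an added example written from RFC 2784 and RFC 2890; it is not code from the article or from Cisco. It shows the two things that make GRE a generic carrier: the protocol-type field that names the encapsulated layer 3 protocol (or, with transparent Ethernet bridging, a layer 2 frame), and the optional key that tells several tunnels between the same endpoints apart. The inner packets are stand-in bytes constructed for the demo.

```python
# Added example (not from the article and not Cisco's code): a minimal GRE
# (IP protocol 47) header builder and parser written from RFC 2784, with the Key
# and Sequence Number fields of RFC 2890. Inner packets are constructed stand-ins.
import struct
from typing import Optional

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # Checksum / Key / Sequence present
GRE_VERSION_MASK = 0x0007                       # version 0; version 1 is PPTP's variant
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_TEB = 0x6558                          # Transparent Ethernet Bridging (L2 in GRE)


def inet_checksum(data: bytes) -> int:
    """One's-complement sum used by the optional GRE Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def gre_encap(payload: bytes, proto: int, *, key: Optional[int] = None,
              seq: Optional[int] = None, with_checksum: bool = False) -> bytes:
    """Prepend a GRE header; proto is the EtherType of the encapsulated packet and
    key distinguishes tunnels that share the same endpoints."""
    flags, opt = 0, b""
    if key is not None:
        flags |= GRE_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_S
        opt += struct.pack("!I", seq)
    if not with_checksum:
        return struct.pack("!HH", flags, proto) + opt + payload
    flags |= GRE_C
    body = struct.pack("!HHHH", flags, proto, 0, 0) + opt + payload  # csum + reserved1
    return struct.pack("!HHHH", flags, proto, inet_checksum(body), 0) + opt + payload


def gre_decap(pkt: bytes) -> dict:
    """Parse a GRE header (verifying the checksum when present) and return the
    EtherType, optional key and sequence number, and the encapsulated packet."""
    if len(pkt) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    needed = 4 + 4 * (bool(flags & GRE_C) + bool(flags & GRE_K) + bool(flags & GRE_S))
    if len(pkt) < needed:
        raise ValueError("truncated GRE options")
    out, off = {"proto": proto, "key": None, "seq": None}, 4
    if flags & GRE_C:
        if inet_checksum(pkt) != 0:              # an intact packet sums to zero
            raise ValueError("bad GRE checksum")
        off += 4
    if flags & GRE_K:
        out["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        out["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    out["payload"] = pkt[off:]
    return out


def demo() -> dict:
    """Constructed: a stand-in IPv4 packet in a keyed tunnel and a stand-in
    Ethernet frame in an unkeyed bridging tunnel, both round-tripped."""
    fake_ipv4 = bytes.fromhex("45000014000100004001")
    fake_frame = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x06" + b"arp"
    a = gre_decap(gre_encap(fake_ipv4, ETHERTYPE_IPV4, key=42, seq=7, with_checksum=True))
    b = gre_decap(gre_encap(fake_frame, ETHERTYPE_TEB))
    return {"a_proto": a["proto"], "a_key": a["key"], "a_seq": a["seq"],
            "a_intact": a["payload"] == fake_ipv4,
            "b_proto": b["proto"], "b_key": b["key"], "b_intact": b["payload"] == fake_frame}
```

Note that the GRE checksum is optional and only detects corruption, not tampering; GRE on its own carries no authentication or encryption, which is why the article pairs it with IPsec for VPN use.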
OpenVPN
OpenVPN provides a VPN system for creating secure point-to-point and site-to-site connections in routed, bridged and remote-access networks. By default, it uses the User Datagram Protocol (UDP) on port 1194.
It is based on a client-server architecture in which clients can authenticate with pre-shared secret keys, certificates or usernames and passwords. With multiple clients, it allows a certificate authority to sign the clients' certificate requests and so issue signed client certificates.
OpenVPN uses the OpenSSL library for encryption and a custom security protocol that uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) for key exchange, and it contains additional security and control features. It can also traverse Network Address Translators (NATs) and firewalls.
OpenVPN can operate in tun or tap mode. The tun mode provides secure virtual point-to-point connections that work at layer 3, the network layer. The tap mode, on the other hand, provides secure virtual point-to-point connections that work at layer 2, the link layer.
Point-to-Point Tunneling Protocol (PPTP)
PPTP is an obsolete method for implementing VPNs because of the many known security issues in its underlying authentication protocols. By default, it uses the Transmission Control Protocol (TCP) over port 1723 and encapsulates PPP packets. The PPTP specification does not define any encryption or authentication methods and relies on the tunneled PPP to provide both.
Secure Socket Tunneling Protocol (SSTP)
SSTP is a protocol that provides a VPN by transporting Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel. By default, it uses HyperText Transfer Protocol Secure (HTTPS) over TCP port 443.
SSTP is intended only for remote client access and generally does not support site-to-site VPN tunnels. Its two main drawbacks are that it supports only user authentication, not device authentication, and that it has performance limitations because it runs an IP-over-TCP tunnel.
During the SSL/TLS phase, the SSTP server must be authenticated, while the client can optionally be authenticated as well. Both server and client must be authenticated during the PPP phase, where PPP allows the use of common authentication methods such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and the Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP).
Internet Protocol Security (IPsec - IP Protocols 50 and 51)
IPsec is a network protocol suite that authenticates and encrypts packets and consequently provides secure, encrypted communication between two computers over an IP network.
It provides protocols for establishing mutual authentication between agents at the beginning of a session and for negotiating the cryptographic keys to use during the session. It can secure a communication channel between two hosts (host-to-host), two gateways (network-to-network) or a gateway and a host (network-to-host). IPsec provides network-level peer authentication, data origin authentication, data integrity, data confidentiality and replay protection.
For comparison, IPsec operates at the network layer, while TLS operates at the transport layer and OpenVPN or SSH at the application layer. IPsec can also be used for VPNs.
IPsec operates in transport or tunnel mode. Transport mode authenticates and encrypts only the IP packet payload; the header stays unchanged, so routing is unaffected. The header can optionally be authenticated as well. Tunnel mode authenticates and encrypts the entire IP packet, which is then encapsulated in a new IP packet with a new header. This mode can be used for VPNs.
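Replay protection and data integrity are the receive-side checks that make either mode safe to use across an untrusted network. The Python below is an added example, not code from the article or from any IPsec implementation: it implements ESP's sliding anti-replay window and the HMAC integrity check (ICV) over a constructed stream of packets, and shows why the window must only advance for packets whose ICV verified. Payload encryption is deliberately left out, and the SPI, key and packets are constructed for the demonstration.

```python
# Added example (not from the article): the receive-side checks an ESP (IP protocol
# 50) endpoint performs before accepting a packet, written from RFC 4303's
# description of the anti-replay window, with HMAC-SHA-256 truncated to 128 bits
# (RFC 4868) as the integrity check. Payload encryption is out of scope here: the
# payload is opaque bytes. SPI, key and packets are constructed for the demo.
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256-128: the 256-bit tag truncated to 128 bits


class AntiReplayWindow:
    """Sliding window over sequence numbers (RFC 4303 Appendix A).
    Bit i of the bitmap records whether (highest - i) has already been received."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0   # seq 0 is never valid

    def check(self, seq: int) -> bool:
        """Cheap pre-check done before the costly ICV verification."""
        if seq == 0:
            return False
        if seq > self.highest:
            return True                               # right of the window: new
        diff = self.highest - seq
        if diff >= self.size:
            return False                              # left of the window: too old
        return not self.bitmap & (1 << diff)          # False if already received

    def update(self, seq: int) -> None:
        """Record seq; called only after the packet's ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def esp_icv(auth_key: bytes, esp_body: bytes) -> bytes:
    """ICV over the ESP header and payload (everything except the ICV itself)."""
    return hmac.new(auth_key, esp_body, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, opaque_payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV."""
    body = struct.pack("!II", spi, seq) + opaque_payload
    return body + esp_icv(auth_key, body)


class EspReceiver:
    """One inbound security association: its SPI, authentication key and window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.auth_key = spi, auth_key
        self.window = AntiReplayWindow(window)

    def receive(self, pkt: bytes) -> str:
        """Return 'ok' when the packet is accepted, otherwise the reason it is dropped."""
        if len(pkt) < 8 + ICV_LEN:
            return "truncated"
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            return "unknown SPI"
        if not self.window.check(seq):
            return "replay or outside window"
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        if not hmac.compare_digest(esp_icv(self.auth_key, body), icv):
            return "bad ICV"
        self.window.update(seq)      # only authenticated packets move the window
        return "ok"


def demo() -> list:
    """Constructed traffic: in-order packets, a replay, a reordered packet that is
    still inside the window, a forged packet and a packet that is far too old."""
    key = hashlib.sha256(b"constructed demo key").digest()
    rx = EspReceiver(spi=0x1000, auth_key=key)
    p = {n: build_esp(0x1000, n, b"ciphertext-%d" % n, key) for n in (1, 2, 3, 4, 5, 100)}
    forged = p[4][:-ICV_LEN - 1] + b"X" + p[4][-ICV_LEN:]   # payload altered, ICV stale
    return [rx.receive(p[1]),        # ok
            rx.receive(p[2]),        # ok
            rx.receive(p[2]),        # replay of seq 2
            rx.receive(p[5]),        # ok, window advances to 5
            rx.receive(p[3]),        # ok, late but unseen and inside the window
            rx.receive(forged),      # bad ICV; seq 4 is NOT marked as seen
            rx.receive(p[4]),        # ok, the genuine seq 4 is still accepted
            rx.receive(p[100]),      # ok, window advances to 100
            rx.receive(p[3])]        # too old: 97 packets behind, window is 64
```

The ordering inside `receive` matters: the window check runs first because it is cheap and discards floods of replayed packets before any HMAC is computed, but the window is updated only after the ICV verifies, so a forged packet cannot burn a sequence number that a genuine packet still needs.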
Layer 2 Tunneling Protocol (L2TP - IP protocol 115)
IP protocol 115 is a layer 2 (link layer) tunneling protocol used to support VPNs or ISP services. It uses encryption only for its control messages, based on an optional pre-shared secret, and does not encrypt the content it carries. The tunnel is handed over to a layer 3 (network layer) protocol that can encrypt the data, such as IPsec.
Virtual Extensible LAN (VXLAN)
VXLAN is a network virtualization technology that attempts to solve the scalability problems of large cloud computing deployments. It encapsulates layer 2 Ethernet frames within layer 4 UDP packets on port 4789. The tunnel endpoints, known as VXLAN tunnel endpoints (VTEPs), can be either virtual or physical ports. VXLAN builds upon Virtual LAN (VLAN) and strives to become the standard network overlay encapsulation protocol. Whereas VLAN's 12-bit IDs allow only a limited number of logical networks, VXLAN's 24-bit IDs allow 16 million logical networks.
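As an added example (not from the article), this Python encodes and decodes the VXLAN header, carries it in UDP to port 4789, and models the per-VNI learning table a VTEP keeps, which is what keeps two overlay networks that share one physical underlay isolated from each other. It also derives the VLAN and VXLAN identifier spaces from their field widths. The MAC addresses, VTEP addresses and frames are constructed for the demonstration.

```python
# Added example (not from the article): VXLAN encapsulation as RFC 7348 lays it out
# (8-byte VXLAN header with a 24-bit VNI, carried in UDP to port 4789) plus the
# MAC-learning lookup a VTEP does to pick the remote VTEP for a frame.
# All MAC addresses, VTEP addresses and frames are constructed for the demo.
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08              # "VNI valid" flag, the only flag RFC 7348 defines
VNI_BITS, VLAN_ID_BITS = 24, 12
MAX_VNI = (1 << VNI_BITS) - 1
ETH_HDR_LEN = 14                 # dst MAC (6) | src MAC (6) | EtherType (2)


def vxlan_encap(vni: int, frame: bytes) -> bytes:
    """VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1), then the frame."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + frame


def udp_encap(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; a zero checksum means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def vxlan_decap(datagram: bytes) -> tuple:
    """Strip the UDP and VXLAN headers from a datagram received on port 4789."""
    if len(datagram) < 16 + ETH_HDR_LEN:
        raise ValueError("datagram too short for UDP + VXLAN + Ethernet")
    _sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_UDP_PORT or length != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    flags, vni_field = struct.unpack("!B3xI", datagram[8:16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, datagram[16:]   # reserved low byte is ignored on receipt


class Vtep:
    """Tiny VTEP: per-VNI table mapping inner source MAC -> remote VTEP address."""

    def __init__(self, address: str):
        self.address = address
        self.fdb = {}                    # {vni: {mac: remote_vtep}}

    def receive(self, remote_vtep: str, datagram: bytes) -> tuple:
        vni, frame = vxlan_decap(datagram)
        src_mac = frame[6:12]
        # Learn where this MAC lives, but only inside its own VNI: a MAC learned on
        # VNI 5000 must never make hosts on VNI 6000 reachable.
        self.fdb.setdefault(vni, {})[src_mac] = remote_vtep
        return vni, frame

    def send(self, vni: int, frame: bytes):
        """Return (remote_vtep, datagram), or None when the destination MAC is
        unknown in this VNI and the frame would have to be flooded instead."""
        remote = self.fdb.get(vni, {}).get(frame[:6])
        if remote is None:
            return None
        return remote, udp_encap(49152, VXLAN_UDP_PORT, vxlan_encap(vni, frame))


def demo() -> dict:
    """Constructed: host A (behind VTEP 10.0.0.1) talks to host B (behind this
    VTEP, 10.0.0.2) on VNI 5000; B's reply is looked up per VNI."""
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frame_from_a = mac_b + mac_a + b"\x08\x00" + b"ip-payload"
    vtep = Vtep("10.0.0.2")
    vni, frame = vtep.receive(
        "10.0.0.1", udp_encap(49152, VXLAN_UDP_PORT, vxlan_encap(5000, frame_from_a)))
    reply = mac_a + mac_b + b"\x08\x00" + b"reply"
    routed = vtep.send(5000, reply)     # A is known on VNI 5000
    cross = vtep.send(6000, reply)      # the same MAC is unknown on VNI 6000
    return {"vni": vni, "frame_ok": frame == frame_from_a, "reply_to": routed[0],
            "reply_dport": struct.unpack("!H", routed[1][2:4])[0],
            "cross_vni_isolated": cross is None,
            "vlan_ids": 1 << VLAN_ID_BITS, "vnis": 1 << VNI_BITS}
```

The per-VNI table is the security-relevant detail: a VTEP that learned MACs globally rather than per VNI would let traffic leak between tenants that share the same underlay. The header itself carries no authentication, so anything that can reach UDP port 4789 on a VTEP can inject frames into an overlay unless the underlay is filtered or the tunnel is wrapped in IPsec.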
Network Virtualization using Generic Routing Encapsulation (NVGRE)
NVGRE is a network virtualization technology that attempts to improve the scalability problems in large cloud computing deployments, similar to VXLAN.
Generic Network Virtualization Encapsulation (GENEVE)
GENEVE is a network encapsulation protocol developed by the Internet Engineering Task Force (IETF) that strives to unify similar protocols like VXLAN and NVGRE.
WireGuard
WireGuard is a tunneling protocol that implements encrypted virtual private networks and strives to be easy to use, to perform well and to have a small attack surface. It uses Curve25519 elliptic-curve cryptography for key generation and key exchange, and it optionally supports pre-shared symmetric keys. It uses only UDP and supports both IPv4 and IPv6.
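To make the key-exchange point concrete, the following is an added example, not WireGuard's code and not its Noise handshake: a pure-Python X25519 function written from RFC 7748, used for a Diffie-Hellman agreement between two peers, followed by an illustrative key derivation that can mix in an optional pre-shared key. The `derive_session_key` function is an assumption for the demonstration rather than WireGuard's own derivation, and the conditional swap is not constant-time, so this is for study rather than production use.

```python
# Added example (not from the article and not WireGuard's code): X25519 from RFC 7748
# in pure Python, a two-party key agreement on top of it, and an illustrative KDF
# (an assumption, not WireGuard's Noise construction) that mixes in an optional
# pre-shared key. The conditional swap below is NOT constant-time.
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")      # the generator's u-coordinate


def _clamp(k: bytes) -> int:
    """Scalar decoding with the clamping RFC 7748 prescribes."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                                 # mask the unused top bit
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder: the u-coordinate of k*u as 32 little-endian bytes."""
    k_int, x1 = _clamp(k), _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        if swap:                                 # not constant-time; see note above
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = k_t
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def generate_keypair() -> tuple:
    """Random 32-byte private key and the matching public key."""
    private = os.urandom(32)
    return private, x25519(private, BASE_POINT)


def shared_secret(my_private: bytes, peer_public: bytes) -> bytes:
    s = x25519(my_private, peer_public)
    if s == bytes(32):                           # low-order peer point: abort (RFC 7748 6.1)
        raise ValueError("peer public key yields an all-zero shared secret")
    return s


def derive_session_key(shared: bytes, psk: bytes = bytes(32)) -> bytes:
    """Illustrative KDF (assumption, not WireGuard's): HMAC-SHA-256 keyed with the DH
    output over a label and the optional pre-shared key; all-zero psk = no PSK."""
    return hmac.new(shared, b"demo-session-key" + psk, hashlib.sha256).digest()


def demo() -> dict:
    """Two peers with constructed, deterministic private keys agree on a key."""
    alice_priv = hashlib.sha256(b"alice demo key").digest()
    bob_priv = hashlib.sha256(b"bob demo key").digest()
    alice_pub, bob_pub = x25519(alice_priv, BASE_POINT), x25519(bob_priv, BASE_POINT)
    k_alice = derive_session_key(shared_secret(alice_priv, bob_pub))
    k_bob = derive_session_key(shared_secret(bob_priv, alice_pub))
    psk = hashlib.sha256(b"optional psk").digest()
    k_with_psk = derive_session_key(shared_secret(alice_priv, bob_pub), psk)
    return {"agree": k_alice == k_bob, "psk_changes_key": k_with_psk != k_alice,
            "alice_pub": alice_pub.hex()}
```

The all-zero check in `shared_secret` is the one input validation RFC 7748 asks for: a peer who sends a low-order point forces the shared secret to zero regardless of the private key, so the result must be rejected rather than fed into a key derivation. Everything else an endpoint needs (replay windows, identity hiding, rekeying) lives in the handshake built on top of this primitive, which is why this example stops at the DH output.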
Secure Shell (SSH)
The SSH protocol provides a tunnel for transferring otherwise unencrypted traffic over a network through an encrypted channel. It uses a client-server architecture and by default runs on port 22.
SSH is made up of three sub-protocols. The transport layer protocol provides server authentication, confidentiality and integrity; the user authentication protocol validates the user to the server; and the connection protocol multiplexes the encrypted tunnel into multiple logical communication channels. SSH uses public-key cryptography to authenticate the remote system and, if required, can also use it to authenticate the user.