Article Id: WHEBN0001272738

Title: Tunneling protocol  
Author: World Heritage Encyclopedia
Language: English
Subject: Virtual private network, IPv6, Internet protocol suite, Secure Shell, Point-to-Point Protocol
Collection: Computer Security, Network Protocols, Tunneling Protocols
Publisher: World Heritage Encyclopedia

Tunneling protocol

In computer networks, a tunneling protocol allows a network user to access or provide a network service that the underlying network does not support or provide directly. One important use is to carry a foreign protocol across a network that does not support it, for example running IPv6 over IPv4. Another is to provide services that would be impractical or unsafe to offer using only the underlying network; for example, giving a corporate network address to a remote user whose physical network address is not part of the corporate network. Because tunneling repackages the traffic into a different form, often with encryption, a third use is to hide the nature of the traffic that passes through the tunnel.

The tunneling protocol works by using the data portion of a packet (the payload) to carry the packets that actually provide the service. Tunneling uses a layered protocol model such as those of the OSI or TCP/IP protocol suite, but usually violates the layering when using the payload to carry a service not normally provided by the network. Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.


  • Technical overview
  • Secure Shell tunneling
  • Circumventing firewall policy
  • Examples
  • References
  • External links

Technical overview

To understand a particular protocol stack imposed by tunneling, network engineers must understand both the payload and delivery protocol sets.

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP Protocol Number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are the same, but the payload addresses are incompatible with those of the delivery network.
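The following is an added example, not code from the original article: it builds the GRE-over-IPv4 case described above by hand (outer IPv4 header with protocol 47, the 4-byte RFC 2784 GRE header, then a complete inner IPv4 packet) and unpacks it again the way a tunnel endpoint would. The addresses and the UDP payload are constructed for the demonstration; the outer addresses come from the public documentation ranges, the inner ones from RFC 1918.

```python
# Added example (not from the original article): a GRE-over-IPv4 tunnel packet
# built and unpacked by hand. All addresses and the UDP payload are constructed.
import ipaddress
import struct

IPPROTO_GRE = 47          # IP protocol number of GRE in the outer header
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload (RFC 2784)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Wrap a complete inner IPv4 packet: outer IPv4 (proto 47) + 4-byte GRE header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no C/K/S flags, GRE version 0
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer headers and return the inner packet, as a tunnel endpoint would."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    if ipv4_checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("bad outer IPv4 header checksum")
    flags_ver, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags_ver & 7))
    if proto != ETHERTYPE_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % proto)
    offset = ihl + 4
    if flags_ver & 0x8000:   # C bit: checksum + reserved1 present
        offset += 4
    if flags_ver & 0x2000:   # K bit (RFC 2890): key present
        offset += 4
    if flags_ver & 0x1000:   # S bit (RFC 2890): sequence number present
        offset += 4
    return packet[offset:]


def ipv4_addresses(packet: bytes) -> tuple:
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.IPv4Address(addr) in net for net in RFC1918)


def build_inner_packet() -> bytes:
    """Constructed inner packet: a UDP datagram between two RFC 1918 hosts."""
    data = b"hello from the private side"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(data), 0) + data  # UDP checksum 0 is legal on IPv4
    return ipv4_header("10.0.0.1", "192.168.1.10", IPPROTO_UDP, len(udp)) + udp


def demo() -> dict:
    inner = build_inner_packet()
    tunnel = gre_encapsulate(inner, "198.51.100.1", "203.0.113.7")
    recovered = gre_decapsulate(tunnel)
    return {"outer": ipv4_addresses(tunnel), "inner": ipv4_addresses(recovered),
            "intact": recovered == inner, "overhead": len(tunnel) - len(inner)}


if __name__ == "__main__":
    print(demo())
```

The outer header is what the Internet routes on; the inner header, with its private addresses, is opaque payload until the far endpoint strips 24 bytes of overhead. Note that nothing here authenticates or encrypts the payload: plain GRE hides addressing from the transit network only, not from anyone who can capture the packets, which is why GRE is commonly carried inside IPsec when confidentiality matters.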

It is also possible to use link layer over network layer: the Layer 2 Tunneling Protocol (L2TP) carries link layer frames (typically PPP) as data inside UDP datagrams (UDP port 1701), so L2TP runs over the transport layer. The IP in the delivery protocol could in turn run over any data-link protocol, from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.

Tunneling protocols may use data encryption to transport insecure payload protocols over a public network (such as the Internet), thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but can also operate in a tunneling mode through a trusted security gateway.

Secure Shell tunneling

A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, which in its older dialects carries no encryption (SMB 3.0 and later can encrypt, but only when both ends support and enable it). If one were to mount a Microsoft Windows file system remotely over the Internet without that protection, someone snooping on the connection could see the transferred files. To mount the Windows file system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote file server through an encrypted channel. Even though the SMB traffic itself is not encrypted, the encrypted SSH channel through which it travels offers confidentiality and integrity. The protection covers only the hop between the SSH client and the SSH server; if the file server is a different machine behind the SSH server, the SMB traffic travels in the clear again on that final leg.

(Figures omitted: local port forwarding with ssh via the command line, remote port forwarding with ssh via the command line, and local port forwarding via the PuTTY application. In each case the ssh command or PuTTY runs on the client machine.)

To set up a local SSH tunnel (the -L option in OpenSSH), one configures an SSH client to forward a specified local port to a port on a remote machine that the SSH server can reach. Once the SSH tunnel has been established, the user connects to the specified local port to access the network service. The local port does not have to be the same as the remote port, and the remote machine can be the SSH server itself or another host behind it.

SSH tunnels also provide a means to bypass firewalls that block particular services, as long as outbound connections to an SSH server are allowed. Users who can reach such a server can create an SSH tunnel that forwards a given port on their local machine to port 80 on a remote web server. To access the remote web server, they then point their browser at the local port, http://localhost:<local port>/.

Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application doesn't support SOCKS, a proxifier can be used to redirect the application to the local SOCKS proxy server. Some proxifiers, such as Proxycap, support SSH directly, thus avoiding the need for an SSH client.
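As an added example (not code from the original article or from OpenSSH), the following shows the SOCKS5 exchange (RFC 1928) that an application or proxifier has with the local proxy opened by dynamic port forwarding: the client greeting and method selection, then the CONNECT request encoded on the client side and parsed as the proxy would parse it. The hostnames and ports are constructed for the demonstration.

```python
# Added example (not from the original article): the SOCKS5 handshake an application
# speaks to the local proxy that dynamic SSH port forwarding provides (RFC 1928).
# Hostnames and ports below are constructed.
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """VER NMETHODS METHODS...: the client lists the authentication methods it supports."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data: bytes) -> list:
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    if len(data) != 2 + data[1]:
        raise ValueError("method list length mismatch")
    return list(data[2:])


def method_selection(offered: list) -> bytes:
    """Server reply VER METHOD; 0xFF means no acceptable method and the client must close."""
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def connect_request(host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT. A hostname is sent as ATYP 0x03, so name
    resolution happens at the far end of the tunnel rather than on the local network."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> tuple:
    """Proxy-side parse; returns (host, port, atyp) or raises on a malformed request."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("unsupported command 0x%02x" % data[1])
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return host, port, atyp


if __name__ == "__main__":
    print(method_selection(parse_greeting(client_greeting())))
    print(parse_connect_request(connect_request("www.example.com", 443)))
```

The practitioner's points are the ATYP field and the method list. Browsers only send the hostname (ATYP 0x03) when configured to resolve DNS through the proxy; otherwise they resolve locally and send an IPv4 address, leaking the lookups to the local network even though the TCP connection itself is tunnelled. And because the local proxy offers no authentication of its own, it should stay bound to the loopback interface, which is the OpenSSH default: binding it to a routable address turns the machine into an open proxy for anyone who can reach that port.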

Circumventing firewall policy

Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy.

Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection.[1] Because an unrestricted CONNECT relay lets any client open arbitrary TCP connections through the proxy, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method and allow connections only to specific ports, such as 443 for HTTPS.[2]
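As an added example (not code from the original article), the following builds a CONNECT request as a client would send it and parses it as a proxy would, then applies two policies side by side: the permissive one that VU#150227 warns about, where any host:port may be tunnelled, and a restrictive one that allows only port 443. The request-line form follows RFC 7231 section 4.3.6; the hostnames are constructed for the demonstration.

```python
# Added example (not from the original article): an HTTP CONNECT tunnel request,
# the proxy-side parse, and a permissive versus a restrictive port policy.
# Hostnames below are constructed.
import re

# authority-form request line: CONNECT host:port HTTP/1.x  (host may be a bracketed IPv6 literal)
_REQUEST_LINE = re.compile(rb"^CONNECT (\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5}) HTTP/1\.[01]\r\n")


def http_connect_request(host: str, port: int) -> bytes:
    """What a client (or an SSH client with a ProxyCommand) sends to open the tunnel."""
    authority = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, authority)).encode("ascii")


def parse_connect(request: bytes) -> tuple:
    """Proxy-side parse of the request line; returns (host, port) or raises."""
    m = _REQUEST_LINE.match(request)
    if not m:
        raise ValueError("not a CONNECT request")
    host = m.group(1).decode("ascii").strip("[]")
    port = int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return host, port


def permissive_policy(host: str, port: int) -> bool:
    """The VU#150227 default: any destination is relayed, so the proxy becomes an open
    TCP relay (CONNECT mail:25 to send spam, CONNECT host:22 to smuggle SSH)."""
    return True


def restrictive_policy(host: str, port: int, allowed_ports=frozenset({443})) -> bool:
    """Only destinations that look like TLS are relayed."""
    return port in allowed_ports


def proxy_decide(request: bytes, policy) -> tuple:
    """Return the (status, reason) the proxy would answer for this request under a policy."""
    try:
        host, port = parse_connect(request)
    except ValueError as exc:
        return 400, str(exc)
    if not policy(host, port):
        return 403, "CONNECT to %s:%d refused by policy" % (host, port)
    return 200, "Connection established"


if __name__ == "__main__":
    smtp = http_connect_request("mail.example.net", 25)
    print(proxy_decide(smtp, permissive_policy), proxy_decide(smtp, restrictive_policy))
```

Restricting CONNECT to port 443 narrows the hole but does not close it: anything can be run on port 443 at the far end, including an SSH server, so a port allow-list is a policy on the destination number, not on what the tunnelled bytes are. Inspecting that the relayed stream actually begins with a TLS ClientHello is the next step a proxy can take.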

Examples

Below is an example of how to set up a dynamic (SOCKS) SSH tunnel in OpenSSH.[3] <user> and <host> are placeholders for the login name and the SSH server.

# Open a SOCKS proxy on localhost port 8080 through an SSH session to <host>, whose sshd listens
# on port 2222, logging in as <user>; keep the session in the background without a remote command.
# See the ssh manpage, 'man ssh'. Authentication works with keys or OpenSSH certificates as usual.

ssh -D 8080 -f -C -q -N -p 2222 <user>@<host>

# -D 8080  local SOCKS proxy port        -f  go to the background once authenticated
# -C       compress traffic              -q  quiet mode
# -N       forward only, no remote command   -p 2222  port of the SSH server

# When the tunnel is set up, configure your browser to use a SOCKS host on 'localhost' on port 8080.
# Traffic from applications pointed at that proxy then goes through the SSH tunnel; other
# applications are unaffected unless they are configured (or proxified) to use it as well.

References

  1. ^ "Upgrading to TLS Within HTTP/1.1". RFC 2817. 2000. Retrieved March 20, 2013.
  2. ^ "Vulnerability Note VU#150227: HTTP proxy default configurations allow arbitrary TCP connections".
  3. ^ "ssh: OpenBSD manual pages". 2014-07-24. Retrieved 2014-08-12.

External links

  • PortFusion distributed reverse / forward, local forward proxy and tunneling solution for all TCP protocols
  • BarbaTunnel Project - Free open source implementation of HTTP-Tunnel and UDP-Tunnel on Windows

This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.

This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply.