Tunneling protocol

Last updated

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. They can, for example, allow private network communications to be sent across a public network (such as the Internet), or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

Contents

Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, it can hide the nature of the traffic that is run through a tunnel.

Tunneling protocols work by using the data portion of a packet (the payload) to carry the packets that actually provide the service. Tunneling uses a layered protocol model such as those of the OSI or TCP/IP protocol suite, but usually violates the layering when using the payload to carry a service not normally provided by the network. Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.

Uses

A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4.

Another important use is to provide services that are impractical or unsafe to be offered using only the underlying network services, such as providing a corporate network address to a remote user whose physical network address is not part of the corporate network.

Circumventing firewall policy

Users can also use tunneling to "sneak through" a firewall, using a protocol that the firewall would normally block, but "wrapped" inside a protocol that the firewall does not block, such as HTTP. If the firewall policy does not specifically exclude this kind of "wrapping", this trick can function to get around the intended firewall policy (or any set of interlocked firewall policies).

Another HTTP-based tunneling method uses the HTTP CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP proxy. The proxy then makes a TCP connection to a particular server:port, and relays data between that server:port and the client connection. [1] Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method. The proxy allows connections only to specific ports, such as 443 for HTTPS. [2]

Other tunneling methods able to bypass network firewalls make use of different protocols such as DNS, [3] MQTT, [4] SMS. [5]

Technical overview

As an example of network layer over network layer, Generic Routing Encapsulation (GRE), a protocol running over IP (IP protocol number 47), often serves to carry IP packets, with RFC 1918 private addresses, over the Internet using delivery packets with public IP addresses. In this case, the delivery and payload protocols are the same, but the payload addresses are incompatible with those of the delivery network.

It is also possible to establish a connection using the data link layer. The Layer 2 Tunneling Protocol (L2TP) allows the transmission of frames between two nodes. A tunnel is not encrypted by default: the TCP/IP protocol chosen determines the level of security.

SSH uses port 22 to enable data encryption of payloads being transmitted over a public network (such as the Internet) connection, thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but can also operate in a tunneling mode through a trusted security gateway.

To understand a particular protocol stack imposed by tunneling, network engineers must understand both the payload and delivery protocol sets.

Common tunneling protocols

TCP meltdown problem

Tunneling a TCP-encapsulating payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance — known as the TCP meltdown problem [6] [7] which is why virtual private network (VPN) software may instead use a protocol simpler than TCP for the tunnel connection. TCP meltdown occurs when a TCP connection is stacked on top of another. The underlying layer may detect a problem and attempt to compensate, and the layer above it then overcompensates because of that, and this overcompensation causes said delays and degraded transmission performance.

Secure Shell tunneling

A Secure Shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel. It is a software-based approach to network security and the result is transparent encryption. [8]

For example, Microsoft Windows machines can share files using the Server Message Block (SMB) protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish a SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.

Ssh-L-Tunnel.png
SSH Tunnel (remote).png
Local and remote port forwarding with ssh executed on the blue computer.

Once an SSH connection has been established, the tunnel starts with SSH listening to a port on the   remote or local host. Any connections to it are forwarded to the specified   address and port originating from the   opposing (remote or local, as previously) host.

The #TCP meltdown problem is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination. [9] Naturally, this wrapping and unwrapping also occurs in the reverse direction of the bidirectional tunnel.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services  so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server, users would point their browser to the local port at http://localhost/

Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server. If an application does not support SOCKS, a proxifier can be used to redirect the application to the local SOCKS proxy server. Some proxifiers, such as Proxycap, support SSH directly, thus avoiding the need for an SSH client.

In recent versions of OpenSSH it is even allowed to create layer 2 or layer 3 tunnels if both ends have enabled such tunneling capabilities. This creates tun (layer 3, default) or tap (layer 2) virtual interfaces on both ends of the connection. This allows normal network management and routing to be used, and when used on routers, the traffic for an entire subnetwork can be tunneled. A pair of tap virtual interfaces function like an Ethernet cable connecting both ends of the connection and can join kernel bridges.

Cyberattacks based on tunneling

Over the years, tunneling and data encapsulation in general have been frequently adopted for malicious reasons, in order to maliciously communicate outside of a protected network.

In this context, known tunnels involve protocols such as HTTP, [10] SSH, [11] DNS, [12] [13] MQTT. [14]

See also

Related Research Articles

The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suite are the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Protocol (IP). Early versions of this networking model were known as the Department of Defense (DoD) model because the research and development were funded by the United States Department of Defense through DARPA.

In computer networking, the User Datagram Protocol (UDP) is one of the core communication protocols of the Internet protocol suite used to send messages to other hosts on an Internet Protocol (IP) network. Within an IP network, UDP does not require prior communication to set up communication channels or data paths.

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

<span class="mw-page-title-main">Network address translation</span> Technique for making connections between IP address spaces

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was initially used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a plain-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

<span class="mw-page-title-main">Proxy server</span> Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

Virtual private network (VPN) is a network architecture for virtually extending a private network across one or multiple other networks which are either untrusted or need to be isolated.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. A SOCKS server accepts incoming client connection on TCP port 1080, as defined in RFC 1928.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

FTPS is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and, formerly, the Secure Sockets Layer cryptographic protocols.

The Discard Protocol is a service in the Internet Protocol Suite defined in 1983 in RFC 863 by Jon Postel. It was designed for testing, debugging, measurement, and host-management purposes.

Network address translation traversal is a computer networking technique of establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).

In computer networking, TUN and TAP are kernel virtual network devices. Being network devices supported entirely in software, they differ from ordinary network devices which are backed by physical network adapters.

A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture. Sockets are created only during the lifetime of a process of an application running in the node.

HTTP tunneling is used to create a network link between two computers in conditions of restricted network connectivity including firewalls, NATs and ACLs, among other restrictions. The tunnel is created by an intermediary called a proxy server which is usually located in a DMZ.

DirectAccess, also known as Unified Remote Access, is a VPN technology that provides intranet connectivity to client computers when they are connected to the Internet. Unlike many traditional VPN connections, which must be initiated and terminated by explicit user action, DirectAccess connections are designed to connect automatically as soon as the computer connects to the Internet. DirectAccess was introduced in Windows Server 2008 R2, providing this service to Windows 7 and Windows 8 "Enterprise" edition clients. In 2010, Microsoft Forefront Unified Access Gateway (UAG) was released, which simplifies the deployment of DirectAccess for Windows 2008 R2, and includes additional components that make it easier to integrate without the need to deploy IPv6 on the network, and with a dedicated user interface for the configuration and monitoring. Some requirements and limitations that were part of the design of DirectAccess with Windows Server 2008 R2 and UAG have been changed. While DirectAccess is based on Microsoft technology, third-party solutions exist for accessing internal UNIX and Linux servers through DirectAccess. With Windows Server 2012, DirectAccess is fully integrated into the operating system, providing a user interface to configure and native IPv6 and IPv4 support.

<span class="mw-page-title-main">Mosh (software)</span> Remote terminal

In computing, Mosh is a tool used to connect from a client computer to a server over the Internet, to run a remote terminal. Mosh is similar to SSH, with additional features meant to improve usability for mobile users. The major features are:

<span class="mw-page-title-main">SoftEther VPN</span> Open-source VPN client and server software

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

References

  1. "Upgrading to TLS Within HTTP/1.1". RFC 2817. 2000. Retrieved March 20, 2013.
  2. "Vulnerability Note VU#150227: HTTP proxy default configurations allow arbitrary TCP connections". US-CERT. 2002-05-17. Retrieved 2007-05-10.
  3. Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg.
  4. Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.
  5. Narteni, S., Vaccari, I., Mongelli, M., Aiello, M., & Cambiaso, E. (2021). Evaluating the possibility to perpetrate tunnelling attacks exploiting shortmessage-service. Journal of Internet Services and Information Security, 11, 30-46.
  6. Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Archived from the original on 2022-01-03. Retrieved 2023-01-03.
  7. Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". In Atiquzzaman, Mohammed; Balandin, Sergey I (eds.). Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III. Vol. 6011. Bibcode:2005SPIE.6011..138H. CiteSeerX   10.1.1.78.5815 . doi:10.1117/12.630496. S2CID   8945952.
  8. Barrett, Daniel J.; Barrett, Daniel J.; Silverman, Richard E.; Silverman, Richard (2001). SSH, the Secure Shell: The Definitive Guide. "O'Reilly Media, Inc.". ISBN   978-0-596-00011-0.
  9. Kaminsky, Dan (2003-06-13). "Re: Extensions for long fat networks?". openssh-unix-dev@mindrot.org (Mailing list). the TCP forwarding code is pretty speedy as well. Just to pre-answer a question, ssh decapsulates and re-encapsulates TCP, so you don't have classic TCP-over-TCP issues.
  10. Pack, D. J., Streilein, W., Webster, S., & Cunningham, R. (2002). Detecting HTTP tunneling activities. MASSACHUSETTS INST OF TECH LEXINGTON LINCOLN LAB.
  11. Dang, F., Li, Z., Liu, Y., Zhai, E., Chen, Q. A., Xu, T., ... & Yang, J. (2019, June). Understanding fileless attacks on linux-based iot devices with honeycloud. In Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services (pp. 482–493).
  12. Raman, D., Sutter, B. D., Coppens, B., Volckaert, S., Bosschere, K. D., Danhieux, P., & Buggenhout, E. V. (2012, November). DNS tunneling for network penetration. In International Conference on Information Security and Cryptology (pp. 65-77). Springer, Berlin, Heidelberg.
  13. Aiello, M., Mongelli, M., Cambiaso, E., & Papaleo, G. (2016). Profiling DNS tunneling attacks with PCA and mutual information. Logic Journal of the IGPL, 24(6), 957-970.
  14. Vaccari, I., Narteni, S., Aiello, M., Mongelli, M., & Cambiaso, E. (2021). Exploiting Internet of Things Protocols for Malicious Data Exfiltration Activities. IEEE Access, 9, 104261-104280.