Tunneling protocol

Tunneling, in networking, is the encapsulation and transmission of one communication protocol embedded in a different communication protocol. Before and after the tunnel endpoints, the original protocol is "spoken"; between the tunnel partners a different protocol is used, which represents a different kind of communication yet still carries the data of the original protocol. This requires tunnel software on both sides of the tunnel: having embedded the original communication data in the other protocol, the software on the far side of the tunnel must extract the data again and pass it on.

A vivid example of tunneling within the public switched telephone network is the transmission of digital computer data over an analog voice network using an acoustic coupler. There, the transition between the acoustic coupler and the telephone handset forms a visible entrance (when the computer sends data) and exit (when it receives data) of the tunnel. Tunnels such as DSL are needed today to access the Internet over the public switched telephone network.

Internet access via the switched telephone network is an example of a tunnel that connects networks (the private network and the Internet) through a neighbouring network, without the intervening network (the switched telephone network) having to be compatible with them. Tunneling is also used for this purpose within a computer network: the data of one network service is embedded in the protocol of another network service for transmission. The communication protocol of the other service serves as a sheath that conceals the actual content. In this way, insecure network protocols can be embedded in a secured, encrypted network protocol and transported in a manner protected against eavesdropping and tampering (e.g. an SSH tunnel). Tunnels can also be used to bind network participants from their original network into a different network (e.g. a VPN tunnel). Finally, tunnels lend themselves to circumventing the rules of a firewall and other security measures (e.g. an HTTP tunnel).

Tunneling within the public switched network

The public switched telephone network consists of an infrastructure. A device connected to it must be able to operate that infrastructure (speak its protocol); otherwise it could not reach its counterpart.

Besides the public switched telephone network, which was originally developed for telephony, there are other networks. Greatly simplified, one can imagine another network that stands somewhere, for example in Germany, and connects several computers. These computers provide services that can be accessed through that network. The provider could now lay its own lines to the homes of its customers in order to install a socket for the new network there. Admittedly, this would be very complicated and expensive, and a household wishing to connect to several networks in this way would end up with a great many sockets.

Alternatively, the existing public switched telephone network can be used by means of a tunnel: on one side, the new network is connected to the public switched telephone network via a gateway; on the other side, a remote station is installed at the user's telephone socket, to which the terminals intended for the new network (here, the customer's own computer) can be connected. Between the remote station and the gateway, the data is transferred according to the protocol of the public switched telephone network (it is tunneled; more precisely, it is packed into a protocol that handles the addressing of the switched network and "packages" the data of the other network without violating the technical specifications of the switched network). These devices are tunnel partners, as they pack the original packets into a different protocol and, on the other side, unpack and forward them. Before and after these devices, the protocol of the other network is spoken again; addressing, for example, is again carried out in the form that the computer network expects.

Such tunnels, which interconnect networks across another network, belong to the VPNs. Known tunnels within the public switched telephone network include, for example, ISDN, X.25, Frame Relay and DSL.

Tunneling within a computer network

Suitable protocols

In principle, all protocols can be used for a tunnel. They only have to be routable through the network and offer the possibility of embedding the transported data. For example, ICMP ping packets can be used for data transport in a tunnel. Asymmetric tunnels are also possible, in which two different protocols are used for the outward and the return path.

Bypassing a firewall with a tunnel

A network service operates on a specified port. When a firewall blocks ports, the intent is that certain services cannot be used. If, for example, port 80 (HTTP) is allowed and port 21 (FTP) is blocked, the user can browse web pages but cannot exchange files with a web server via FTP.

One could modify the FTP client program and the server service of one's own Internet server so that they also communicate via port 80, thereby bypassing the firewall's filter rule.

A firewall that is able to analyze packets can also examine the structure of the data and block all packets that do not match the protocol of the permitted service. In theory, the trick would then no longer work. In practice, however, such a check is not trivial, because ultimately every protocol is able to transport arbitrary data. It is therefore possible, for example, to embed the data of an FTP service in the protocol of an HTTP service without violating the protocol standard; the data merely has to be converted accordingly.

A tunnel performs such a conversion: it sends the data of a blocked service, embedded in the data of a permitted service, through the firewall to the destination system. For this, however, tunnel software must be installed on the PC and on the destination system, which converts the data on one side and converts it back into the original format on the other side.

If the firewall allows encrypted connections, such as HTTPS to web servers, the data can no longer be read at the firewall, so content inspection is not possible. Such connections are particularly suitable for tunnels.

Hole punching is a tunneling technique that can be applied when both ends of a connection are each shielded from the Internet by a firewall.

Employers sometimes prohibit the use of services other than HTTP and enforce this through terms of use and a firewall. If a firewall in a company network is bypassed under such conditions, it should be noted that this can be regarded as a deliberate breach of the terms of use, putting the employee at risk of dismissal.

Using the tunnel principle for encrypted connections

Tunnels are primarily used to build tap-proof connections across insecure computer networks. The tunnel software ensures that the network packets are embedded in an encryption-capable protocol, so that they can be decrypted and unpacked again on the other side. In this way, encrypted data transmission is provided for services that usually have no encryption of their own. Even entire networks can be interconnected in a tap-proof manner.

Tunnel software (converter)

If the tunnel software of the client hooks into the IP implementation, it can automatically redirect outgoing requests for specific services (more precisely, for a TCP or UDP port X) to port Y of another service and convert the data at the same time, as soon as a particular destination (IP address) is addressed. In the example above, port X would be the port of the FTP service, while port Y would be the port of the HTTP service over which the request is to be tunneled. However, this automatism cannot be set up if the user ID on the system lacks administrative rights. A more elegant solution helps to overcome this obstacle: the tunnel software usually binds itself to a fixed port of the PC, so that the PC can receive requests on this port.

Typically, only the local system can use this port, because the tunnel software usually binds not to the external address of the network card but to the computer's internal local address (localhost, the loopback interface 127.0.0.1). The client program is then configured so that it no longer sends its requests to the target system but to the tunnel software's port on the user's own computer (target = "localhost:port X"). Depending on its configuration, the tunnel software in turn forwards all packets arriving on port X automatically to the actual target system (target = "remote server:port Y").

In this way, several local ports can be used, each configured individually and connected to a different destination.

On the server, the tunnel software works on the same principle, only in reverse: it listens on the tunnel port, converts all incoming packets there back into the original format, and forwards them to the destination.
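The converter principle described above, as an added example that is not code from the original article or from any of the tools listed below: each tunnel end binds a loopback port, one end wraps every chunk of the original protocol in a minimal HTTP POST carrier, the other end unwraps it with a streaming parser and forwards the original bytes; the echo destination, the carrier frame format and all function names are constructed for this example, and both ends run on one machine so the round trip can be checked offline.

```python
import socket
import threading
from contextlib import suppress

def wrap(chunk: bytes) -> bytes:
    # Embed one chunk of the original protocol (e.g. an FTP command) in the carrier protocol.
    return b"POST /tunnel HTTP/1.1\r\nContent-Length: %d\r\n\r\n" % len(chunk) + chunk

class Unwrapper:  # streaming parser, one per connection: frames may arrive split or merged
    buf = b""  # unparsed bytes; becomes an instance attribute on the first feed()
    def feed(self, data: bytes) -> bytes:
        self.buf, out = self.buf + data, b""
        while (end := self.buf.find(b"\r\n\r\n")) >= 0:
            stop = end + 4 + int(self.buf[:end].rsplit(b":", 1)[1])  # carrier's only header
            if len(self.buf) < stop:
                break  # body not complete yet; wait for more bytes
            out, self.buf = out + self.buf[end + 4:stop], self.buf[stop:]
        return out

def pump(src, dst, convert):
    # Copy src -> dst through the converter; when src ends, pass EOF on as a half-close.
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(convert(chunk))
        dst.shutdown(socket.SHUT_WR)

def listen(target, make_out=None, make_in=None) -> int:
    # Tunnel end bound to loopback only (reachable just locally); target=None: constructed echo.
    srv = socket.create_server(("127.0.0.1", 0))
    def handle(client):
        if target is None:
            return pump(client, client, lambda b: b)
        remote = socket.create_connection(target)
        threading.Thread(target=pump, args=(client, remote, make_out()), daemon=True).start()
        pump(remote, client, make_in())  # fresh converter per direction and per connection
    def loop():
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def roundtrip(message: bytes) -> bytes:
    # Client -> client-side end (wraps) -> server-side end (unwraps) -> echo, and back again.
    server_side = listen(("127.0.0.1", listen(None)), lambda: Unwrapper().feed, lambda: wrap)
    client_side = listen(("127.0.0.1", server_side), lambda: wrap, lambda: Unwrapper().feed)
    with socket.create_connection(("127.0.0.1", client_side), timeout=5) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Between the two tunnel ends only POST frames travel, while the client and the echo service see the original bytes, which is exactly the conversion on one side and back-conversion on the other that the section describes.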

As an alternative to the method described above, there are also applications in which the tunnel software is already integrated. The tunnel can then be used directly, without a separate converter program having to be interposed.

Examples of tunnel software:

  • GNU httptunnel - HTTP tunneling solution
  • Http Tunnel - a cross-platform (Perl/PHP) HTTP tunneling software
  • OpenSSH - SSH allows encrypted TCP tunnels to be built
  • OpenVPN - VPN solution for Unix and Windows, uses either UDP or TCP (version 2.0)
  • Corkscrew - an SSH-over-HTTP(S) tunneling program
  • PuTTY - a free SSH and Telnet client program
  • FreeS/WAN
  • Openswan
  • iPig Hotspot VPN - TCP/UDP tunneling software and service (a restricted version is available free of charge)
  • VTun
  • Pingfu - a game tunnel service
  • Hamachi - a free VPN tunnel service
  • Your Freedom - a partially free HTTP tunnel service
  • Crypto IP Encapsulation (CIPE)
  • Tunnel - TCP tunnel software (restricted free use, Windows/Linux)
  • Tunngle - P2P VPN gaming tool

Security

Tunneled connections are only considered secure as long as the encryption methods used for them are regarded as sufficiently strong.
