

-Atishay Jain, 10783017
3T5, CSED, Thapar University

For a layman, a tunnel can be defined as: “A tunnel provides a route for
moving from one of its ends to another, hiding details of the route in
between.” Thus, by this definition, the purpose of a tunnel is to connect two
points or places such that the route in between is not a concern of the
travellers. The same holds for network tunnels. A network tunnel connects two
points across a network such that the route travelled in between can be
considered absent from the point of view of the client application, which
relies on the tunneling server/client for operation. This is achieved by
encapsulating the client data in a packet of the protocol supported by the
tunneling application at the server side, and decapsulating it at the client
side.

Formally, tunneling can be defined as: “The term tunneling protocol is used to
describe when one network protocol, called the payload protocol, is
encapsulated within a different delivery protocol.”

Thus, if a packet of one protocol is encapsulated in a protocol in which, as
per the OSI model, it is not supposed to appear, we are performing tunneling.
The new header added to the packet carries the data across the network; at the
far end the client packet is decapsulated and handed to the client
application.

Tunneling typically contrasts with a layered protocol model such as those of
OSI or TCP/IP. The tunnel protocol is usually (but not always) at a higher level
than the payload protocol, or at the same level. To understand a particular
protocol stack, both the payload and delivery protocol sets must be
understood. Protocol encapsulation that is carried out by conventional
layered protocols, in accordance with the OSI model or TCP/IP model, for
example HTTP over TCP over IP over PPP over a V.92 modem, should not be
considered as tunneling.

As an example of network layer over network layer, Generic Routing
Encapsulation (GRE), which is a protocol running over IP (IP Protocol Number
47), often is used to carry IP packets, with RFC 1918 private addresses, over
the Internet using delivery packets with public IP addresses. In this case, the
delivery and payload protocols are compatible, but the payload addresses
are incompatible with those of the delivery network.

In contrast, an IP payload might believe it sees a data link layer delivery
when it is carried inside the Layer 2 Tunneling Protocol (L2TP), which appears
to the payload mechanism as a protocol of the data link layer. L2TP,
however, actually runs over the transport layer using User Datagram Protocol
(UDP) over IP. The IP in the delivery protocol could run over any data link
protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to
the Point-to-Point Protocol (PPP) over a dialup modem link.

Figure 1: Tunneling, an example. The figure illustrates a layer 3 packet
encapsulated in another layer 3 packet.

1. SSH tunneling: An SSH tunnel is an encrypted tunnel created through an SSH
protocol connection. SSH tunnels may be used to carry unencrypted traffic over
a network through an encrypted channel. For example, Windows machines can
share files using the SMB protocol, which is not encrypted. If you were to
mount a Windows filesystem remotely through the Internet, someone snooping on
the connection could see your files. To mount the Windows filesystem securely,
you can establish an SSH tunnel that routes all SMB traffic to the remote
fileserver through an encrypted channel. Even though the SMB protocol itself
is unencrypted, it is secure because it travels through the encrypted SSH
channel.

To create an SSH tunnel, an SSH client is configured to forward a specified
local port to a port on the remote machine. Once the SSH tunnel has been
established, the user can connect to the specified local port to access the
network service. The local port need not be the same as the remote port.

Tunnels can be created at any time, with almost no effort and no programming,
which makes them very appealing. In this article we look at SSH Port
Forwarding in detail, as it is a very useful but often misunderstood
technology. SSH Port Forwarding can be used for secure communications in a
myriad of different ways.

The diagram below shows how an IRC chat network can be made securely
accessible from outside the company premises by means of SSH tunneling.

Figure 2: SSH tunneling for IRC

2. HTTP Encapsulation: Another HTTP-based tunneling method uses the HTTP
CONNECT method/command. A client issues the HTTP CONNECT command to an HTTP
proxy. The proxy then makes a TCP connection to a particular server:port, and
relays data between that server:port and the client connection. Because this
creates a security hole, CONNECT-capable HTTP proxies commonly restrict access
to the CONNECT method. The proxy allows access only to TLS/SSL-based HTTPS
services.

Figure 3: HTTP tunneling. The figure alongside shows how a tunneling server
can act as the means for the transfer of HTTP data over the network by
encapsulating it within another HTTP packet.
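As an added illustration of the CONNECT handling described above (example code written for this page, not code from the article or from any particular proxy), the Python below shows the policy check a CONNECT-capable proxy applies before it opens the upstream connection, followed by the relay loop that makes up the tunnel itself. The allowed-port set of {443} is an assumption standing in for "HTTPS services only"; the names decide_connect, parse_request_line and relay are chosen here.

```python
import re
import selectors

DEFAULT_ALLOWED_PORTS = frozenset({443})   # assumption: only TLS/HTTPS destinations may be tunnelled
# CONNECT uses authority-form: host:port, with a bracketed literal for IPv6 (RFC 7231 section 4.3.6).
_AUTHORITY = re.compile(r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")

def parse_request_line(raw):
    # First line of the request: METHOD SP request-target SP HTTP-version.
    line = raw.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    return parts

def decide_connect(raw, allowed_ports=DEFAULT_ALLOWED_PORTS):
    # Policy check run before any upstream TCP connection is opened.
    # Returns (status line, host, port); host and port are None unless the tunnel is allowed.
    try:
        method, target, _ = parse_request_line(raw)
    except ValueError:                       # also raised for non-ASCII bytes in the line
        return "HTTP/1.1 400 Bad Request", None, None
    if method != "CONNECT":
        return "HTTP/1.1 405 Method Not Allowed", None, None
    m = _AUTHORITY.match(target)
    if not m or not 1 <= int(m.group("port")) <= 65535:
        return "HTTP/1.1 400 Bad Request", None, None
    host, port = m.group("host"), int(m.group("port"))
    if port not in allowed_ports:
        # The hole the text refers to: without this restriction the proxy would relay
        # arbitrary TCP to any server:port on the client's behalf.
        return "HTTP/1.1 403 Forbidden", None, None
    return "HTTP/1.1 200 Connection Established", host, port

def relay(client_sock, server_sock):
    # The tunnel itself: after the 200 response, copy bytes in both directions until
    # either side closes. The proxy no longer interprets the data (it is TLS end to end).
    with selectors.DefaultSelector() as sel:
        sel.register(client_sock, selectors.EVENT_READ, data=server_sock)
        sel.register(server_sock, selectors.EVENT_READ, data=client_sock)
        while True:
            for key, _ in sel.select():
                chunk = key.fileobj.recv(65536)
                if not chunk:
                    return
                key.data.sendall(chunk)
```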


1. Proxy Server: In computer networks, a proxy server is a server (a computer
system or an application program) that acts as a go-between for requests from
clients seeking resources from other servers. A client connects to the proxy
server, requesting some service, such as a file, connection, web page, or
other resource, available from a different server.

2. URL Translation: Unlike tunneling, URL translation involves sending the URL
to the proxy, and the server returns the page. There is no protocol-in-protocol
encapsulation, i.e. the proxy server in the true sense acts as a client of the
server. The sessions and cookies are established at the proxy server and not
at the true client, unlike in the tunneling mechanism.

3. SOCKS 4/5: SOCKS is an Internet protocol that facilitates the routing of
network packets between client-server applications via a proxy server. SOCKS
performs at Layer 5 of the OSI model - the Session

1. IPv6 in IPv4: Involves the transfer of IPv6 packets over routers that
support only IPv4. IPv4 acts as a tunnel for IPv6 packets. Steps:

• Prepare an IPv6 packet.
• Encapsulate it in an IPv4 packet with the address of a translation server.
• Cross the old IPv4 routers.
• Decapsulate.
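The GRE case described earlier and the IPv6-in-IPv4 steps just listed are the same mechanism: a payload packet is placed inside an IPv4 delivery packet whose protocol number (47 for GRE, 41 for IPv6) tells the far end how to unwrap it. The Python below is an added example written for this page, not code from the article; it builds such delivery packets and decapsulates them again, verifying the delivery header checksum before trusting it. All addresses and payloads are constructed sample values, and the function names are chosen here.

```python
import struct
import ipaddress
PROTO_IPV6_IN_IPV4 = 41   # IANA protocol number carried by the IPv4 delivery packet for 6in4
PROTO_GRE = 47            # IANA protocol number for GRE, as the article states
GRE_PTYPE_IPV4 = 0x0800   # GRE protocol-type value announcing an IPv4 payload
def ipv4_checksum(header):
    # One's-complement sum of the header's 16-bit words; yields 0 for a valid header.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header (no options, TTL 64) with the checksum filled in.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    # Returns (src, dst, proto, payload); a delivery header with a bad checksum is rejected.
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:]

def gre_encapsulate(outer_src, outer_dst, inner_ipv4):
    # Delivery IPv4 (public addresses) + 4-byte GRE header + payload IPv4 (private addresses).
    gre_hdr = struct.pack("!HH", 0, GRE_PTYPE_IPV4)   # no C/K/S flags, version 0
    return build_ipv4(outer_src, outer_dst, PROTO_GRE, gre_hdr + inner_ipv4)

def sixin4_encapsulate(outer_src, outer_dst, inner_ipv6):
    # 6in4 has no intermediate header: the IPv6 packet is the IPv4 payload as-is.
    return build_ipv4(outer_src, outer_dst, PROTO_IPV6_IN_IPV4, inner_ipv6)

def decapsulate(delivery_pkt):
    # Far tunnel endpoint: strip the delivery header and dispatch on its protocol number.
    _, _, proto, payload = parse_ipv4(delivery_pkt)
    if proto == PROTO_GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        if flags & 0xF000:   # C/R/K/S flag set: optional GRE fields follow, not handled here
            raise ValueError("GRE optional fields not supported")
        return "gre", ptype, payload[4:]
    if proto == PROTO_IPV6_IN_IPV4:
        return "6in4", None, payload
    raise ValueError("not a tunnel delivery packet (protocol %d)" % proto)
if __name__ == "__main__":   # constructed sample: an RFC 1918 packet inside GRE across public addresses
    inner = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"private-network payload")
    print(decapsulate(gre_encapsulate("198.51.100.1", "203.0.113.7", inner)) == ("gre", 0x0800, inner))
```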

2. Secure Transfer: Usage of SSL for data transfer. Steps:

• Encapsulate the information in the primitive protocol.
• Encapsulate it in a secure protocol.
• Send.
• Decapsulate.

3. Virtual Private Networks: A virtual private network (VPN) is a computer
network in which some of the links between nodes are carried by open
connections or virtual circuits in some larger network, such as the Internet,
as opposed to running across a single private network. The link layer
protocols of the virtual network are said to be tunneled through the transport
network. One common application is to secure communications through the public
Internet, but a VPN does not need to have explicit security features such as
authentication or content encryption. For example, VPNs can also be used to
separate the traffic of different user communities over an underlying network
with strong security features, or to provide access to a network via
customized or private routing mechanisms. The figure below shows the virtual
private network extending the extranet for the work-at-home facility, as well
as the intranet, over geographically remote destinations connected via the
Internet.

Figure 4: VPN

4. Misuse - Access blocked sites: Tunneling can also be used to "sneak
through" a firewall. A protocol that is blocked by the firewall is "wrapped"
inside a protocol that is not blocked by the firewall, such as HTTP. If the
firewall policy has not been written to exclude this kind of "wrapping", this
trick can be used to get around the intended firewall policy.

Figure 5: A chat client using HTTP tunneling.

Like all technologies, there are positives as well as negatives to draw from
tunneling technology. It increases overhead and can be misused to get around
firewall policy, but still, the VPN features it provides have helped make the
world global. Imagine expanding a company without it. Preventing misuse is
next to impossible, but I think we would never want the Internet to get lost
over these issues.

Figure 6: A VPN – Another illustration