1 Introduction

Tunneling is a technique used to transport data packets over a network. The original data packets, with a protocol not supported by the host network, are encapsulated within another packet and then transported through the network. This technique is helpful for encrypted networks and can be used in virtual private networks (VPNs). Tunneling can be either full, where all network traffic is routed through the tunnel, or split, where only part of the network traffic is routed. The trend in tunneling is shifting from VPN access to a zero trust model, where the focus is on protecting data and ensuring privacy rather than remote access.

2 Analysis

2.1 Definition

To transport data through a network, the data is divided into packets. In tunneling, packets from one network are sent via another network’s connections. The packets are encapsulated within other packets and then transported by the second network [1]. This means that data with a protocol not supported by a given network can be sent over that network. In tunneling, the original packet is encapsulated inside another packet (see Fig. 26.1).

[Fig. 26.1: illustration of two packets, each with a header (destination and protocol) and a payload, one encapsulated inside the other as its payload.]

Each packet has a header and a payload. The header lists the packet’s destination and protocol. Packet A is encapsulated by Packet B and becomes its payload.

There are two types of tunnels:

  • In full tunneling all network traffic goes through the tunnel [2].

  • In split tunneling, only part of the network traffic is routed through the tunnel. This allows the user or device to simultaneously access resources in different networks [3].

Tunneling is very useful in encrypted networks. To create an encrypted tunnel, a network packet, including the header, is completely encrypted and encapsulated as a payload inside another packet for transport across a network. The payload is decrypted at the destination, and the original packet is restored.

While tunneling is often used in virtual private networks (VPNs), VPN and tunneling are technically not the same, and there are VPNs without tunneling. For example, the VPN implementation IPsec supports a transport mode in which the packets are not completely encrypted and encapsulated. Instead, the packet retains its original header [5], and only the packet payload is encrypted.

2.2 Trends

Internet Protocol version 6 (IPv6) is the replacement for IPv4, which will be phased out because of its limited address space. However, as there are still IPv4-only networks that do not support IPv6, the tunneling protocol 6in4 [6] allows sending IPv6 packets over an IPv4 network [7].

Another prominent use case of tunnels is VPNs. The global VPN market is expected to grow from US$ 44bn in 2022 to US$ 77.1bn in 2026 [8]. However, at the same time, there is also a shift from VPN access to a zero trust model (e.g., Zero Trust Network Access (ZTNA) and/or Zero Trust Architectures (ZTA)). For example, Google [9] and the US Government [10] both announced shifts from VPN solutions to a zero trust model (See Zero Trust factsheet), and a 2021 study found that 72% of all companies were adopting or planning to adopt zero trust [11].

3 Consequences for Switzerland

There is no Swiss-specific need for tunneling, and the demand is expected to be similar to other industrial countries. The exception is VPN providers. Thanks to the strict Swiss laws regarding data protection and privacy, the two VPN providers VyprVPN and Proton VPN are located in Switzerland. Proton explicitly states: “Weil wir in der Schweiz angesiedelt sind, ist Proton VPN durch einige der strengsten Datenschutzgesetze der Welt geschützt und bleibt ausserhalb der Gerichtsbarkeit der USA und der EU.” [Because we are based in Switzerland, Proton VPN is protected by some of the strictest privacy laws in the world and remains outside the jurisdiction of the US and EU.] [12].

3.1 Implementation Possibilities: Make or Buy

Most tunneling protocols are defined in Request for Comments (RFC) documents (see also 3.2 Variation and Recommendation below for examples) and then implemented by network equipment or software vendors. For VPNs, the most common closed-source solutions used globally [13] are Cisco VPN, Cisco AnyConnect, Juniper VPN, and Citrix Gateway. There are also two widespread open-source VPN solutions:

  • OpenVPN [14] is an open-source (GNU GPLv2) VPN system that uses the OpenSSL library to encrypt the data as well as the control channels. It was first released in 2001. The throughput over an OpenVPN tunnel is somewhat limited, but the software runs on any operating system and platform, which makes it widely used.

  • WireGuard [15] is an open-source (GNU GPLv2) VPN implementation designed to be easy to use, with improved performance compared to other VPN implementations and a low attack surface.

3.2 Variation and Recommendation

There are many tunneling protocols in use today; a few are listed below:

  • GRE Tunneling [16]: Generic Routing Encapsulation (GRE) is a protocol where packets are encapsulated inside other packets. It can connect separate networks and allows the use of protocols on a network that does not itself support them.

  • IP-in-IP [17]: Here, IP packets are encapsulated inside other IP packets. There is no encryption, and the encapsulated packets remain unmodified.

  • SSH tunneling [18]: SSH is typically used for the terminal access of a remote machine, but it can also be used to establish a secure tunnel between two computers.

  • Point-to-Point Tunneling Protocol (PPTP) [19]: PPTP is an obsolete VPN protocol that uses a GRE tunnel.

  • Secure Socket Tunneling Protocol (SSTP) [20]: SSTP is a replacement and improvement of PPTP, which encrypts the transfer with SSL/TLS.

  • Layer 2 Tunneling Protocol (L2TP) [21]: L2TP is a tunnel protocol mainly used in VPNs. It provides a tunnel for Layer 2.

  • Virtual Extensible Local Area Network (VXLAN) [24]: VXLAN is a network virtualization technique that allows Layer 2 connection over a Layer 3 network.

  • IPv6 in IPv4 Tunnel (or IPv4 in IPv6 Tunnel): In 6in4, IPv6 packets are encapsulated in IPv4 packets. This allows the transport of IPv6 packets over an IPv4 network. The opposite is also possible (4in6: IPv4 over an IPv6 network [6]).
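The following is an added example, written for this page and not taken from any of the cited implementations, of the encapsulation described in 2.1 as it applies to the IP-in-IP and 6in4 entries above: the complete inner packet (header included) becomes the payload of a new outer IPv4 header, and the outer protocol field (4 for IP-in-IP, 41 for 6in4) tells the far end what it carries. The decapsulating side also does the checks a tunnel endpoint should do: it refuses an outer header with a bad checksum and a payload whose IP version contradicts the protocol field. All addresses are constructed from documentation ranges; only the Python standard library is used.

```python
import ipaddress
import struct

# IANA protocol numbers carried in the outer IPv4 header; they tell the far
# end of the tunnel what kind of packet sits in the payload.
PROTO_IPIP = 4    # IP-in-IP: an IPv4 packet inside an IPv4 packet
PROTO_6IN4 = 41   # 6in4: an IPv6 packet inside an IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header (evaluates to 0 if intact)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner: bytes, src: str, dst: str) -> bytes:
    """Make the whole inner packet (header included) the payload of a new
    outer IPv4 header addressed to the tunnel endpoints src -> dst."""
    proto = {4: PROTO_IPIP, 6: PROTO_6IN4}[inner[0] >> 4]  # inner version nibble
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + inner


def decapsulate(packet: bytes) -> bytes:
    """Strip the outer header and hand back the original packet unmodified.
    Rejects a damaged outer header or a mismatched protocol/payload pair."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("corrupt outer IPv4 header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    inner = packet[ihl:total_len]
    want = {PROTO_IPIP: 4, PROTO_6IN4: 6}.get(packet[9])
    if want is None or inner[0] >> 4 != want:
        raise ValueError("outer protocol field does not match inner packet")
    return inner


# Constructed sample inner packets (documentation addresses), not captured traffic.
INNER_V6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8::2").packed)
INNER_V4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 253, 0,
                       ipaddress.IPv4Address("10.0.0.1").packed,
                       ipaddress.IPv4Address("10.0.0.2").packed) + b"ping"
```

Note that neither variant encrypts anything: the inner packet travels in the clear, which is why the chapter distinguishes plain encapsulation from the encrypted tunnels used by VPNs.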

4 Conclusion

Tunneling, as an integral part of most VPN implementations, is essential for secure access to a remote resource. Without such encrypted tunnels, the traffic to this remote resource would be unencrypted and could be tapped by a malicious third party. In addition, tunneling allows connecting networks (e.g., VXLAN) or enables the use of communication protocols on networks that do not support them (e.g., 6in4).