Abstract
Tunneling is a technique used to transport data packets over a network. The original data packets, with a protocol not supported by the host network, are encapsulated within another packet and then transported through the network. While tunneling is often used in virtual private networks (VPNs), VPN and tunneling are technically not the same, and there are VPNs without tunneling. However, tunneling is essential for securing access to a remote resource and is an integral part of most VPN implementations. Without such encrypted tunnels, the traffic to this remote resource would be unencrypted and could be tapped by a malicious third party.
1 Introduction
Tunneling is a technique used to transport data packets over a network. The original data packets, with a protocol not supported by the host network, are encapsulated within another packet and then transported through the network. This technique is helpful for encrypted networks and can be used in virtual private networks (VPNs). Tunneling can be either full, where all network traffic is routed through the tunnel, or split, where only part of the network traffic is routed. The trend in tunneling is shifting from VPN access to a zero trust model, where the focus is on protecting data and ensuring privacy rather than remote access.
2 Analysis
2.1 Definition
To transport data through a network, the data is divided into packets. In tunneling, packets from one network are sent via another network's connections. The packets are encapsulated within packets of the second network and then transported by that network [1]. This means that data with a protocol not supported by a given network can be sent over that network. In tunneling, the original packet is encapsulated inside another packet (see Fig. 26.1).
There are two types of tunnels:
- In full tunneling, all network traffic goes through the tunnel [2].
- In split tunneling, only part of the network traffic is routed through the tunnel. This allows the user or device to simultaneously access resources in different networks [3].
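The difference between full and split tunneling is, in the end, a routing decision on the client. The following added example (not from the chapter) builds the two routing tables and resolves destinations with a longest-prefix match; the gateway address, interface names and "corporate" prefixes are constructed sample values. It also shows the one exception a full tunnel always needs: the route to the tunnel endpoint itself must stay on the physical interface, otherwise the tunnel could never be established.

```python
import ipaddress

# Constructed sample values (not from the chapter): the tunnel endpoint uses a
# documentation address, the "corporate" prefixes are private ranges.
VPN_GATEWAY = "203.0.113.10"
CORP_PREFIXES = ["10.0.0.0/8", "192.168.100.0/24"]


def build_routes(mode):
    """Return a routing table as a list of (network, interface) pairs.

    mode="full":  the default route points into the tunnel (tun0); only the
                  route to the tunnel endpoint itself stays on the physical
                  interface (eth0), otherwise the tunnel could not be reached.
    mode="split": the default route stays on eth0; only the corporate prefixes
                  are sent into tun0, everything else leaves untunneled.
    """
    default = ipaddress.ip_network("0.0.0.0/0")
    gateway_host = ipaddress.ip_network(VPN_GATEWAY + "/32")
    if mode == "full":
        return [(default, "tun0"), (gateway_host, "eth0")]
    if mode == "split":
        routes = [(default, "eth0"), (gateway_host, "eth0")]
        routes += [(ipaddress.ip_network(p), "tun0") for p in CORP_PREFIXES]
        return routes
    raise ValueError("mode must be 'full' or 'split'")


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise LookupError("no route to " + dst)
    return best_iface


def classify(mode, destinations):
    """Map each destination to its egress interface. Anything on eth0 leaves
    without the tunnel's protection: in split mode that is the policy, in
    full mode only the tunnel endpoint itself should appear there."""
    routes = build_routes(mode)
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    sample = ["10.20.30.40", "192.168.100.7", "93.184.216.34", VPN_GATEWAY]
    for mode in ("full", "split"):
        print(mode, classify(mode, sample))
```

Running it shows that under split tunneling a public destination such as 93.184.216.34 leaves on eth0 in the clear, while under full tunneling only the gateway address does; that is the property an administrator checks when deciding whether split tunneling is acceptable for a given device.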
Tunneling is very useful in encrypted networks. To create an encrypted tunnel, a network packet, including the header, is completely encrypted and encapsulated as a payload inside another packet for transport across a network. The payload is decrypted at the destination, and the original packet is restored.
While tunneling is often used in virtual private networks (VPNs), VPN and tunneling are technically not the same, and there are VPNs without tunneling. For example, the VPN implementation IPsec supports a transport mode in which the complete packet is not encrypted and encapsulated; instead, the packet retains its original header [5], and only the packet payload is encrypted.
2.2 Trends
The Internet Protocol version 6 (IPv6) is the replacement for IPv4, which will be phased out because of its limited address space. However, as there are still IPv4-only networks that do not support IPv6, the tunneling protocol 6in4 [6] allows sending IPv6 packets over an IPv4 network [7].
Another prominent use case of tunnels is VPNs. The global VPN market is expected to grow from US$ 44bn in 2022 to US$ 77.1bn in 2026 [8]. However, at the same time, there is also a shift from VPN access to a zero trust model (e.g., Zero Trust Network Access (ZTNA) and/or Zero Trust Architectures (ZTA)). For example, Google [9] and the US Government [10] both announced shifts from VPN solutions to a zero trust model (See Zero Trust factsheet), and a 2021 study found that 72% of all companies were adopting or planning to adopt zero trust [11].
3 Consequences for Switzerland
There is no Swiss-specific need for tunneling, and the demand is expected to be similar to other industrial countries. The exception is VPN providers. Thanks to the strict Swiss laws regarding data protection and privacy, the two VPN providers VyprVPN and Proton VPN are located in Switzerland. Proton explicitly states: “Weil wir in der Schweiz angesiedelt sind, ist Proton VPN durch einige der strengsten Datenschutzgesetze der Welt geschützt und bleibt ausserhalb der Gerichtsbarkeit der USA und der EU.” [Because we are based in Switzerland, Proton VPN is protected by some of the strictest privacy laws in the world and remains outside the jurisdiction of the US and EU.] [12].
3.1 Implementation Possibilities: Make or Buy
Most tunneling protocols are defined in Request for Comments (RFC) documents (see also Sect. 3.2 Variation and Recommendation below for examples) and then implemented by network equipment or software vendors. For VPNs, the most common closed-source solutions used globally [13] are Cisco VPN, Cisco AnyConnect, Juniper VPN, and Citrix Gateway. There are also two widespread open-source VPN solutions:
- OpenVPN [14] is an open-source (GNU GPLv2) VPN system that uses the OpenSSL library to encrypt the data as well as the control channels. It was first released in 2001. The throughput over an OpenVPN tunnel is somewhat limited, but the software runs on any operating system and platform, which makes it widely used.
- WireGuard [15] is an open-source (GNU GPLv2) VPN implementation designed to be easy to use, with improved performance compared to other VPN implementations and a small attack surface.
3.2 Variation and Recommendation
There are many tunneling protocols in use today; a few are listed below:
- GRE Tunneling [16]: Generic Routing Encapsulation (GRE) is a protocol where packets are encapsulated inside other packets. It can connect separate networks and allows a protocol to be carried over a network that does not support that protocol.
- IP-in-IP [17]: Here, IP packets are encapsulated inside other IP packets. There is no encryption, and the encapsulated packets remain unmodified.
- SSH tunneling [18]: SSH is typically used for terminal access to a remote machine, but it can also be used to establish a secure tunnel between two computers.
- Point-to-Point Tunneling Protocol (PPTP) [19]: PPTP is an obsolete VPN protocol that uses a GRE tunnel.
- Secure Socket Tunneling Protocol (SSTP) [20]: SSTP is a replacement and improvement of PPTP, which encrypts the transfer with SSL/TLS.
- Layer 2 Tunneling Protocol (L2TP) [21]: L2TP is a tunnel protocol mainly used in VPNs. It provides a tunnel for Layer 2.
- Virtual Extensible Local Area Network (VXLAN) [24]: VXLAN is a network virtualization technique that allows a Layer 2 connection over a Layer 3 network.
- IPv6 in IPv4 Tunnel (or IPv4 in IPv6 Tunnel): In 6in4, IPv6 packets are encapsulated in IPv4 packets. This allows the transport of IPv6 packets over an IPv4 network. The opposite holds for 4in6 (IPv4 over an IPv6 network [6]).
4 Conclusion
Tunneling is essential for secure access to a remote resource and is an integral part of most VPN implementations. Without such encrypted tunnels, the traffic to this remote resource would be unencrypted and could be tapped by a malicious third party. In addition, tunneling allows connecting networks (e.g., VXLAN) or enables the use of communication protocols on networks that do not support them (e.g., 6in4).
References
[1] CSRC Content Editor. tunneling - Glossary | CSRC. https://csrc.nist.gov/glossary/term/tunneling, September 2022.
[2] CSRC Content Editor. Full Tunneling - Glossary | CSRC. https://csrc.nist.gov/glossary/term/full_tunneling, September 2022.
[3] CSRC Content Editor. split tunneling - Glossary | CSRC. https://csrc.nist.gov/glossary/term/split_tunneling, September 2022.
[4] CSRC Content Editor. VPN - Glossary | CSRC. https://csrc.nist.gov/glossary/term/vpn, September 2022.
[5] Juniper Networks. Understanding IPsec VPN Modes. https://www.juniper.net/documentation/en_US/junos-space18.4/topics/concept/junos-space-ipsec-vpn-mode-understanding.html, September 2022.
[6] Steve E. Deering and Alex Conta. Generic Packet Tunneling in IPv6 Specification. RFC 2473, Internet Engineering Task Force, December 1998.
[7] Robert E. Gilligan and Erik Nordmark. Basic Transition Mechanisms for IPv6 Hosts and Routers. RFC 4213, Internet Engineering Task Force, October 2005.
[8] Justina Alexandra Sava. VPN market size worldwide 2027. https://www.statista.com/statistics/542817/worldwide-virtual-private-network-market/, September 2022.
[9] Zero Trust and BeyondCorp Google Cloud. https://cloud.google.com/blog/topics/developers-practitioners/zero-trust-and-beyondcorp-google-cloud/, September 2022.
[10] Shalanda D. Young. M-22-09.pdf. https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf, January 2022.
[11] Cybersecurity Insiders. 2021 VPN RISK REPORT. Technical report, September 2022.
[12] Swiss IT Magazine. VPNs aus der Schweiz im Vergleich. https://www.itmagazine.ch/artikel/77534/VPNs_aus_der_Schweiz_im_Vergleich.html, September 2022.
[13] Top global VPN market share by technology 2021.
[14] OpenVPN. Business VPN | Next-Gen VPN. https://openvpn.net/, September 2022.
[15] Jason A. Donenfeld. WireGuard: Next Generation Kernel Network Tunnel. In Proceedings 2017 Network and Distributed System Security Symposium, San Diego, CA, 2017. Internet Society.
[16] Tony Li, Dino Farinacci, Stanley P. Hanks, David Meyer, and Paul S. Traina. Generic Routing Encapsulation (GRE). RFC 2784, Internet Engineering Task Force, March 2000.
[17] IP in IP Tunneling. RFC 1853, Internet Engineering Task Force, October 1995.
[18] Berkeley Information Security Office. Securing Network Traffic With SSH Tunnels. https://security.berkeley.edu/education-awareness/securing-network-traffic-ssh-tunnels, September 2022.
[19] Glen Zorn, Gurdeep-Singh Pall, and Kory Hamzeh. Point-to-Point Tunneling Protocol (PPTP). RFC 2637, Internet Engineering Task Force, July 1999.
[20] [MS-SSTP]: Secure Socket Tunneling Protocol (SSTP). https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/c50ed240-56f3-4309-8e0c-1644898f0ea8, September 2022.
[21] Andrew J. Valencia, Glen Zorn, William Palter, Gurdeep-Singh Pall, Mark Townsley, and Allan Rubens. Layer Two Tunneling Protocol "L2TP". RFC 2661, Internet Engineering Task Force, August 1999.
[22] ITU. X.225: Information technology – Open Systems Interconnection – Connection-oriented Session protocol: Protocol specification. https://www.itu.int/rec/T-REC-X.225-199511-I/en, September 2022.
[23] Juniper Networks. Layer 2 Networking. https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/layer-2-understanding.html, September 2022.
[24] Juniper. What is VXLAN? https://www.juniper.net/us/en/research-topics/what-is-vxlan.html.
[25] What is Network layer? - Definition from WhatIs.com. https://www.techtarget.com/searchnetworking/definition/Network-layer, September 2022. SearchNetworking.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
About this chapter
Cite this chapter
Lin, W. (2023). Tunneling and VPN. In: Mulder, V., Mermoud, A., Lenders, V., Tellenbach, B. (eds) Trends in Data Protection and Encryption Technologies. Springer, Cham. https://doi.org/10.1007/978-3-031-33386-6_26
DOI: https://doi.org/10.1007/978-3-031-33386-6_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33385-9
Online ISBN: 978-3-031-33386-6
eBook Packages: Computer Science (R0)