Tunneling (from English tunnelling) in computer networks is a process in which a logical connection is created between two endpoints by encapsulating one protocol inside another. Tunneling is a network-building method in which one network protocol is encapsulated in another. It differs from conventional layered network models (such as OSI or TCP/IP) in that the encapsulated protocol is at the same or a lower layer than the protocol used as the tunnel.
The essence of tunneling is to "pack" the transmitted unit of data, together with its service fields, into the payload area of a packet of the carrier protocol. Tunneling can be applied at the network and application layers. Combined with encryption, tunneling makes it possible to build closed virtual private networks (VPNs). Tunneling is usually used to reconcile transport protocols or to create a secure connection between network nodes.
Protocol Types
The following protocol types are involved in the encapsulation (tunneling) process:
- transportable protocol;
- carrying protocol;
- encapsulation protocol.
The protocol of the transit network is the carrier protocol, and the protocol of the interconnected networks is the transported protocol. Packets of the transported protocol are placed in the data field of carrier-protocol packets by the encapsulation protocol. The transported ("passenger") packets are not processed in any way while crossing the transit network. Encapsulation is performed by an edge device (a router or gateway) located on the border between the source network and the transit network. The transported packets are extracted from the carrier packets by a second edge device, located on the border between the transit network and the destination network. The carrier packets carry the addresses of the edge devices, not the addresses of nodes in the destination network.
Coordination of transport protocols
A tunnel can be used when two networks with the same transport technology must be connected through a network that uses a different transport technology. In that case the edge routers connecting each of the joined networks to the transit network place the transport-protocol packets of the joined networks into transport-protocol packets of the transit network; the second edge router performs the reverse operation.
Tunneling usually leads to simpler and faster solutions than protocol translation, because it solves a narrower problem: it does not need to provide interworking between the joined networks and the nodes of the transit network.
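The following Python models the roles described in the two sections above, both the carrier/transported/encapsulation split and the transport-coordination case of two IPv6 networks joined across an IPv4 transit network (6in4, IP protocol 41). It is an added example, not code from the original article: the addresses (documentation ranges), the one-table transit router and the payload are constructed for illustration, and the IPv4 and IPv6 headers are built by hand so the example runs offline without raw sockets.

```python
"""Encapsulating an IPv6 'passenger' packet in an IPv4 'carrier' packet (6in4).

Added example, not from the original article. Addresses come from the RFC
documentation ranges; the transit router and payload are constructed.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number: IPv6 encapsulated in IPv4 (RFC 4213)


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over an IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Transported (passenger) packet: minimal IPv6 header plus payload.
    next_header 59 means 'no next header', enough for a demo payload."""
    ver_tc_flow = 6 << 28
    header = struct.pack("!IHBB16s16s", ver_tc_flow, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return header + payload


def encapsulate(inner: bytes, edge_src: str, edge_dst: str) -> bytes:
    """First edge router: wraps the passenger packet in an IPv4 carrier packet
    whose addresses are the two edge routers, not the final IPv6 hosts."""
    total_len = 20 + len(inner)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(edge_src).packed, ipaddress.IPv4Address(edge_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum field
    return hdr + inner


def transit_forward(carrier: bytes, routing_table: dict) -> str:
    """A transit-network router looks only at the outer IPv4 header; the passenger
    bytes are opaque to it. Returns the next hop chosen for the packet."""
    dst = ipaddress.IPv4Address(carrier[16:20])
    for prefix, next_hop in routing_table.items():
        if dst in ipaddress.IPv4Network(prefix):
            return next_hop
    raise LookupError("no route to carrier destination")


def decapsulate(carrier: bytes) -> bytes:
    """Second edge router: validates the carrier header and hands back the
    passenger packet exactly as it was encapsulated."""
    if len(carrier) < 20:
        raise ValueError("carrier shorter than an IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", carrier[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 carrier packet")
    if ipv4_checksum(carrier[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("carrier does not contain an IPv6 passenger")
    return carrier[ihl:total_len]


def demo() -> dict:
    """End to end: IPv6 host -> edge A -> transit -> edge B -> IPv6 host."""
    inner = build_ipv6_packet("2001:db8:1::10", "2001:db8:2::20", b"hello over the tunnel")
    carrier = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    routes = {"203.0.113.0/24": "transit-hop-B", "198.51.100.0/24": "transit-hop-A"}
    next_hop = transit_forward(carrier, routes)
    return {
        "carrier_len": len(carrier),
        "outer_src": str(ipaddress.IPv4Address(carrier[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(carrier[16:20])),
        "next_hop": next_hop,
        "passenger_intact": decapsulate(carrier) == inner,
    }


if __name__ == "__main__":
    print(demo())
```

The transit router never parses the IPv6 header, which is the point of the "narrower problem" remark above: only the two edge routers need to understand both protocols. Note that the terminator trusts nothing in the carrier header beyond its own checks; plain encapsulation gives no confidentiality or authenticity, which is the subject of the next section.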
Main Tunnel Components
The main components of the tunnel are:
- tunnel initiator;
- routed network;
- tunnel switch;
- one or more tunnel terminators.
The tunnel initiator embeds (encapsulates) packets in a new packet that contains, along with the original data, a new header with information about the sender and receiver. Although all packets that travel through the tunnel are IP packets, the encapsulated packets can belong to any protocol, including non-routable ones. The route between the initiator and the tunnel terminator is determined by an ordinary routable IP network, which need not be the Internet. The tunnel terminator performs the reverse of encapsulation: it removes the new headers and routes each original packet to the local protocol stack or to its destination on the local network.
Encapsulation by itself does not affect the security of the packets transmitted over the VPN tunnel, but it makes full cryptographic protection of the encapsulated packets possible. Confidentiality of the encapsulated packets is ensured by encryption; integrity and authenticity are ensured by a digital signature. Since there are many methods of cryptographic protection, the initiator and the terminator of the tunnel must use the same methods and be able to negotiate them with each other. Moreover, to decrypt the data and verify the digital signature on receipt, the initiator and the terminator must support secure key exchange. So that VPN tunnels are created only between authorized users, the two ends of the exchange must also be authenticated.
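The following Python shows the protection step described above: the initiator encrypts each encapsulated ("passenger") packet and attaches an authentication tag, and the terminator verifies the tag before decrypting and rejects modified or replayed packets. It is an added example, not code from the original article, and it makes two simplifying assumptions: the ends already share a key (the key-exchange step the article mentions is out of scope), and a symmetric HMAC tag stands in for the digital signature the article describes. Confidentiality comes from a keystream derived with HMAC-SHA256 in counter mode, used in place of a production AEAD such as AES-GCM so the example runs on the standard library alone.

```python
"""Cryptographic protection between a tunnel initiator and terminator.

Added example, not from the original article. Assumes a pre-shared key; uses
encrypt-then-MAC with HMAC-SHA256 (keystream in counter mode + HMAC tag) as a
stand-in for a real AEAD cipher and for the digital signature in the text.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 tag
SEQ_LEN = 8    # 64-bit sequence number, also used as the per-packet nonce


def derive_keys(shared_key: bytes) -> tuple:
    """Key separation: one key for encryption, a different one for authentication."""
    enc_key = hmac.new(shared_key, b"tunnel-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(shared_key, b"tunnel-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF in counter mode: keystream block i = HMAC(enc_key, nonce || i).
    XOR is its own inverse, so the same call encrypts and decrypts.
    The nonce must never repeat under one key; here it is the sequence number."""
    stream = bytearray()
    for i in range((len(data) + 31) // 32):
        stream.extend(hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, stream))


class TunnelInitiator:
    def __init__(self, shared_key: bytes):
        self.enc_key, self.mac_key = derive_keys(shared_key)
        self.seq = 0

    def protect(self, inner_packet: bytes) -> bytes:
        """Produce the tunnel payload: seq || ciphertext || tag.
        The tag covers seq and ciphertext, so any modification is detected."""
        self.seq += 1
        nonce = struct.pack("!Q", self.seq)
        ciphertext = keystream_xor(self.enc_key, nonce, inner_packet)
        body = nonce + ciphertext
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return body + tag


class TunnelTerminator:
    def __init__(self, shared_key: bytes):
        self.enc_key, self.mac_key = derive_keys(shared_key)
        self.last_seq = 0

    def unprotect(self, frame: bytes) -> bytes:
        """Verify first, then decrypt; never touch the ciphertext before the tag checks."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated tunnel frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("authentication failed: frame modified or wrong key")
        seq = struct.unpack("!Q", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:
            raise ValueError("replayed frame")
        self.last_seq = seq
        return keystream_xor(self.enc_key, body[:SEQ_LEN], body[SEQ_LEN:])


def demo(tamper: bool = False) -> dict:
    """One packet through the protected tunnel, optionally modified in transit."""
    shared_key = b"\x11" * 32  # constructed; a real deployment gets this from key exchange
    init, term = TunnelInitiator(shared_key), TunnelTerminator(shared_key)
    inner = b"passenger packet: non-routable protocol data"  # constructed payload
    frame = init.protect(inner)
    if tamper:
        frame = frame[:12] + bytes([frame[12] ^ 0x01]) + frame[13:]  # flip one ciphertext bit
    try:
        recovered = term.unprotect(frame)
        return {"accepted": True, "intact": recovered == inner, "confidential": inner not in frame}
    except ValueError as err:
        return {"accepted": False, "reason": str(err)}


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

The order of operations in `unprotect` is the part worth copying: authenticate the whole frame, then check the sequence number, then decrypt. The strictly increasing sequence check is deliberately simple; real tunnel protocols use a sliding window so that legitimately reordered packets are not dropped, but the replay property is the same.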