Tunneling vs Regular Encapsulation – Key Differences

protocol-theorytunnel

What are the difference between tunneling (https://en.wikipedia.org/wiki/Tunneling_protocol) and regular encapsulation (e.g. TCP/UDP over IP, HTTP/SSH over TCP)?

Is TCP/UDP over IP considered tunneling?

Is HTTP/SSH over TCP considered tunneling?

Thanks.

Best Answer

Encapsulation is the normal method of using a lower layer mechanism for moving your data. E.g. HTTP is encapsulated by TCP, TCP is encapsulated by IPv4, IPv4 is encapsulated by an Ethernet frame.

Encapsulating backwards or at the same layer - IP in GRE, IP in IPsec, IP in UDP, Ethernet in L2TP, ... is called tunneling. It somewhat ties a knot in your layering model - if you visualize the layers lying cleanly on top of each other, each layer interfacing with and using the layer below for service, tunneling connects layers out of that order.

The most common use for tunneling is to allow you to pass packets/frames across a network that doesn't support the protocol or addressing scheme. You can tunnel private IP address packets across a public IP network, IPv4 over an IPv6 network or vice versa, Ethernet frames across a layer-3 connection, and so on.

Back when IPX was popular, running it across IPsec VPN required nested tunneling. IPsec doesn't support IPX payloads, so inside the IPsec tunnel you had to create an additional PPTP tunnel that could carry IPX traffic. So, the complete chain was IPX-over-PPTP-over-IPsec.

Related Solutions

How to block ssh tunneling traffic

Preventing outbound ssh connections, and thus any tunnels, would require a complete blockade of outbound connections via deep packet inspection. Looking at ports will be 100% useless. You have to look at the actual packet payload to know it's SSH. (this is what websense is doing.)

The only other option is setting up a "proxy" host. Lock down the configuration so the ssh client and server will not allow tunneling, then allow only that machine to make outbound ssh connections -- of course, this includes securing the system as well, otherwise people can run whatever ssh software they want.

Ethernet – the difference between Ethernet II and 802.3 Ethernet

802.3 (which uses 802.2 LLC format) has a Length field in the same place that Ethernet II has a Type field.

IEEE 802.3 with 802.2 LLC (used by Spanning-Tree, ISIS) use the highlighted bytes for a Length field. 802.3 Upper-layer protocols are decoded via the 802.2 LLC Header / SNAP bytes. The SNAP bytes are used to decode protocols using traditional ethertype values; SNAP is only included when the 802.2 LLC DSAP / SSAP = 0xAAAA.

    +----+----+------+------+------+------+-----+
    | DA | SA | Len  | LLC  | SNAP | Data | FCS |
    +----+----+------+------+------+------+-----+
              ^^^^^^^^

    DA      Destination MAC Address (6 bytes)
    SA      Source MAC Address      (6 bytes)
    Len     Length of Data field    (2 bytes: <= 0x05DC or 1500 decimal)  <---
    LLC     802.2 LLC Header        (3 bytes)
    SNAP                            (5 bytes)
    Data    Protocol Data           (46 - 1500 bytes)
    FCS     Frame Checksum          (4 bytes)

RFC 894 (commonly known as Ethernet II frames) use these bytes for Type. Upper-layer protocols are decoded via the Type field

    +----+----+------+------+-----+
    | DA | SA | Type | Data | FCS |
    +----+----+------+------+-----+
              ^^^^^^^^

    DA      Destination MAC Address (6 bytes)
    SA      Source MAC Address      (6 bytes)
    Type    Protocol Type           (2 bytes: >= 0x0600 or 1536 decimal)  <---
    Data    Protocol Data           (46 - 1500 bytes)
    FCS     Frame Checksum          (4 bytes)

Best Answer

Related Solutions

How to block ssh tunneling traffic

Ethernet – the difference between Ethernet II and 802.3 Ethernet

Related Topic