Tunneling protocol
A tunneling protocol is a network protocol in which one protocol, called the payload protocol, is encapsulated inside a different protocol, called the delivery protocol. Reasons to use tunneling include carrying a payload over an incompatible delivery network, or providing a secure path across an insecure network.
Tunneling typically contrasts with a layered protocol model such as those of OSI or TCP/IP. The tunnel protocol is usually (but not always) at a higher level than the payload protocol, or at the same level. To understand a particular protocol stack, both the payload and delivery protocol sets must be understood. Protocol encapsulation that is carried out by conventional layered protocols, in accordance with the OSI model or TCP/IP model, for example HTTP over TCP over IP over PPP over a V.92 modem, should not be considered as tunneling.
Generic Routing Encapsulation (GRE) is a protocol that runs over IP (IP protocol number 47). As an example of a network layer carried over a network layer, it is commonly used to carry IP packets with RFC 1918 private addresses inside IP packets with public addresses across the Internet. In this case the delivery and payload protocols are compatible, but the payload addresses are incompatible with the delivery network.
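As an added example (not code from the original article), the following Python builds and parses the GRE-over-IP arrangement just described: an inner IPv4 packet with RFC 1918 private addresses is wrapped in a 4-byte GRE header (RFC 2784, no optional fields) and an outer IPv4 header with protocol number 47. The addresses, payload and experimental inner protocol number are constructed values; the public addresses come from the RFC 5737 documentation ranges and are placeholders.

```python
import ipaddress
import struct

IPPROTO_GRE = 47        # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" field value for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """Standard ones-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Wrap an IPv4 packet in GRE and an outer IPv4 header (the tunnel ingress side)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/reserved/version all zero
    payload = gre + inner_packet
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(payload)) + payload


def gre_decapsulate(packet: bytes):
    """Tunnel egress side: return (outer_src, outer_dst, inner_packet).

    Raises ValueError for anything that is not a plain GRE-over-IPv4 packet
    carrying IPv4, including a corrupted outer header checksum.
    """
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    # This example only handles the base header: no checksum/key/sequence
    # options (C, K, S bits), GRE version 0, and an IPv4 payload.
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            packet[ihl + 4:total_len])


def build_tunneled_packet():
    """Constructed example: a private (RFC 1918) packet carried between public endpoints.

    Returns (outer_packet, inner_packet). Protocol 253 is reserved for
    experimentation, used here so the inner packet needs no real transport header.
    """
    body = b"private payload"
    inner = ipv4_header("10.0.0.5", "10.0.1.9", 253, len(body)) + body
    outer = gre_encapsulate("198.51.100.1", "203.0.113.7", inner)
    return outer, inner


if __name__ == "__main__":
    outer, inner = build_tunneled_packet()
    print("outer length", len(outer), "inner length", len(inner))
    print(gre_decapsulate(outer)[:2])
```

Only the outer header is visible to routers on the public path; the private addresses appear solely inside the GRE payload, which is exactly the incompatibility the tunnel works around.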
In contrast, an IP payload might believe it sees a data link layer delivery when it is carried inside the Layer 2 Tunneling Protocol (L2TP), which appears to the payload mechanism as a protocol of the data link layer. L2TP, however, actually runs over the transport layer using User Datagram Protocol (UDP) over IP. The IP in the delivery protocol could run over any data link protocol from IEEE 802.2 over IEEE 802.3 (i.e., standards-based Ethernet) to the Point-to-Point Protocol (PPP) over a dialup modem link.
Tunneling protocols may use data encryption to transport insecure payload protocols over a public network such as the Internet, thereby providing VPN functionality. IPsec has an end-to-end Transport Mode, but it can also be operated in a Tunnel Mode through a trusted security gateway.
Common tunneling protocols
Examples of tunneling protocols include:
- Datagram-based:
  - IPsec
  - GRE (Generic Routing Encapsulation): supports multiple protocols and multiplexing
  - IP in IP tunneling [1]: lower overhead than GRE; used when only one IP stream is to be tunneled
  - L2TP (Layer 2 Tunneling Protocol) [2]
  - MPLS (Multi-Protocol Label Switching)
  - GTP (GPRS Tunnelling Protocol)
  - PPTP (Point-to-Point Tunneling Protocol) [3]
  - PPPoE (Point-to-Point Protocol over Ethernet)
  - PPPoA (Point-to-Point Protocol over ATM)
  - IEEE 802.1Q (Ethernet VLANs)
  - DLSw (SNA over IP)
  - XOT (X.25 datagrams over TCP)
  - IPv6 tunneling: 6to4, 6in4, Teredo tunneling
  - Anything In Anything (AYIYA; e.g. IPv6 over UDP over IPv4, IPv4 over IPv6, IPv6 over TCP over IPv4, etc.)
- Stream-based:
  - Transport Layer Security (TLS)
  - SSH
  - SOCKS
  - HTTP CONNECT method
  - Various circuit-level proxy protocols, such as Microsoft Proxy Server's Winsock Redirection Protocol or WinGate's Winsock Redirection Service.
SSH tunneling
An SSH tunnel is an encrypted tunnel created through an SSH protocol connection. SSH tunnels may be used to carry unencrypted traffic over a network through an encrypted channel. For example, Windows machines can share files using the SMB protocol, which is not encrypted. If you were to mount a Windows filesystem remotely over the Internet, someone snooping on the connection could see your files. To mount the Windows filesystem securely, you can establish an SSH tunnel that routes all SMB traffic to the remote file server through an encrypted channel. Even though the SMB protocol itself is unencrypted, the traffic is protected because it travels inside the encrypted SSH channel.
To create an SSH tunnel, the SSH client is configured to forward a specified local port to a port on the remote machine. Once the SSH tunnel is established, the user connects to the specified local port to access the network service. The local port need not be the same as the remote port.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services. For example, an organization may prohibit users from accessing web pages (port 80) directly without going through the organization's proxy filter, so that the organization can monitor or control what users view on the web. Users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If a user can connect to an external SSH server, they can create an SSH tunnel that forwards a given local port to port 80 on a remote web server. To reach the remote web server, the user points their web browser to http://localhost/.
Some SSH clients support dynamic port forwarding, which allows the user to create a SOCKS proxy. The user can then configure their applications to use the local SOCKS proxy server. This is more flexible than creating an SSH tunnel to a single port: with SOCKS, the user is not limited to connecting only to a predefined port and server.
Tunneling to circumvent firewall policy
Tunneling can be used to slip past a firewall. A protocol that the firewall blocks can be wrapped inside a protocol that the firewall does not block, such as HTTP. If the firewall does not exclude this kind of wrapping, the technique can be used to evade the firewall's policy.
Another HTTP-based tunneling method uses the HTTP CONNECT method. The client sends an HTTP CONNECT command to the proxy server; the proxy then establishes a TCP connection to the specified server:port and relays data between that server:port and the client connection. Because this creates a security hole, HTTP proxies that allow CONNECT usually restrict the CONNECT command, typically permitting only HTTPS services over TLS/SSL.
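As an added example (not code from the original article), the following Python shows the CONNECT exchange from the proxy's side: parsing the request line, applying the usual restriction described above, and then relaying bytes opaquely once a 200 response has been sent. The relay phase is the same byte-copying that any port forwarder performs, which is why a proxy must decide before it starts. The allowed-port policy (only 443, the HTTPS port) and the loopback demo data are constructed for this example; the regular expression accepts the "CONNECT host:port HTTP/1.x" request line defined in RFC 7231.

```python
import re
import selectors
import socket
import threading

# Constructed policy for this example: only CONNECT to port 443 (HTTPS) is accepted.
ALLOWED_PORTS = frozenset({443})

# Request line: "CONNECT host:port HTTP/1.x", host may be a name or a bracketed IPv6 literal.
_REQUEST_LINE = re.compile(rb"^CONNECT ([A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5}) HTTP/1\.[01]\r\n")


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request, or None if the request line is malformed."""
    m = _REQUEST_LINE.match(request)
    if m is None:
        return None
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    if not 0 < port < 65536:
        return None
    return host, port


def decide(request: bytes, allowed_ports=ALLOWED_PORTS):
    """Apply the proxy's CONNECT policy.

    Returns (target, status_line): target is (host, port) when the tunnel may be
    opened and None otherwise; status_line is the HTTP response to send back.
    """
    target = parse_connect(request)
    if target is None:
        return None, b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if target[1] not in allowed_ports:
        return None, b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return target, b"HTTP/1.1 200 Connection Established\r\n\r\n"


def relay(a: socket.socket, b: socket.socket, bufsize: int = 4096) -> int:
    """Copy bytes both ways until one side closes; returns the number of bytes relayed.

    After the 200 response the proxy no longer interprets the stream at all,
    which is the reason CONNECT targets are restricted before this point.
    """
    total = 0
    with selectors.DefaultSelector() as sel:
        sel.register(a, selectors.EVENT_READ, b)
        sel.register(b, selectors.EVENT_READ, a)
        while True:
            for key, _ in sel.select():
                data = key.fileobj.recv(bufsize)
                if not data:
                    return total
                key.data.sendall(data)
                total += len(data)


def handle_client(client: socket.socket, allowed_ports=ALLOWED_PORTS) -> None:
    """Serve one proxy connection: read the CONNECT request, enforce policy, then relay."""
    request = b""
    while b"\r\n\r\n" not in request:
        chunk = client.recv(4096)
        if not chunk:
            client.close()
            return
        request += chunk
    target, status = decide(request, allowed_ports)
    if target is None:
        client.sendall(status)  # refused: the client never gets a raw TCP path
        client.close()
        return
    with socket.create_connection(target) as upstream:
        client.sendall(status)
        relay(client, upstream)
    client.close()


def loopback_demo():
    """Exercise relay() over local socket pairs with no network access.

    Returns (bytes the server saw, bytes the client saw, total relayed).
    """
    client, proxy_a = socket.socketpair()
    proxy_b, server = socket.socketpair()
    counted = []
    worker = threading.Thread(target=lambda: counted.append(relay(proxy_a, proxy_b)))
    worker.start()
    client.sendall(b"hello")   # constructed client-to-server data
    to_server = server.recv(4096)
    server.sendall(b"world!")  # constructed server-to-client data
    to_client = client.recv(4096)
    client.close()             # closing one end ends the relay
    worker.join()
    for s in (proxy_a, proxy_b, server):
        s.close()
    return to_server, to_client, counted[0]


if __name__ == "__main__":
    print(decide(b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"))
    print(decide(b"CONNECT example.com:22 HTTP/1.1\r\n\r\n"))
    print(loopback_demo())
```

Note that the policy check is on the requested port only; a production proxy would also check the destination host against its own rules and log refused CONNECT attempts, since those are the visible trace of the wrapping technique described above.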
References
- [1] C. Perkins, "IP Encapsulation within IP", RFC 2003, October 1996
- [2] W. Townsley et al., "Layer Two Tunneling Protocol 'L2TP'", RFC 2661, August 1999
- [3] K. Hamzeh et al., "Point-to-Point Tunneling Protocol (PPTP)", RFC 2637, July 1999