[ENG] VPN: Tunnelling and Security Services

Tunneling refers to the “technology enabling one network to send its data via another network’s connections. Tunneling works by encapsulating a network protocol within packets carried by the second network.” (CNSSI 4009-2015) For example, the tunneling protocol PPTP uses GRE to encapsulate payload protocols (e.g., IP, IPX, NetBEUI) and transmits those payloads through the delivery protocol, IP.

NIST SP 800-113 defines full and split tunneling as follows:

  • Full tunneling is “a method that causes all network traffic to go through the tunnel to the organization.”
  • Split tunneling is “the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices, and simultaneously, access uncontrolled networks.”
[Figure: Full vs. split tunneling]

NIST SP 800-77 Rev. 1 defines transport and tunnel mode as follows:

  • Transport mode is “an IPsec mode that does not create an additional IP header for each protected packet.”
  • Tunnel mode is “an IPsec mode that creates an additional outer IP header for each protected packet.”
[Figure: IPsec protocols and modes]

A virtual private network (VPN) connects private networks over a public network by using tunneling protocols and by providing security services (e.g., authentication, key exchange, encryption, data integrity, and authenticity of data origin). L2F, PPTP, L2TP, and SSTP are examples of tunneling protocols used in VPNs.

  • L2F provides no security services.
  • PPTP encapsulates PPP packets using GRE and encrypts traffic using MPPE.
  • L2TP typically partners with AH or ESP in IPsec (L2TP/IPsec) to provide security services.
  • SSTP transports PPP traffic through an SSL/TLS channel.
[Figure: VPN]