Network Engineering #8 - Tunneling

Last Edited: 10/10/2024

This blog post introduces the concept of tunneling.


Tunneling is a technique for carrying communication between clients and servers through an intermediary server, so that the traffic can be kept private (anonymous) and secure. In this article, we will cover several methods of tunneling and their use cases.

TCP Tunneling

In TCP tunneling, the client's requests are encapsulated inside an outer TCP connection. That outer connection goes to the intermediary server, which decapsulates each request and forwards it to the destination server. The intermediary then encapsulates the destination server's response and sends it back to the client through the same outer TCP connection.

To a firewall or an ISP proxy, the client appears to be communicating only with the intermediary server, so the tunnel lets clients reach services on a remote network that would otherwise be blocked. Specifically, TCP tunneling can be used to establish local port forwarding tunnels, where a local port acts as the entrance to a tunnel that leads to the blocked service, and reverse port forwarding tunnels, where the server sets up a tunnel to expose services running locally.

Moreover, TCP tunneling can be used for SOCKS proxy tunneling or dynamic port tunneling, where all the network connections made from the client go through a remote server that makes requests to the destination server on behalf of the client. SOCKS is a layer 5 protocol that can support any layer 5+ protocol that uses TCP (SOCKS5 also supports UDP), such as HTTP and SSH. A SOCKS proxy can be set up as a tunnel to make any type of request using any higher-level protocol. Unlike local port forwarding, SOCKS proxies allow you to specify any destination directly.

TCP Meltdown

While TCP tunneling may seem to work flawlessly at first glance, it runs into trouble with congestion control and ordering when one TCP connection is encapsulated inside another, a situation called TCP-over-TCP tunneling. TCP's congestion control is designed on the assumption that the underlying protocol is unreliable and does not guarantee packet order. When the underlying protocol is itself TCP, the two connections' retransmission and congestion-control mechanisms interfere with each other, leading to a phenomenon called TCP meltdown.

[Figure: TCP Meltdown]

The figure above illustrates TCP meltdown. Ideally, packets are encapsulated and decapsulated cleanly, as with packet #1. Inevitably, though, some packets, like packet #2, are lost. When this happens, both the inner and the outer TCP retransmission mechanisms react, so the client ends up resending the same packet twice. The extra retransmissions delay subsequent packets such as #3, and the effect cascades and worsens with each further loss. For this reason, TCP-over-TCP tunneling is typically avoided in VPNs and similar systems. (VPNs often run TCP over UDP instead, but the details are beyond the scope of this article.)

SSH Tunneling

SSH tunneling uses a publicly reachable SSH server to establish local and remote port forwarding, allowing access to a remote server or making a remote server publicly available. SSH tunnels generally do not suffer from TCP meltdown, because the SSH server opens its own TCP connection to the destination on the client's behalf rather than encapsulating the client's TCP packets, so there are not two TCP connections stacked on top of each other. Additionally, SSH provides encryption and authentication (as described in the article Network Engineering #6 - SSH), making tunneling generally more secure.

HTTP CONNECT

HTTP CONNECT is an HTTP method that directs a proxy to establish an end-to-end TCP connection between the client and the server. Once the connection is established, the proxy simply relays bytes between the client and the server without interpreting them, effectively creating an HTTP tunnel. The TLS handshake is therefore also end-to-end, unlike with TLS forward proxies, which perform two handshakes and end up holding two separate secrets. This method is secure and efficient, though some advanced load-balancing features are unavailable because the proxy cannot see the tunneled traffic. HTTP CONNECT also supports protocols that require end-to-end communication, such as WebSockets, which are not usually available through ordinary HTTP proxies.
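The exchange described above, as an added example that is not part of the original post: a minimal CONNECT proxy, an echo server standing in for the destination, and the client that opens the tunnel, all constructed on loopback. The function names, ALLOWED_PORTS and the echo server are assumptions of this example; the allowlist is there because a proxy that relays CONNECT to any port acts as an open relay.

```python
import socket
import threading
from contextlib import suppress

# Constructed for this example (not the post's code): a CONNECT proxy and an echo server on loopback.
ALLOWED_PORTS = {443}  # a proxy that relays to any port is an open relay, so restrict targets

def read_head(sock):  # read through the blank line that ends an HTTP head -> (head, leftover)
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    head, _, leftover = buf.partition(b"\r\n\r\n")
    return head, leftover

def pipe(src, dst):  # relay bytes one way until EOF, never inspecting them (TLS stays end-to-end)
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)  # pass the EOF along to the other side

def proxy_handler(client):
    head, leftover = read_head(client)
    parts = head.split(b"\r\n", 1)[0].split()  # request line: CONNECT host:port HTTP/1.x
    host, _, port = parts[1].rpartition(b":") if len(parts) == 3 else (b"", b"", b"")
    if parts[:1] != [b"CONNECT"] or not port.isdigit() or int(port) not in ALLOWED_PORTS:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        return client.close()
    upstream = socket.create_connection((host.decode(), int(port)))
    client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    upstream.sendall(leftover)  # anything the client sent before waiting for the 200
    threading.Thread(target=pipe, args=(upstream, client), daemon=True).start()
    pipe(client, upstream)

def serve(handler):  # listen on 127.0.0.1 at an ephemeral port, one handler thread per connection
    srv = socket.create_server(("127.0.0.1", 0))
    def accept_loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def connect_through_proxy(proxy_port, host, port, payload):  # client side of the exchange
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % ((host.encode(), port) * 2))
        head, data = read_head(s)
        status = int(head.split()[1])
        if status == 200:  # tunnel open: bytes sent now reach the destination untouched
            s.sendall(payload)
            while len(data) < len(payload) and (chunk := s.recv(4096)):
                data += chunk
        return status, data
```

To try it, start the destination with `serve(lambda c: pipe(c, c))`, add the returned port to `ALLOWED_PORTS`, start `serve(proxy_handler)`, and call `connect_through_proxy` with the proxy's port; a CONNECT to a port outside the allowlist comes back as 403.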

Conclusion

In this article, we covered how TCP tunneling works, what it is used for, and how it poses a risk of TCP meltdown when TCP-over-TCP tunneling is established. We also discussed how SSH tunneling can achieve the same objectives without TCP meltdown while providing encryption and authentication. Finally, we covered HTTP CONNECT, a method that creates an HTTP tunnel and enables end-to-end communication between a client and a server. There are many other topics we did not cover (SMTP, SOCKS in more depth, IPsec, VPNs, and so on), but I hope this article and this series have given you a better understanding of tunneling and the basics of networking.
