Secure Socket Tunneling Protocol: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 07:37, 23 April 2015 edit I dream of horses (talk \| contribs) Autopatrolled, Extended confirmed users, Page movers, New page reviewers, Pending changes reviewers, Rollbackers 572,256 edits m Reverted edits by 212.185.199.2 (talk): Violation of external links policy (HG) ← Previous edit		Latest revision as of 03:18, 11 August 2025 edit undo Bender the Bot (talk \| contribs) Bots 1,064,377 edits m HTTP to HTTPS for SourceForge Tag: AWB
(43 intermediate revisions by 37 users not shown)
Line 1: {{short description\|Form of virtual private network tunnel}} {{distinguish\|Simple Symmetric Transport Protocol}} {{Infobox technology standard '''Secure Socket Tunneling Protocol''' (SSTP) is a form of [[Virtual private network\|VPN]] tunnel that provides a mechanism to transport [[Point-to-Point Protocol\|PPP]] or [[Layer 2 Tunneling Protocol\|L2TP]] traffic through an [[Transport Layer Security\|SSL]] 3.0 channel. SSL provides transport-level security with key-negotiation, [[encryption]] and traffic integrity checking. The use of SSL over [[Transmission Control Protocol\|TCP]] port 443 allows SSTP to pass through virtually all [[Firewall (computing)\|firewalls]] and [[proxy server]]s except for authenticated web proxies.<ref>[http://blogs.technet.com/b/rrasblog/archive/2007/01/17/sstp-faq-part-2-client-specific.aspx SSTP FAQ - Part 2: Client Specific]</ref> \| title = SSTP \| long_name = Secure Socket Tunneling Protocol \| image = \| image_size = \| alt = \| caption = \| abbreviation = \| native_name = <!-- Name in local language. If more than one, separate using {{plain list}} --> \| native_name_lang = <!-- ISO 639-1 code e.g. "fr" for French. If more than one, use {{lang}} inside native_name items instead --> \| status = \| year_started = 2007 \| first_published = {{Start date\|2007\|02\|22\|df=y}} \| version = \| version_date = \| preview = \| preview_date = \| organization = [[Microsoft]] \| committee = \| series = \| editors = \| authors = \| base_standards = MS-SSTP \| related_standards = \| predecessor = \| successor = \| ___domain = \| license = \| copyright = \| website = <!-- {{URL\|https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/}} --> }} In [[computer networking]], '''Secure Socket Tunneling Protocol''' ('''SSTP''') is a form of [[virtual private network]] (VPN) tunnel that provides a mechanism to transport [[Point-to-Point Protocol]] (PPP) traffic through an [[Transport Layer Security\|SSL/TLS]] channel. ==Protocol== SSTP servers must be [[authentication\|authenticated]] during the SSL phase. SSTP clients can optionally be authenticated during the SSL phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as [[EAP-TLS]] and [[MS-CHAP]]. SSL/TLS provides transport-level security with key negotiation, [[encryption]] and traffic integrity checking. The use of SSL/TLS over [[Transmission Control Protocol\|TCP]] port 443 (by default; port can be changed) allows SSTP to pass through virtually all [[firewall (computing)\|firewalls]] and [[proxy server]]s except for authenticated web proxies.<ref>{{cite web \| url=http://blogs.technet.com/b/rrasblog/archive/2007/01/17/sstp-faq-part-2-client-specific.aspx \| title=SSTP FAQ - Part 2: Client Specific \| first=Samir \| last=Jain \| date=2007-01-17 \| publisher=[[Microsoft TechNet]] \| accessdate=2015-10-17}}</ref> SSTP servers must be [[authentication\|authenticated]] during the SSL/TLS phase. SSTP clients can optionally be authenticated during the SSL/TLS phase and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as [[EAP-TLS]] and [[MS-CHAP]]. ~~SSTP is available for [[Linux]], [[BSD]], and [[Windows]].<ref>[http://sourceforge.net/projects/sstp-client/ SSTP Client Project]</ref> [[MikroTik]]'s RouterOS also includes an SSTP client and server.~~ SSTP is available for [[Linux]], [[BSD]], and [[Windows]].<ref>{{cite web ~~[[SoftEther VPN]] Server, a cross-platform open-source VPN server, also supports SSTP as one of its multi-protocol capability.~~ \| url=https://sstp-client.sourceforge.net/ \| title=SSTP-Client \| date=2011-09-17 \| accessdate=2015-10-17}}</ref> SSTP was introduced in 2007<ref>{{Cite web \|date=2022-11-04 \|title=[MS-SSTP]: Secure Socket Tunneling Protocol (SSTP) \|url=https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/c50ed240-56f3-4309-8e0c-1644898f0ea8 \|access-date=2024-08-30 \|website=learn.microsoft.com \|language=en-us}}</ref> and available on [[Windows Vista SP1]] and later, in [[MikroTik\|RouterOS]] since version 5.0, and in [[IIJ SEIL\|SEIL]] since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with [[Winlogon]] or [[smart-card]] authentication, remote-access policies and the Windows VPN client.<ref>{{cite web ~~Similar functionality can be obtained by using open-source solutions like [[OpenVPN]].~~ \| url=http://www.biztechmagazine.com/article/2008/01/sstp-makes-secure-remote-access-easier \| title=SSTP Makes Secure Remote Access Easier \| first=Mitch \| last=Tulloch \| date=2008-01-22 \| accessdate=2015-10-17}}</ref> The protocol is also used by [[Windows Azure]] for Point-to-Site Virtual Network.<ref>{{cite web \| url=https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/ \| title=Configure a point-to-site VPN connection to an Azure Virtual Network \| first=Cheryl \| last=McGuire \| date=2015-08-11 \| accessdate=2015-10-17}}</ref> SSTP is intended only for remote client access, it generally does not support site-to-site VPN tunnels.<ref>{{cite web \|last=Jain \|first=Samir \|date=2007-01-10 \|title=SSTP FAQ - Part 1: Generic \|url=http://blogs.technet.com/b/rrasblog/archive/2007/01/10/sstp-faq-part-1-generic.aspx \|url-status=dead \|archive-url=https://web.archive.org/web/20101012205841/http://blogs.technet.com/b/rrasblog/archive/2007/01/10/sstp-faq-part-1-generic.aspx \|archive-date=2010-10-12 \|website=TechNet Blogs \|accessdate=}}</ref> For Windows, SSTP is available on [[Windows Vista SP1]] and later, in [[RouterOS]], and in [[IIJ SEIL\|SEIL]] since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with [[Winlogon]] or [[smart card]] authentication, remote access policies and the Windows VPN client.<ref>[http://biztechmagazine.com/article.asp?item_id=377 SSTP Makes Secure Remote Access Easier]</ref> The protocol is also used by [[Windows Azure]] for Point-to-Site Virtual Network.<ref>[http://msdn.microsoft.com/library/windowsazure/dn133792.aspx Configure a Point-to-Site VPN in the Management Portal]</ref> SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically due to the [[TCP meltdown problem]].<ref>{{cite web SSTP was intended only for remote client access, it generally does not support site-to-site VPN tunnels.<ref>[http://blogs.technet.com/rrasblog/archive/2007/01/10/sstp-faq-part-1-generic.aspx SSTP FAQ]</ref> The RouterOS version has no such restrictions. \| url=http://sites.inka.de/bigred/devel/tcp-tcp.html \| title=Why TCP Over TCP Is A Bad Idea \| first=Olaf \| last=Titz \| date=2001-04-23 \| accessdate=2015-10-17}}</ref><ref>{{cite conference \| bibcode=2005SPIE.6011..138H \|title=Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency \|author1=Honda, Osamu \|book-title=Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III \| volume=6011 \| page=60110H \|author2=Ohsaki, Hiroyuki \|author3=Imase, Makoto \|author4=Ishizuka, Mika \|author5=Murayama, Junichi \| s2cid=8945952 \| editor2-first=Sergey I \| editor2-last=Balandin \| editor1-first=Mohammed \| editor1-last=Atiquzzaman \| date=October 2005 \| doi=10.1117/12.630496 }}</ref> SSTP supports user authentication only; it does not support device authentication or computer authentication. SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem"<ref>[http://sites.inka.de/bigred/devel/tcp-tcp.html Why TCP Over TCP Is A Bad Idea]</ref><ref>[http://adsabs.harvard.edu/abs/2005SPIE.6011..138H Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency]</ref> == Packet structure == The following header structure is common to all types of SSTP packets:<ref>~~[http://msdn.microsoft.com/en-us/library/cc247338%28v=prot.10%29.aspx~~{{cite ~~MS-SSTP specification]</ref>~~web \| url=https://technet.microsoft.com/en-us/subscriptions/cc247338.aspx \| title=MS-SSTP: Secure Socket Tunneling Protocol (SSTP) \| date=2015-10-16 \| publisher=Microsoft TechNet \| accessdate=2015-10-17}}</ref> {\| class="wikitable" style="text-align :center" \|+SSTP ~~Header~~header \|- ! ~~colspan="1" width="9%"\|~~ Bit offset !! colspan="8~~" width="22%~~"\| Bits 0–7 !! colspan="7~~" width="19%~~"\| 8–14 !! ~~colspan="1" width="3%"\|~~ 15 !! colspan="16~~" width="44%~~"\| 16–31 \|- ! 0 ~~\| '''0''' \|\| colspan="8"\| Version \|\| colspan="7"\| Reserved \|\| colspan="1"\| C \|\| colspan="16"\| Length~~ \|colspan="8"\| Version \|\|colspan="7"\| Reserved \|\|colspan="1"\| C \|\|colspan="16"\| Length \|- ! 32+ ~~\| '''32+''' \|\| colspan="32"\|  <br />Data<br /> ~~ \| colspan="32"\| Data \|} * Version (8 bits) – communicates and negotiates the version of SSTP that is used. * Reserved (7 bits) – reserved for future use. * C (1 bit) – ~~Control~~control bit indicating whether the SSTP packet represents an SSTP control packet or an SSTP data packet. This bit is set if the SSTP packet is a control packet. * Length (16 bits) – packet length field, composed of two values: a Reserved portion and a Length portion. :* Reserved (4 bits) – reserved for future use. :* Length (12 bits) – contains the length of the entire SSTP packet, including the SSTP header. * Data (variable) – when ~~Control~~control bit C is set, this field contains an SSTP control message. Otherwise, the data field would contain a higher -level protocol. At the moment, this can only be [[Point-to-Point Protocol\|PPP]]. === Control message === Line 43 ⟶ 125: {\| class="wikitable" style="text-align:center" \|+SSTP ~~Control~~control ~~Message~~message \|- ! ~~colspan="1" width="10%"\|~~ Bit offset !! colspan="16~~" width="45%~~"\| Bits 0–15 !! colspan="16~~" width="45%~~"\| 16–31 \|- ! 0 ~~\| '''0''' \|\| colspan="16"\| Message Type \|\| colspan="16"\| Attributes Count~~ \|colspan="16"\| Message type \|\|colspan="16"\| Attributes count \|- !32+ ~~\| '''32+''' \|\| colspan="32"\|  <br />Attributes<br /> ~~ \|colspan="32"\| Attributes \|} * Message ~~Type~~type (16 bits) – specifies the type of SSTP control message being communicated. This dictates the number and types of attributes that can be carried in the SSTP control packet. * Attributes ~~Count~~count (16 bits) – specifies the number of attributes appended to the SSTP control message. * Attributes (variable) – contains a list of attributes associated with the SSTP control message. The number of attributes is specified by the Attributes ~~Count~~count field. ==See also== Line 64 ⟶ 148: * [[PPTP]] * [[SoftEther VPN]], an open-source VPN server program which supports SSTP-VPN protocol. * [[WireGuard]] ==References== Line 69 ⟶ 154: ==External links== [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/c50ed240-56f3-4309-8e0c-1644898f0ea8 <nowiki>[MS-SSTP]: Secure Socket Tunneling Protocol (SSTP)</nowiki>] by [[Microsoft Open Specification Promise]] [http://blogs.technet.com/rrasblog/archive/tags/SSTP/default.aspx RRAS Technet Blog] [http://www.techworld.com/networking/news/index.cfm?newsID=7814&pagtype=all Microsoft develops new tunneling protocol] [~~http~~https://blogs.technet.microsoft.com/rrasblog~~/archive~~/2007/01/10/how-sstp-based-vpn-connection-works~~.aspx~~/ How SSTP based VPN connection works] [http://wiki.mikrotik.com/wiki/SSTP Configuring SSTP in RouterOS] [http://www.hsc.fr/ressources/outils/sstoper/index.html.en HSC's SSTP Client for Linux] [~~http~~https://sstp-client.sourceforge.net/ SSTP Client for Linux] [http://www.mikrotik.com/software.html RouterOS] {{VPN}}