Secure Socket Tunneling Protocol: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 20:47, 5 June 2016 edit Dcirovic (talk \| contribs) Autopatrolled, Extended confirmed users, Pending changes reviewers, Rollbackers 253,275 edits m →top: refs using AWB ← Previous edit		Latest revision as of 03:18, 11 August 2025 edit undo Bender the Bot (talk \| contribs) Bots 1,064,377 edits m HTTP to HTTPS for SourceForge Tag: AWB
(38 intermediate revisions by 32 users not shown)
Line 1: {{short description\|Form of virtual private network tunnel}} {{distinguish\|Simple Symmetric Transport Protocol}} {{Infobox technology standard '''Secure Socket Tunneling Protocol''' (SSTP) is a form of [[Virtual private network\|VPN]] tunnel that provides a mechanism to transport [[Point-to-Point Protocol\|PPP]] or {{citation needed span\|text=[[Layer 2 Tunneling Protocol\|L2TP]]\|date=May 2016}} traffic through an [[Transport Layer Security\|SSL]]/[[Transport Layer Security\|TLS]] channel. SSL/TLS provides transport-level security with key-negotiation, [[encryption]] and traffic integrity checking. The use of SSL/TLS over [[Transmission Control Protocol\|TCP]] port 443 allows SSTP to pass through virtually all [[Firewall (computing)\|firewalls]] and [[proxy server]]s except for authenticated web proxies.<ref>{{cite web▼ \| title = SSTP \| long_name = Secure Socket Tunneling Protocol \| image = \| image_size = \| alt = \| caption = \| abbreviation = \| native_name = <!-- Name in local language. If more than one, separate using {{plain list}} --> \| native_name_lang = <!-- ISO 639-1 code e.g. "fr" for French. If more than one, use {{lang}} inside native_name items instead --> \| status = \| year_started = 2007 \| first_published = {{Start date\|2007\|02\|22\|df=y}} \| version = \| version_date = \| preview = \| preview_date = \| organization = [[Microsoft]] \| committee = \| series = \| editors = \| authors = \| base_standards = MS-SSTP \| related_standards = \| predecessor = \| successor = \| ___domain = \| license = \| copyright = \| website = <!-- {{URL\|https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/}} --> }} In [[computer networking]], '''Secure Socket Tunneling Protocol''' ('''SSTP''') is a form of [[virtual private network]] (VPN) tunnel that provides a mechanism to transport [[Point-to-Point Protocol]] (PPP) traffic through an [[Transport Layer Security\|SSL/TLS]] channel. ==Protocol== ▲'''Secure Socket Tunneling Protocol''' (SSTP) is a form of [[Virtual private network\|VPN]] tunnel that provides a mechanism to transport [[Point-to-Point Protocol\|PPP]] or {{citation needed span\|text=[[Layer 2 Tunneling Protocol\|L2TP]]\|date=May 2016}} traffic through an [[Transport Layer Security\|SSL]]/[[Transport Layer Security\|TLS]] channel. SSL/TLS provides transport-level security with key- negotiation, [[encryption]] and traffic integrity checking. The use of SSL/TLS over [[Transmission Control Protocol\|TCP]] port 443 (by default; port can be changed) allows SSTP to pass through virtually all [[~~Firewall~~firewall (computing)\|firewalls]] and [[proxy server]]s except for authenticated web proxies.<ref>{{cite web \| url=http://blogs.technet.com/b/rrasblog/archive/2007/01/17/sstp-faq-part-2-client-specific.aspx \| title=SSTP FAQ - Part 2: Client Specific Line 9 ⟶ 44: \| accessdate=2015-10-17}}</ref> SSTP servers must be [[authentication\|authenticated]] during the SSL/TLS phase. SSTP clients can optionally be authenticated during the SSL/TLS phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as [[EAP-TLS]] and [[MS-CHAP]]. SSTP is available for [[Linux]], [[BSD]], and [[Windows]].<ref>{{cite web \| url=~~http~~https://sstp-client.sourceforge.net/ \| title=SSTP-Client \| date=2011-09-17 \| accessdate=2015-10-17}}</ref> ~~[[MikroTik]]'s RouterOS also includes an SSTP client and server.~~ ~~For~~SSTP ~~Windows,~~was introduced in 2007<ref>{{Cite web \|date=2022-11-04 \|title=[MS-SSTP]: isSecure Socket Tunneling Protocol (SSTP) \|url=https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/c50ed240-56f3-4309-8e0c-1644898f0ea8 \|access-date=2024-08-30 \|website=learn.microsoft.com \|language=en-us}}</ref> and available on [[Windows Vista SP1]] and later, in [[MikroTik\|RouterOS]] since version 5.0, and in [[IIJ SEIL\|SEIL]] since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with [[Winlogon]] or [[smart -card]] authentication, remote -access policies and the Windows VPN client.<ref>{{cite web▼ ~~[[SoftEther VPN]] Server, a cross-platform open-source VPN server, also supports SSTP as one of its multi-protocol capability.~~ ~~Similar functionality can be obtained by using open-source solutions like [[OpenVPN]], however on Windows a third party client software must be installed due to the lack of native built-in VPN client.~~ ▲For Windows, SSTP is available on [[Windows Vista SP1]] and later, in [[RouterOS]], and in [[IIJ SEIL\|SEIL]] since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with [[Winlogon]] or [[smart card]] authentication, remote access policies and the Windows VPN client.<ref>{{cite web \| url=http://www.biztechmagazine.com/article/2008/01/sstp-makes-secure-remote-access-easier \| title=SSTP Makes Secure Remote Access Easier Line 35 ⟶ 66: \| accessdate=2015-10-17}}</ref> SSTP ~~was~~is intended only for remote client access, it generally does not support site-to-site VPN tunnels.<ref>{{cite web \|last=Jain \|first=Samir \|date=2007-01-10 \|title=SSTP FAQ - Part 1: Generic \|url=http://blogs.technet.com/b/rrasblog/archive/2007/01/10/sstp-faq-part-1-generic.aspx \|url-status=dead \|archive-url=https://web.archive.org/web/20101012205841/http://blogs.technet.com/b/rrasblog/archive/2007/01/10/sstp-faq-part-1-generic.aspx \|archive-date=2010-10-12 \|website=TechNet Blogs \|accessdate=}}</ref> ~~\| url=http://blogs.technet.com/b/rrasblog/archive/2007/01/10/sstp-faq-part-1-generic.aspx~~ ~~\| title=SSTP FAQ - Part 1: Generic~~ ~~\| date=2007-01-10~~ ~~\| first=Samir~~ ~~\| last=Jain~~ ~~\| accessdate=2015-10-17}}</ref> The RouterOS version has no such restrictions.~~ SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. ~~This~~due ~~is known as~~to the "[[TCP meltdown problem"]].<ref>{{cite web \| url=http://sites.inka.de/bigred/devel/tcp-tcp.html \| title=Why TCP Over TCP Is A Bad Idea Line 49 ⟶ 74: \| last=Titz \| date=2001-04-23 \| accessdate=2015-10-17}}</ref><ref>{{cite ~~web~~conference \| ~~url~~bibcode=~~http://adsabs.harvard.edu/abs/~~2005SPIE.6011..138H \| title=Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency \|author1=Honda, Osamu \|~~author2~~book-title=~~Ohsaki~~Performance, ~~Hiroyuki~~Quality ~~\|author3=Imase~~of Service, ~~Makoto~~and ~~\|author4=Ishizuka,~~Control ~~Mika~~of ~~\|author5=Murayama,~~Next-Generation ~~Junichi~~Communication \|and ~~date=October~~Sensor Networks ~~2005~~III \| volume=6011 \| page=60110H \|author2=Ohsaki, Hiroyuki \|author3=Imase, Makoto \|author4=Ishizuka, Mika \|author5=Murayama, Junichi \| s2cid=8945952 \| editor2-first=Sergey I \| editor2-last=Balandin \| editor1-first=Mohammed \| editor1-last=Atiquzzaman \| date=October 2005 \| doi=10.1117/12.630496 ~~\| accessdate=2015-10-17~~}}</ref> SSTP supports user authentication only; it does not support device authentication or computer authentication. == Packet structure == Line 66 ⟶ 101: {\| class="wikitable" style="text-align :center" \|+SSTP ~~Header~~header \|- ! ~~colspan="1" width="9%"\|~~ Bit offset !! colspan="8~~" width="22%~~"\| Bits 0–7 !! colspan="7~~" width="19%~~"\| 8–14 !! ~~colspan="1" width="3%"\|~~ 15 !! colspan="16~~" width="44%~~"\| 16–31 \|- ! 0 \| ~~'''0''' \|\|~~ colspan="8"\| Version \|\| colspan="7"\| Reserved \|\| colspan="1"\| C \|\| colspan="16"\| Length \|- ! 32+ ~~\| '''32+''' \|\| colspan="32"\|  <br />Data<br /> ~~ \| colspan="32"\| Data \|} * Version (8 bits) – communicates and negotiates the version of SSTP that is used. * Reserved (7 bits) – reserved for future use. * C (1 bit) – ~~Control~~control bit indicating whether the SSTP packet represents an SSTP control packet or an SSTP data packet. This bit is set if the SSTP packet is a control packet. * Length (16 bits) – packet length field, composed of two values: a Reserved portion and a Length portion. :* Reserved (4 bits) – reserved for future use. :* Length (12 bits) – contains the length of the entire SSTP packet, including the SSTP header. * Data (variable) – when ~~Control~~control bit C is set, this field contains an SSTP control message. Otherwise, the data field would contain a higher -level protocol. At the moment, this can only be [[Point-to-Point Protocol\|PPP]]. === Control message === Line 88 ⟶ 125: {\| class="wikitable" style="text-align:center" \|+SSTP ~~Control~~control ~~Message~~message \|- ! ~~colspan="1" width="10%"\|~~ Bit offset !! colspan="16~~" width="45%~~"\| Bits 0–15 !! colspan="16~~" width="45%~~"\| 16–31 \|- ! 0 \| ~~'''0''' \|\|~~ colspan="16"\| Message ~~Type~~type \|\| colspan="16"\| Attributes ~~Count~~count \|- !32+ ~~\| '''32+''' \|\| colspan="32"\|  <br />Attributes<br /> ~~ \|colspan="32"\| Attributes \|} * Message ~~Type~~type (16 bits) – specifies the type of SSTP control message being communicated. This dictates the number and types of attributes that can be carried in the SSTP control packet. * Attributes ~~Count~~count (16 bits) – specifies the number of attributes appended to the SSTP control message. * Attributes (variable) – contains a list of attributes associated with the SSTP control message. The number of attributes is specified by the Attributes ~~Count~~count field. ==See also== Line 109 ⟶ 148: * [[PPTP]] * [[SoftEther VPN]], an open-source VPN server program which supports SSTP-VPN protocol. * [[WireGuard]] ==References== Line 114 ⟶ 154: ==External links== [https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/c50ed240-56f3-4309-8e0c-1644898f0ea8 <nowiki>[MS-SSTP]: Secure Socket Tunneling Protocol (SSTP)</nowiki>] by [[Microsoft Open Specification Promise]] [http://blogs.technet.com/rrasblog/archive/tags/SSTP/default.aspx RRAS Technet Blog] [http://www.techworld.com/networking/news/index.cfm?newsID=7814&pagtype=all Microsoft develops new tunneling protocol] [~~http~~https://blogs.technet.microsoft.com/rrasblog~~/archive~~/2007/01/10/how-sstp-based-vpn-connection-works~~.aspx~~/ How SSTP based VPN connection works] [http://wiki.mikrotik.com/wiki/SSTP Configuring SSTP in RouterOS] [http://www.hsc.fr/ressources/outils/sstoper/index.html.en HSC's SSTP Client for Linux] [~~http~~https://sstp-client.sourceforge.net/ SSTP Client for Linux] [http://www.mikrotik.com/software.html RouterOS] {{VPN}}