An IP tunnel is an Internet Protocol (IP) network communications channel between two networks. It is used to transport another network protocol by encapsulation of its packets.

IP tunnels are often used for connecting two disjoint IP networks that don't have a native routing path to each other, via an underlying routable protocol across an intermediate transport network. In conjunction with the IPsec protocol they may be used to create a virtual private network between two or more private networks across a public network such as the Internet. Another prominent use is to connect islands of IPv6 installations across the IPv4 Internet.

IP tunnelling encapsulation

In IP tunnelling, every IP packet, including addressing information of its source and destination IP networks, is encapsulated within another packet format native to the transit network.

At the borders between the source network and the transit network, as well as between the transit network and the destination network, gateways are used that establish the end-points of the IP tunnel across the transit network. Thus, the IP tunnel endpoints become native IP routers that establish a standard IP route between the source and destination networks. Packets arriving at these end-points from the transit network are stripped of the transit frame headers and trailers used by the tunnelling protocol, converted into native IP format, and injected into the IP stack of the tunnel endpoints. In addition, any other protocol encapsulations used during transit, such as IPsec or Transport Layer Security, are removed.

IP in IP, sometimes called ipencap, is an example of IP encapsulation within IP and is described in RFC 2003. Other variants of the IP-in-IP variety are IPv6-in-IPv4 (6in4) and IPv4-in-IPv6 (4in6).

IP tunneling often bypasses simple firewall rules transparently since the specific nature and addressing of the original datagrams are hidden. Content-control software is usually required to block IP tunnels.
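As an added example (not code from the article), the following Python sketch builds an RFC 2003 style IPv4-in-IPv4 packet, strips the outer header at the far gateway, and shows why a filter that reads only the outer header misses the real endpoints: it reports the tunnel addresses beside the addresses actually carried. Addresses and the UDP payload are constructed sample values.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4   # outer-header protocol number for IPv4-in-IPv4 (RFC 2003)
IPPROTO_UDP = 17

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry point: prepend an outer IPv4 header whose payload is the whole inner datagram."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(packet: bytes) -> bytes:
    """Tunnel exit point: check the outer header, strip it, and return the inner datagram."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if packet[9] != IPPROTO_IPIP:
        raise ValueError("outer protocol %d is not IP-in-IP" % packet[9])
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[ihl:total_len]

def addresses(packet: bytes) -> tuple:
    """(src, dst) as a filter that reads only the outer header would see them."""
    return (str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20])))

def inspect_tunnel(packet: bytes) -> dict:
    """Defender-side check: report the tunnel endpoints and the addresses actually carried."""
    inner = decapsulate(packet)
    return {"outer": addresses(packet), "inner": addresses(inner), "inner_proto": inner[9]}

# Constructed sample: a UDP datagram from 10.0.0.5 to 10.1.0.7 (both private) carried
# between tunnel gateways 192.0.2.1 and 198.51.100.1 (documentation addresses).
udp = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"query"
INNER = ipv4_header("10.0.0.5", "10.1.0.7", IPPROTO_UDP, len(udp)) + udp
TUNNELED = encapsulate(INNER, "192.0.2.1", "198.51.100.1")
```

A firewall that allows traffic between the two gateway addresses lets the private-to-private datagram through unseen; only `inspect_tunnel` (or equivalent content inspection) reveals it.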

History

The first specification of IP tunneling was in RFC 1075, which described DVMRP, the first IP multicast routing protocol. Because multicast used special IPv4 addresses, testing DVMRP required a way to get IP datagrams across portions of the Internet that did not yet recognize multicast addresses. This was solved by IP tunneling. The first approach to IP tunneling used an IP Loose Source Route and Record (LSRR) Option to hide the multicast address from the non-multicast-aware routers. A multicast-aware destination router would remove the LSRR option from the packet and restore the multicast IP address to the packet's IP destination field. The other approach in the DVMRP specification was IP in IP, as described above. IP in IP soon became the preferred approach, and was later put to use in the Mbone.

A Virtual Private Network (VPN) is a network architecture for virtually extending a private network (i.e., any computer network that is not a public Internet network) over one or more other networks that are either untrusted (since they are not controlled by the entity seeking to implement the VPN) or must be isolated (making the underlying network invisible or unsuitable for direct use).[1]

A VPN can extend access to a private network for users who do not have direct access to it, such as an office network, by providing secure access from outside through the Internet.[2] This is achieved by creating a connection between computing devices and computer networks using network tunneling protocols. Reliable VPN services must have a clear no-logging policy, meaning they do not store data about users' online activities; this is crucial for privacy, so the policy's fine print should be read carefully.[3]

A VPN can be made safe for use over an unsecured communication environment (e.g., the public Internet) by choosing a tunneling protocol that implements encryption.[4] The advantage of this type of VPN lies in reduced costs and greater flexibility regarding dedicated communication lines for remote employees. Whenever a VPN is intended to virtually extend a private network over a third-party untrusted environment, it is desirable that the chosen protocols comply with the following security model:

  • confidentiality to prevent disclosure of personal information or data interception, so that even if network traffic is intercepted at the packet level, an attacker will see only encrypted data, not raw data
  • message integrity to detect and reject any unauthorized interference with transmitted messages; data packets are protected against unauthorized modification using a message authentication code (MAC), so that any altered packet fails the MAC check and is rejected rather than accepted.
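As an added illustration of the integrity requirement (not code from the article or from any VPN product), the following sketch attaches a sequence number and an HMAC-SHA256 tag to each tunnel packet and rejects anything whose tag does not match or whose sequence number has already been accepted. The key, the 16-byte tag truncation and the replay window are assumptions for the demo, and the payload is assumed to be already encrypted by the tunnel cipher (encrypt-then-MAC), so confidentiality is not shown here.

```python
import hmac
import hashlib
import struct

TAG_LEN = 16  # assumed: tag truncated to 128 bits, as IPsec does with HMAC-SHA-256-128

class IntegrityTunnel:
    """Per-packet integrity for a tunnel: seq || payload || HMAC tag.
    The tag is checked before any state is touched, so an unauthenticated
    packet cannot move the replay window; a tampered packet is rejected."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key          # shared secret between the two tunnel endpoints (assumed)
        self.send_seq = 0
        self.highest = -1       # highest sequence number accepted so far
        self.seen = set()       # accepted sequence numbers inside the window
        self.window = window

    def protect(self, payload: bytes) -> bytes:
        """Sender side: prepend a monotonically increasing sequence number and append the tag."""
        self.send_seq += 1
        hdr = struct.pack("!Q", self.send_seq)
        tag = hmac.new(self.key, hdr + payload, hashlib.sha256).digest()[:TAG_LEN]
        return hdr + payload + tag

    def verify(self, packet: bytes) -> bytes:
        """Receiver side: return the payload, or raise ValueError if the packet must be dropped."""
        if len(packet) < 8 + TAG_LEN:
            raise ValueError("truncated packet")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("MAC mismatch: packet rejected")
        seq = struct.unpack("!Q", body[:8])[0]
        if seq in self.seen or seq <= self.highest - self.window:
            raise ValueError("replayed or stale sequence number")
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        # Forget sequence numbers that fell out of the window so the set stays bounded.
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return body[8:]
```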

VPNs are not designed to provide anonymity or unidentifiability of connecting users from the perspective of the untrusted environment provider. If a VPN uses protocols that provide such privacy features, their use may enhance user privacy by depriving the untrusted environment owner of access to confidential data transmitted through the VPN.[5]

The term VPN is also used to denote VPN services that sell access to their own private networks for Internet access, connecting their clients using VPN tunneling protocols.[6][7]

References

  1. "virtual private network (VPN)". csrc.nist.gov. Retrieved 2025-08-15.
  2. "What is a virtual private network (VPN)?". www.cisco.com. Retrieved 2025-08-15.
  3. "VPN Relationship: How Hidden Ties Hype Up VPN Brands". safepaper.io. Retrieved 2025-08-15.
  4. "VPN Encryption: Most Secure VPN Encryption Explained (Guide)". www.addictivetips.com. Retrieved 2025-08-15.
  5. "Defining Virtual Private Network (VPN)". www.rsinc.com. Retrieved 2025-08-15.
  6. "What is a VPN?". operavps.com. Retrieved 2025-08-15.
  7. "What is a VPN & how does it work?". incogni.com. Retrieved 2025-08-15.