Secure Socket Tunneling Protocol

Not to be confused with Simple Symmetric Transport Protocol.

Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key-negotiation, encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers except for authenticated web proxies.[1]

SSTP servers must be authenticated during the SSL/TLS phase. SSTP clients can optionally be authenticated during the SSL/TLS phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP.

SSTP is available for Linux, BSD, and Windows.[2]

SoftEther VPN Server, a cross-platform open-source VPN server, also supports SSTP as one of its multi-protocol capability.

Similar functionality can be obtained by using open-source solutions like OpenVPN, however on Windows a third party client software must be installed due to the lack of native built-in VPN client.

For Windows, SSTP is available on Windows Vista SP1 and later, in RouterOS, and in SEIL since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with Winlogon or smart card authentication, remote access policies and the Windows VPN client.[3] The protocol is also used by Windows Azure for Point-to-Site Virtual Network.[4]

SSTP was intended only for remote client access, it generally does not support site-to-site VPN tunnels.[5]

SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem"[6][7]

Packet structure

The following header structure is common to all types of SSTP packets:[8]

SSTP Header
Bit offset Bits 0–7 8–14 15 16–31
0 Version Reserved C Length
32+  
Data
 
  • Reserved (4 bits) reserved for future use.
  • Length (12 bits) contains the length of the entire SSTP packet, including the SSTP header.

Control message

The data field of the SSTP header contains an SSTP control message only when the header's Control bit C is set.

SSTP Control Message
Bit offset Bits 0–15 16–31
0 Message Type Attributes Count
32+  
Attributes
 

See also

References

  1. Jain, Samir (2007-01-17). "SSTP FAQ - Part 2: Client Specific". Microsoft TechNet. Retrieved 2015-10-17.
  2. "SSTP-Client". 2011-09-17. Retrieved 2015-10-17.
  3. Tulloch, Mitch (2008-01-22). "SSTP Makes Secure Remote Access Easier". Retrieved 2015-10-17.
  4. McGuire, Cheryl (2015-08-11). "Configure a point-to-site VPN connection to an Azure Virtual Network". Retrieved 2015-10-17.
  5. Jain, Samir (2007-01-10). "SSTP FAQ - Part 1: Generic". Retrieved 2015-10-17.
  6. Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Retrieved 2015-10-17.
  7. Honda, Osamu; Ohsaki, Hiroyuki; Imase, Makoto; Ishizuka, Mika; Murayama, Junichi (October 2005). "Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency". doi:10.1117/12.630496. Retrieved 2015-10-17.
  8. "MS-SSTP: Secure Socket Tunneling Protocol (SSTP)". Microsoft TechNet. 2015-10-16. Retrieved 2015-10-17.

External links

This article is issued from Wikipedia - version of the 9/15/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.