In the data communications lexicon, a tunnel is a passageway through a network. Tunneling allows a non-native protocol to be transported over a native network.
Tunneling can be performed at a number of levels in the protocol stack and many types of “alien” protocols can be tunneled through a TCP/IP network. The tunneling can take place at the Internet Layer or the Transport Layer. In either case, a tunneling protocol header is added to the native protocol.
Tunneling requires a pair of tunneling routers, one at each end of the tunnel. The addressing employed in the native protocol identifies the other router of the tunneling pair. When the alien protocol exits the native network, all traces of the tunnel are gone. The choice of tunneling protocols will determine the native protocol layer used.
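As an added example that is not part of the original text, the encapsulation described above carried out in Python with GRE over IPv4 (RFC 2784) as the tunneling protocol, an assumption since the text names no specific protocol; the router addresses and the IPX payload are constructed samples, and the exit router validates the outer headers before stripping them so that a malformed packet is rejected rather than forwarded.

```python
import struct
import ipaddress

# Tunnel endpoints: constructed sample addresses from the RFC 5737 documentation ranges.
REMOTE_ROUTER = "192.0.2.1"
VPN_ACCESS_ROUTER = "198.51.100.1"
IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE (RFC 2784)
GRE_PROTO_IPX = 0x8137    # GRE protocol type (Ethertype) of Novell IPX, the "alien" protocol here

def ipv4_checksum(header):
    """One's-complement sum over the header; returns 0 when verifying a header whose checksum is filled in."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header addressed from one tunneling router to the other."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def encapsulate(inner_packet, tunnel_src, tunnel_dst, inner_proto):
    """Tunnel entry: prepend the GRE header, then an outer IPv4 header naming the peer router."""
    gre = struct.pack("!HH", 0, inner_proto)   # flags/version all zero: no checksum, key or sequence
    body = gre + inner_packet
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(body)) + body

def decapsulate(outer_packet):
    """Tunnel exit: validate the outer headers, strip them, and return (inner protocol, inner packet)."""
    ihl = (outer_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", outer_packet[2:4])[0]
    if outer_packet[0] >> 4 != 4 or ihl < 20 or len(outer_packet) != total_len:
        raise ValueError("malformed or truncated outer IPv4 packet")
    if ipv4_checksum(outer_packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if outer_packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre_flags, inner_proto = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if gre_flags != 0:     # base RFC 2784 header only: reject option bits and non-zero versions
        raise ValueError("unsupported GRE flags or version")
    return inner_proto, outer_packet[ihl + 4:]

if __name__ == "__main__":
    ipx = b"constructed IPX packet from the remote LAN"     # constructed sample payload
    outer = encapsulate(ipx, REMOTE_ROUTER, VPN_ACCESS_ROUTER, GRE_PROTO_IPX)
    assert decapsulate(outer) == (GRE_PROTO_IPX, ipx)       # no trace of the tunnel remains
    print(f"outer packet: {len(outer)} bytes, inner packet recovered intact")
```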
Establishing a Tunnel: Activation Features
The agreements concerning a tunnel extend past the tunneling routers to the host corporate network and the remote network users. The structure of those agreements can be explored during the sequence of tunnel activation. The following steps identify the features of the tunneling agreements.
- Due to traffic generated on a remote LAN (or during router start-up), the remote router initiates contact with a VPN access router. If the routers are provisioned correctly, the remote router is authenticated. Passwords, secure IDs, and calling party identification are all authentication mechanisms. The VPN access router might consult authentication servers within the VPN or in the customer’s network.
- If the authentication is successful, a corporate/user profile is retrieved for the remote user. This profile identifies the protocols, tunnel destination, and possibly the attributes the tunneling routers will employ.
- Once the profile is determined and the tunnel destination is known, the actual tunnel is created. In the accompanying visual, the tunnel begins at the remote router and includes the VPN access router. Another option is to form a tunnel from the VPN access router to the corporate VPN router, transparent to the remote and corporate routers. In either case, the tunnel is established, and all mechanisms are in place to pass traffic from the remote locations to the corporate network. At this point, encryption and accounting features are also activated.
- Finally, end-to-end (user-to-network) communications are possible. Now, user authentication might take place, allowing the users to access the corporate network resources. From the remote users’ perspective, the tunnel and the VPN routers are transparent.