Secure Socket Tunneling Protocol
Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel. SSL provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of SSL over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers.

SSTP servers must be authenticated during the SSL phase. SSTP clients can optionally be authenticated during the SSL phase, and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP.

SSTP is available only in Windows since Windows Vista SP1, in RouterOS, and in SEIL since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with Winlogon or smart card authentication, remote access policies and the Windows VPN client.

SSTP is only for remote client access; it does not support site-to-site VPN tunnels.

SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this condition is no longer met, performance falls off dramatically. This is known as the "TCP meltdown problem".

Header

The following header structure is common to all types of SSTP packets:
SSTP Header

  Bit offset | Bits 0–7 | 8–14     | 15 | 16–31
  0          | Version  | Reserved | C  | Length
  32+        | Data

  • Version (8 bits) – Communicates and negotiates the version of SSTP that is used.
  • Reserved (7 bits) – Reserved for future use.
  • C (1 bit) – Control bit indicating whether the SSTP packet represents an SSTP control packet or an SSTP data packet. This bit is set if the SSTP packet is a control packet.
  • Length (16 bits) – Packet length field, composed of two values: a Reserved portion and a Length portion.
      • Reserved (4 bits) – Reserved for future use.
      • Length (12 bits) – Contains the length of the entire SSTP packet, including the SSTP header.
  • Data (variable) – When Control bit C is set, this field contains an SSTP control message. Otherwise, the data field contains a higher-level protocol. At the moment, this can only be PPP.

Control Message

The data field of the SSTP header contains an SSTP control message only when the header's Control bit C is set.
SSTP Control Message

  Bit offset | Bits 0–15    | 16–31
  0          | Message Type | Attributes Count
  32+        | Attributes

  • Message Type (16 bits) – Specifies the type of SSTP control message being communicated. This dictates the number and types of attributes that can be carried in the SSTP control packet.
  • Attributes Count (16 bits) – Specifies the number of attributes appended to the SSTP control message.
  • Attributes (variable) – Contains a list of attributes associated with the SSTP control message. The number of attributes is specified by the Attributes Count field.
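To make the two layouts above concrete, here is an added parser written for this page (example code, not from the article or from any SSTP implementation). It unpacks the common header, validates the 12-bit length against the bytes actually received, and, when the C bit is set, unpacks the control-message header. The sample packet bytes are constructed for the example; the per-attribute encoding is not described on this page, so the attribute list is returned as raw bytes.

```python
"""Parse the SSTP common header and control-message header.

Added example for this page. Field layout follows the two tables above:
  byte 0      : Version (8 bits)
  byte 1      : Reserved (7 bits, high) + C bit (bit 15, the LSB of byte 1)
  bytes 2-3   : Reserved (4 bits, high nibble) + Length (12 bits, whole packet)
  bytes 4..   : Data (control message if C set, otherwise PPP)
Control message: Message Type (16 bits), Attributes Count (16 bits), Attributes.
"""
import struct
from dataclasses import dataclass

SSTP_HEADER_LEN = 4          # Version + Reserved/C + Length
CONTROL_MSG_HEADER_LEN = 4   # Message Type + Attributes Count


@dataclass
class SstpHeader:
    version: int        # raw 8-bit version field
    control: bool       # the C bit
    length: int         # 12-bit length of the whole packet, header included
    data: bytes         # payload: control message or PPP frame


@dataclass
class SstpControlMessage:
    message_type: int
    attribute_count: int
    attributes: bytes   # raw attribute list (per-attribute layout not covered here)


def parse_sstp_header(buf: bytes) -> SstpHeader:
    """Parse the 4-byte header and check the declared length against the buffer."""
    if len(buf) < SSTP_HEADER_LEN:
        raise ValueError("buffer shorter than SSTP header")
    version, flags, length_field = struct.unpack("!BBH", buf[:SSTP_HEADER_LEN])
    if flags & 0xFE:
        raise ValueError("non-zero reserved bits in byte 1")
    control = bool(flags & 0x01)          # bit 15 is the LSB of byte 1
    if length_field & 0xF000:
        raise ValueError("non-zero reserved bits in length field")
    length = length_field & 0x0FFF        # low 12 bits carry the length
    if length < SSTP_HEADER_LEN:
        raise ValueError("declared length smaller than the header itself")
    if length > len(buf):
        raise ValueError("declared length exceeds bytes received (truncated packet)")
    return SstpHeader(version, control, length, buf[SSTP_HEADER_LEN:length])


def parse_control_message(hdr: SstpHeader) -> SstpControlMessage:
    """Unpack the control-message header carried in the Data field when C is set."""
    if not hdr.control:
        raise ValueError("C bit clear: Data carries PPP, not a control message")
    if len(hdr.data) < CONTROL_MSG_HEADER_LEN:
        raise ValueError("control message shorter than its fixed header")
    message_type, attribute_count = struct.unpack("!HH", hdr.data[:CONTROL_MSG_HEADER_LEN])
    return SstpControlMessage(message_type, attribute_count, hdr.data[CONTROL_MSG_HEADER_LEN:])


def build_sstp_packet(version: int, control: bool, data: bytes) -> bytes:
    """Inverse of parse_sstp_header; used here to construct sample packets."""
    length = SSTP_HEADER_LEN + len(data)
    if length > 0x0FFF:
        raise ValueError("payload too large for the 12-bit length field")
    return struct.pack("!BBH", version & 0xFF, 0x01 if control else 0x00, length) + data


def is_well_formed(buf: bytes) -> bool:
    """True if the header parses and the length field matches the bytes received."""
    try:
        parse_sstp_header(buf)
        return True
    except ValueError:
        return False


# Constructed sample packets (values chosen for the example, not taken from a capture).
SAMPLE_CONTROL = build_sstp_packet(0x10, True, b"\x00\x01\x00\x01" + b"\xaa\xbb\xcc\xdd")
SAMPLE_DATA = build_sstp_packet(0x10, False, b"\xff\x03\xc0\x21")

if __name__ == "__main__":
    hdr = parse_sstp_header(SAMPLE_CONTROL)
    print(hdr)
    print(parse_control_message(hdr))
    print(parse_sstp_header(SAMPLE_DATA))
    print("truncated packet accepted:", is_well_formed(SAMPLE_CONTROL[:-2]))
```

Rejecting a packet whose declared length does not match the bytes actually received is the check that matters most in a parser like this: trusting the 12-bit Length field and slicing by it would otherwise read past the end of a short buffer or silently swallow trailing bytes.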

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 