Secure Socket Tunneling Protocol
| Title | SSTP |
| Long Name | Secure Socket Tunneling Protocol |
| Year Started | 2007 |
| First Published | 2007-02-22 |
| Organization | Microsoft |
| Base Standards | MS-SSTP |
In computer networking, Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport Point-to-Point Protocol (PPP) traffic through an SSL/TLS channel.
Protocol
SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 (by default; port can be changed) allows SSTP to pass through virtually all firewalls and proxy servers except for authenticated web proxies.
SSTP servers must be authenticated during the SSL/TLS phase. SSTP clients can optionally be authenticated during the SSL/TLS phase and must be authenticated in the PPP phase. The use of PPP allows support for common authentication methods, such as EAP-TLS and MS-CHAP.
SSTP is available for Linux, BSD, and Windows.
SSTP was introduced in 2007 and available on Windows Vista SP1 and later, in RouterOS since version 5.0, and in SEIL since its firmware version 3.50. It is fully integrated with the RRAS architecture in these operating systems, allowing its use with Winlogon or smart-card authentication, remote-access policies and the Windows VPN client. The protocol is also used by Windows Azure for Point-to-Site Virtual Network.
SSTP is intended only for remote client access, it generally does not support site-to-site VPN tunnels.
SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically due to the TCP meltdown problem.
SSTP supports user authentication only; it does not support device authentication or computer authentication.
Packet structure
The following header structure is common to all types of SSTP packets:
| Bit offset | Bits 0–7 | 8–14 | 15 | 16–31 | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Version | Reserved | C | Length | ||||||||||||||||||||||||||||
| 32+ | Data | |||||||||||||||||||||||||||||||
- Version (8 bits) – communicates and negotiates the version of SSTP that is used.
- Reserved (7 bits) – reserved for future use.
- C (1 bit) – control bit indicating whether the SSTP packet represents an SSTP control packet or an SSTP data packet. This bit is set if the SSTP packet is a control packet.
- Length (16 bits) – packet length field, composed of two values: a Reserved portion and a Length portion.
- Reserved (4 bits) – reserved for future use.
- Length (12 bits) – contains the length of the entire SSTP packet, including the SSTP header.
- Data (variable) – when control bit C is set, this field contains an SSTP control message. Otherwise, the data field would contain a higher-level protocol. At the moment, this can only be PPP.
Control message
The data field of the SSTP header contains an SSTP control message only when the header's Control bit C is set.
| Bit offset | Bits 0–15 | 16–31 | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | Message type | Attributes count | ||||||||||||||||||||||||||||||
| 32+ | Attributes | |||||||||||||||||||||||||||||||
- Message type (16 bits) – specifies the type of SSTP control message being communicated. This dictates the number and types of attributes that can be carried in the SSTP control packet.
- Attributes count (16 bits) – specifies the number of attributes appended to the SSTP control message.
- Attributes (variable) – contains a list of attributes associated with the SSTP control message. The number of attributes is specified by the Attributes count field.
See also
- AuthIP
- L2TP/IPsec
- HTTPS
- OpenVPN
- OpenConnect VPN
- PPTP
- SoftEther VPN, an open-source VPN server program which supports SSTP-VPN protocol.
- WireGuard
References
- SSTP FAQ - Part 2: Client Specific, Samir, Jain, 2007-01-17, Microsoft TechNet, 2015-10-17
- SSTP-Client, 2011-09-17, 2015-10-17
- 2022-11-04, MS-SSTP, : Secure Socket Tunneling Protocol (SSTP), 2024-08-30, learn.microsoft.com, en-us
- SSTP Makes Secure Remote Access Easier, Mitch, Tulloch, 2008-01-22, 2015-10-17
- Configure a point-to-site VPN connection to an Azure Virtual Network, Cheryl, McGuire, 2015-08-11, 2015-10-17
- Jain, Samir, 2007-01-10, SSTP FAQ - Part 1: Generic, dead, 2010-10-12, TechNet Blogs
- Why TCP Over TCP Is A Bad Idea, Olaf, Titz, 2001-04-23, 2015-10-17
- 2005SPIE.6011..138H, Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency, Honda, Osamu, Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III, 6011, Ohsaki, Hiroyuki, Imase, Makoto, Ishizuka, Mika, Murayama, Junichi, 8945952, Sergey I, Balandin, Mohammed, Atiquzzaman, October 2005, 10.1117/12.630496
- MS-SSTP: Secure Socket Tunneling Protocol (SSTP), 2015-10-16, Microsoft TechNet, 2015-10-17
External links
- [MS-SSTP]: Secure Socket Tunneling Protocol (SSTP) by Microsoft Open Specification Promise
- RRAS Technet Blog
- Microsoft develops new tunneling protocol
- How SSTP based VPN connection works
- HSC's SSTP Client for Linux
- SSTP Client for Linux
Category:Network protocols
Category:Tunneling protocols