Secure Socket Tunneling Protocol

Source: Wikipedia, the free encyclopedia.

Secure Socket Tunneling Protocol (SSTP) is a form of virtual private network (VPN) tunnel that provides a mechanism to transport PPP traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking. The use of SSL/TLS over TCP port 443 (by default; port can be changed) allows SSTP to pass through virtually all firewalls and proxy servers except for authenticated web proxies.[1]

SSTP servers must be

EAP-TLS and MS-CHAP.

SSTP is available for

SSTP is available on Windows Azure for Point-to-Site Virtual Network.[4]

SSTP is intended only for remote client access; it generally does not support site-to-site VPN tunnels.[5]

SSTP suffers from the same performance limitations as any other IP-over-TCP tunnel. In general, performance will be acceptable only as long as there is sufficient excess bandwidth on the un-tunneled network link to guarantee that the tunneled TCP timers do not expire. If this becomes untrue, performance falls off dramatically. This is known as the "TCP meltdown problem".[6][7]

SSTP supports user authentication only; it does not support device authentication or computer authentication.

Packet structure

The following header structure is common to all types of SSTP packets:[8]

SSTP header
  Bit offset | Bits 0–7 | 8–14     | 15 | 16–31
  0          | Version  | Reserved | C  | Length
  32+        | Data
  • Version (8 bits) – communicates and negotiates the version of SSTP that is used.
  • Reserved (7 bits) – reserved for future use.
  • C (1 bit) – control bit indicating whether the SSTP packet is an SSTP control packet or an SSTP data packet. The bit is set if the packet is a control packet.
  • Length (16 bits) – packet length field, composed of two values: a Reserved portion and a Length portion.
      • Reserved (4 bits) – reserved for future use.
      • Length (12 bits) – the length of the entire SSTP packet, including the SSTP header.
  • Data (variable) – when control bit C is set, this field contains an SSTP control message. Otherwise it carries a higher-level protocol frame; at present this can only be PPP.

Control message

The data field of the SSTP header contains an SSTP control message only when the header's Control bit C is set.

SSTP control message
  Bit offset | Bits 0–15    | 16–31
  0          | Message type | Attributes count
  32+        | Attributes
  • Message type (16 bits) – specifies the type of SSTP control message being communicated. This dictates the number and types of attributes that can be carried in the SSTP control packet.
  • Attributes count (16 bits) – specifies the number of attributes appended to the SSTP control message.
  • Attributes (variable) – a list of attributes associated with the SSTP control message. The number of attributes is given by the Attributes count field.
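The two layouts above (the common SSTP header and the control message it carries when C is set) are small enough to parse by hand, and a parser is the clearest way to see where the length fields interact. The following is an added example, not code from the article or from any SSTP implementation. It assumes the attribute layout and the message-type and attribute-ID names from Microsoft's MS-SSTP specification (Reserved byte, one-byte ID, a 4+12-bit length that includes the attribute header, then the value), which the article does not spell out; the sample frames are constructed. The security-relevant point it shows is that every length field (the 12-bit packet length, the attribute count and each attribute length) is cross-checked against the bytes actually present, so a frame whose fields disagree with its size is rejected instead of being read past its end.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SSTP_VERSION_1_0 = 0x10  # MS-SSTP encodes the version as major.minor nibbles (1.0)

# Names from MS-SSTP (assumed here; the article only says the type "dictates the
# number and types of attributes"). They make parsed output readable.
MESSAGE_TYPES = {
    0x0001: "CALL_CONNECT_REQUEST", 0x0002: "CALL_CONNECT_ACK",
    0x0003: "CALL_CONNECT_NAK", 0x0004: "CALL_CONNECTED",
    0x0005: "CALL_ABORT", 0x0006: "CALL_DISCONNECT",
    0x0007: "CALL_DISCONNECT_ACK", 0x0008: "ECHO_REQUEST", 0x0009: "ECHO_RESPONSE",
}
ATTRIBUTE_IDS = {
    0x00: "NO_ERROR", 0x01: "ENCAPSULATED_PROTOCOL_ID", 0x02: "STATUS_INFO",
    0x03: "CRYPTO_BINDING", 0x04: "CRYPTO_BINDING_REQ",
}


class SSTPParseError(ValueError):
    """Raised for any frame whose length fields do not agree with the bytes present."""


@dataclass
class SSTPAttribute:
    attribute_id: int
    value: bytes


@dataclass
class SSTPPacket:
    version: int
    is_control: bool
    length: int                 # 12-bit length, includes the 4-byte SSTP header
    message_type: Optional[int] = None
    attributes: Optional[List[SSTPAttribute]] = None
    payload: bytes = b""        # PPP frame when is_control is False


def _length12(raw16: int) -> int:
    # Length field: upper 4 bits reserved, lower 12 bits are the real length.
    return raw16 & 0x0FFF


def parse_sstp_packet(data: bytes) -> SSTPPacket:
    """Parse one SSTP packet from the front of `data`; extra trailing bytes are ignored."""
    if len(data) < 4:
        raise SSTPParseError("short frame: need 4 header bytes")
    version, flags, raw_len = struct.unpack("!BBH", data[:4])
    is_control = bool(flags & 0x01)          # C is bit 15, the low bit of byte 1
    length = _length12(raw_len)
    if length < 4:
        raise SSTPParseError("declared length smaller than the header")
    if length > len(data):
        raise SSTPParseError(f"declared length {length} exceeds {len(data)} bytes present")
    body = data[4:length]                    # bounded by the check above, never by the field alone
    pkt = SSTPPacket(version=version, is_control=is_control, length=length)
    if not is_control:
        pkt.payload = body
        return pkt
    pkt.message_type, pkt.attributes = _parse_control(body)
    return pkt


def _parse_control(body: bytes) -> Tuple[int, List[SSTPAttribute]]:
    if len(body) < 4:
        raise SSTPParseError("control message shorter than its 4-byte header")
    msg_type, attr_count = struct.unpack("!HH", body[:4])
    attrs: List[SSTPAttribute] = []
    offset = 4
    for _ in range(attr_count):
        # Attribute layout (MS-SSTP, assumed): Reserved(1) ID(1) LengthPacket(2) Value
        if offset + 4 > len(body):
            raise SSTPParseError("attribute count exceeds data present")
        _reserved, attr_id, raw_len = struct.unpack("!BBH", body[offset:offset + 4])
        attr_len = _length12(raw_len)        # includes the 4-byte attribute header
        if attr_len < 4 or offset + attr_len > len(body):
            raise SSTPParseError("attribute length inconsistent with packet")
        attrs.append(SSTPAttribute(attr_id, body[offset + 4:offset + attr_len]))
        offset += attr_len
    if offset != len(body):                  # strict: count and lengths must account for every byte
        raise SSTPParseError("trailing bytes after last attribute")
    return msg_type, attrs


def _pack_len(n: int) -> int:
    if n > 0x0FFF:
        raise ValueError("SSTP length fields are 12 bits")
    return n


def build_control_packet(msg_type: int, attrs: List[Tuple[int, bytes]],
                         version: int = SSTP_VERSION_1_0) -> bytes:
    enc = b"".join(struct.pack("!BBH", 0, aid, _pack_len(4 + len(v))) + v for aid, v in attrs)
    body = struct.pack("!HH", msg_type, len(attrs)) + enc
    return struct.pack("!BBH", version, 0x01, _pack_len(4 + len(body))) + body


def build_data_packet(ppp_frame: bytes, version: int = SSTP_VERSION_1_0) -> bytes:
    return struct.pack("!BBH", version, 0x00, _pack_len(4 + len(ppp_frame))) + ppp_frame


if __name__ == "__main__":
    # Constructed sample: a CALL_CONNECT_REQUEST announcing PPP (protocol id 0x0001).
    frame = build_control_packet(0x0001, [(0x01, b"\x00\x01")])
    print(frame.hex())
    p = parse_sstp_packet(frame)
    print(MESSAGE_TYPES.get(p.message_type),
          [(ATTRIBUTE_IDS.get(a.attribute_id), a.value.hex()) for a in p.attributes])
```

Run as a script it prints the constructed frame (`1001000e00010001000100060001`) and its decoded form. Feeding it a truncated copy of the same frame, or one whose attribute count has been bumped without adding attributes, raises SSTPParseError rather than returning a partially filled object, which is the behaviour you want in anything that sits in front of a PPP stack.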

References

  1. ^ Jain, Samir (2007-01-17). "SSTP FAQ - Part 2: Client Specific". Microsoft TechNet. Retrieved 2015-10-17.
  2. ^ "SSTP-Client". 2011-09-17. Retrieved 2015-10-17.
  3. ^ Tulloch, Mitch (2008-01-22). "SSTP Makes Secure Remote Access Easier". Retrieved 2015-10-17.
  4. ^ McGuire, Cheryl (2015-08-11). "Configure a point-to-site VPN connection to an Azure Virtual Network". Retrieved 2015-10-17.
  5. ^ Jain, Samir (2007-01-10). "SSTP FAQ - Part 1: Generic". TechNet Blogs. Archived from the original on 2010-10-12.
  6. ^ Titz, Olaf (2001-04-23). "Why TCP Over TCP Is A Bad Idea". Retrieved 2015-10-17.
  7. ^ S2CID 8945952.
  8. ^ "MS-SSTP: Secure Socket Tunneling Protocol (SSTP)". Microsoft TechNet. 2015-10-16. Retrieved 2015-10-17.
