Secure Socket Tunneling Protocol

from Wikipedia, the free encyclopedia
SSTP (Secure Socket Tunneling Protocol)
Family: Internet protocol family
Operation area: establishment of a virtual private network
Port: 443/TCP
Specification: MS-SSTP, revision 14.0 (August 8, 2013); not standardized by the IETF

SSTP in the TCP/IP protocol stack:
  Tunnel:          IP (private)
                   PPP
                   SSTP
  Application:     HTTPS
                   SSL/TLS
  Transport:       TCP
  Internet:        IP (IPv4, IPv6)
  Network access:  Ethernet, Token Bus, Token Ring, FDDI, ...

The Secure Socket Tunneling Protocol (SSTP) is a VPN tunneling protocol introduced by Microsoft in 2007. It carries a VPN tunnel inside an HTTPS (SSL/TLS) session on TCP port 443. The intent is to avoid the blocking by web proxies, firewalls and NAT routers that other tunneling protocols such as the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol over IPsec (L2TP/IPsec) frequently run into.

Development

SSTP is Microsoft's approach to VPN access with PPP over SSL/TLS (an SSL VPN). Microsoft hoped thereby to substantially reduce the support requests arising from IPsec-based VPNs, which are often blocked by firewalls and routers. Although the protocol builds on many existing standards, Microsoft did not pursue standardization of SSTP within the IETF.

The protocol was designed primarily as a remote-access solution for individual users in an end-to-site scenario: reaching servers and network infrastructure through firewalls and gateways over the well-known port 443/TCP. Use as a link between two networks (site-to-site) is not intended by Microsoft, although it is possible with special implementations, for example on routers.

Specifications

The technical specifications of (MS-) SSTP are published as part of the Microsoft Communication Protocol Program (MCPP), which regulates the free provision of technical documents for Microsoft operating systems.

SSTP uses SSL 3.0 or TLS over HTTP/1.1 and declares a 64-bit content length, so that a single HTTPS request/response pair can carry the tunnel for the lifetime of the connection; it works over both IPv4 and IPv6. PPP authentication can use MS-CHAPv2, EAP-MS-CHAPv2, EAP with smart cards, and the Protected Extensible Authentication Protocol (PEAP). Encryption is whatever cipher suite the SSL/TLS implementation negotiates, e.g. AES, RC4 or 3DES. From a present-day security standpoint, SSL 3.0, RC4 and 3DES are considered broken or weak and the MS-CHAPv2 challenge-response can be cracked offline; deployments should restrict the TLS stack to TLS 1.2 or later with AES cipher suites and prefer certificate- or smart-card-based EAP over bare MS-CHAPv2.

On the server side, Windows Server 2008 or later (Windows Server 2008 R2, Windows Server 2012) with the Routing and Remote Access Service (RRAS) installed is required to terminate SSTP VPNs. On the client side, SSTP has been available since Windows Vista Service Pack 1. An SSTP client for Linux, FreeBSD and Mac OS (sstp-client) is available for download from SourceForge. If protocol selection on the client is set to automatic, connection attempts are made in the order PPTP → L2TP → SSTP; a client that is meant to use only SSTP must therefore have its tunnel type pinned explicitly, otherwise a PPTP attempt is made first.

Connection establishment process

  1. The client establishes a TCP connection to the server on port 443.
  2. The SSL/TLS handshake with the server takes place over this TCP connection (→ see: TLS handshake). During this phase the client receives the server's X.509 certificate and validates it; if the certificate is not valid, connection establishment is aborted. The client does not authenticate itself at this point.
  3. The client establishes an HTTP session with the server inside the SSL/TLS connection (→ see: HTTP request).
  4. The client sends SSTP control packets over the HTTPS session. Once the SSTP state is ready on both sides, link-up is signalled to the PPP data-link layer on both sides.
  5. The PPP connection is established over SSL/TLS and SSTP (→ see: Establishing a PPP connection). During the PPP authentication phase the client authenticates itself to the server (and, depending on the authentication method, the server also authenticates itself to the client).
  6. After PPP negotiation completes, IP interfaces with private IP addresses are created on both sides, through which client and server then communicate via SSTP.

Example

  • Suppose the server has the public IP address 100.100.100.1 and the client the public IP address 200.200.200.1.
  • After the PPP connection has been negotiated over SSTP, the server has an additional interface with the IP address 192.168.0.1 and the client an additional interface with the IP address 192.168.0.2.
  • The user on the client pings the server at 192.168.0.1.
  1. The ping is sent as IP over PPP over SSTP (source address 192.168.0.2, destination address 192.168.0.1).
  2. SSTP hands the packet to the SSL/TLS layer, which encrypts it; from there it travels over TCP over IP (source address 200.200.200.1, destination address 100.100.100.1) out of the public interface.
  3. The server receives the packet on its public interface and passes it up through IP and TCP to the SSL/TLS layer, which decrypts it; from there it goes through SSTP and PPP to IP, where it is delivered to the destination address 192.168.0.1.

SSTP packet structure

Header

The following header structure applies to all types of SSTP packets:

Bit offset   0-7       8-14       15   16-31
0            Version   Reserved   C    Length
32+          Data

  • Version (8 bits) - the SSTP version in use (the MS-SSTP specification currently defines the value 0x10, i.e. version 1.0).
  • Reserved (7 bits) - reserved for future use; must be zero.
  • C (1 bit) - control bit that indicates whether the packet is an SSTP control packet (1) or an SSTP data packet (0).
  • Length (16 bits) - composed of two fields: Reserved (4 bits), reserved for future use, and Packet length (12 bits), the length of the entire SSTP packet including the 4-byte header. With 12 bits the largest SSTP packet is 4095 bytes; a receiver must check the declared length against the bytes actually received before using it.
  • Data (variable) - if control bit C is set, the data field contains a control message; otherwise it contains a frame of the encapsulated higher-layer protocol. Currently only the Point-to-Point Protocol (PPP) is possible here.

Control message

The data field of the SSTP header contains an SSTP control message if control bit C is set in the header.

Bit offset   0-15           16-31
0            Message type   Attribute count
32+          Attributes

  • Message type (16 bits) - identifies the type of control message transmitted.
  • Attribute count (16 bits) - the number of attributes that follow.
  • Attributes (variable) - the list of attributes belonging to this control message; the number of attributes is given by the attribute count field.
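The control packet of step 4 of the connection establishment and the header and control-message layouts in the two tables above, as an added example in Python (not code from this page or from Microsoft). The 4-byte attribute layout, the version value 0x10, the message-type and attribute-ID constants and the SSTP_DUPLEX_POST request line are taken from the MS-SSTP specification rather than from this page; the host name is an assumed placeholder. The parser deliberately checks every length field before using it, since the 12-bit length in the header and in each attribute is attacker-controlled on the wire.

```python
"""Encode and decode SSTP packets (added example, not from the page or the spec's authors).

Common header (from the tables above):
    Version (8) | Reserved (7) | C (1) | Reserved (4) | Length (12)
Control message body:
    Message type (16) | Attribute count (16) | Attributes ...
Attribute layout, taken from the MS-SSTP specification (not shown on the page):
    Reserved (8) | Attribute ID (8) | Reserved (4) | Length (12)
where Length covers the 4-byte attribute header plus the value.
"""
import struct

SSTP_VERSION = 0x10          # MS-SSTP: major 1, minor 0 (value from the specification)
HDR_LEN = 4
MAX_PACKET_LEN = 0x0FFF      # 12-bit length field: 4095 bytes including the header

# Constants from MS-SSTP (assumed here, not given on the page).
MSG_CALL_CONNECT_REQUEST = 0x0001
ATTR_ENCAPSULATED_PROTOCOL_ID = 0x01
PROTOCOL_PPP = 0x0001
DUPLEX_POST_PATH = "/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/"


def duplex_post_request(host: str) -> bytes:
    """Step 3: the HTTP request that opens the tunnel. The 64-bit content
    length (2**64 - 1) is what keeps the request body open indefinitely."""
    return (
        f"SSTP_DUPLEX_POST {DUPLEX_POST_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {2**64 - 1}\r\n\r\n"
    ).encode()


def build_packet(payload: bytes, control: bool) -> bytes:
    """Prepend the 4-byte SSTP header; the 12-bit length covers the header too."""
    total = HDR_LEN + len(payload)
    if total > MAX_PACKET_LEN:
        raise ValueError("SSTP packet exceeds the 12-bit length field")
    flags = 0x01 if control else 0x00      # C is bit 15, the LSB of the second byte
    return struct.pack("!BBH", SSTP_VERSION, flags, total) + payload


def build_attribute(attr_id: int, value: bytes) -> bytes:
    return struct.pack("!BBH", 0, attr_id, 4 + len(value)) + value


def build_control(msg_type: int, attributes: list) -> bytes:
    body = struct.pack("!HH", msg_type, len(attributes)) + b"".join(attributes)
    return build_packet(body, control=True)


def connect_request() -> bytes:
    """First control packet of step 4: ask the server to encapsulate PPP."""
    attr = build_attribute(ATTR_ENCAPSULATED_PROTOCOL_ID, struct.pack("!H", PROTOCOL_PPP))
    return build_control(MSG_CALL_CONNECT_REQUEST, [attr])


def parse_packet(buf: bytes) -> dict:
    """Parse one SSTP packet, validating every length before trusting it:
    header present, reserved bits zero, declared length within bounds and
    not larger than the bytes actually received."""
    if len(buf) < HDR_LEN:
        raise ValueError("truncated SSTP header")
    version, flags, length = struct.unpack("!BBH", buf[:HDR_LEN])
    if version != SSTP_VERSION:
        raise ValueError(f"unsupported SSTP version 0x{version:02x}")
    if flags & 0xFE:                       # the 7 reserved bits must be zero
        raise ValueError("reserved header bits set")
    if length & 0xF000:                    # upper 4 bits of the length word are reserved
        raise ValueError("reserved length bits set")
    if length < HDR_LEN or length > len(buf):
        raise ValueError("declared length is shorter than the header or longer than the data")
    control = bool(flags & 0x01)
    data = buf[HDR_LEN:length]
    pkt = {"version": version, "control": control, "length": length}
    if control:
        pkt.update(parse_control(data))
    else:
        pkt["ppp"] = data                  # a data packet carries one PPP frame
    return pkt


def parse_control(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("truncated control message")
    msg_type, count = struct.unpack("!HH", data[:4])
    attrs, off = [], 4
    for _ in range(count):                 # count is untrusted: bound every step by len(data)
        if off + 4 > len(data):
            raise ValueError("attribute header runs past the packet")
        _, attr_id, alen = struct.unpack("!BBH", data[off:off + 4])
        if alen & 0xF000:
            raise ValueError("reserved attribute length bits set")
        if alen < 4 or off + alen > len(data):
            raise ValueError("attribute length runs past the packet")
        attrs.append((attr_id, data[off + 4:off + alen]))
        off += alen
    if off != len(data):                   # strict: the declared length must be fully accounted for
        raise ValueError("trailing bytes after the last attribute")
    return {"msg_type": msg_type, "attributes": attrs}


if __name__ == "__main__":
    raw = connect_request()
    print(raw.hex())                       # 1001000e00010001000100060001
    print(parse_packet(raw))
```

Running the module prints the encoded SSTP_MSG_CALL_CONNECT_REQUEST (14 bytes: header, message type 1, one attribute carrying the PPP protocol ID) and its decoded form. Feeding the parser a packet whose header claims more bytes than were received, or an attribute whose length runs past the packet, raises ValueError instead of reading beyond the buffer, which is the failure mode a naive implementation of the 12-bit length fields invites.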
