[MS-IPHTTPS]:
IP over HTTPS (IP-HTTPS) Tunneling Protocol

The IP over HTTPS (IP-HTTPS) Protocol allows for a secure IP tunnel to be established using a secure HTTP connection.

Intellectual Property Rights Notice for Open Specifications Documentation

§  Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies.

§  Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL’s, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications.

§  No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

§  Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

§  Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

§  Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Revision Summary

Date / Revision History / Revision Class / Comments
12/05/2008 / 0.1 / Major / Initial Availability
01/16/2009 / 0.1.1 / Editorial / Revised and edited the technical content.
02/27/2009 / 0.1.2 / Editorial / Revised and edited the technical content.
04/10/2009 / 0.1.3 / Editorial / Revised and edited the technical content.
05/22/2009 / 1.0 / Major / Updated and revised the technical content.
07/02/2009 / 1.0.1 / Editorial / Revised and edited the technical content.
08/14/2009 / 1.0.2 / Editorial / Revised and edited the technical content.
09/25/2009 / 2.0 / Major / Updated and revised the technical content.
11/06/2009 / 3.0 / Major / Updated and revised the technical content.
12/18/2009 / 4.0 / Major / Updated and revised the technical content.
01/29/2010 / 5.0 / Major / Updated and revised the technical content.
03/12/2010 / 5.0.1 / Editorial / Revised and edited the technical content.
04/23/2010 / 5.0.2 / Editorial / Revised and edited the technical content.
06/04/2010 / 5.0.3 / Editorial / Revised and edited the technical content.
07/16/2010 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
08/27/2010 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
10/08/2010 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
11/19/2010 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
01/07/2011 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
02/11/2011 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
03/25/2011 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
05/06/2011 / 5.0.3 / No change / No changes to the meaning, language, or formatting of the technical content.
06/17/2011 / 5.1 / Minor / Clarified the meaning of the technical content.
09/23/2011 / 5.1 / No change / No changes to the meaning, language, or formatting of the technical content.
12/16/2011 / 6.0 / Major / Significantly changed the technical content.
03/30/2012 / 6.0 / No change / No changes to the meaning, language, or formatting of the technical content.
07/12/2012 / 7.0 / Major / Significantly changed the technical content.
10/25/2012 / 7.0 / No change / No changes to the meaning, language, or formatting of the technical content.
01/31/2013 / 7.0 / No change / No changes to the meaning, language, or formatting of the technical content.
08/08/2013 / 8.0 / Major / Significantly changed the technical content.

[MS-IPHTTPS] — v20130722

IP over HTTPS (IP-HTTPS) Tunneling Protocol

Copyright © 2013 Microsoft Corporation.

Release: Monday, July 22, 2013

Contents

1 Introduction

1.1 Glossary

1.2 References

1.2.1 Normative References

1.2.2 Informative References

1.3 Overview

1.4 Relationship to Other Protocols

1.5 Prerequisites/Preconditions

1.6 Applicability Statement

1.7 Versioning and Capability Negotiation

1.8 Vendor-Extensible Fields

1.9 Standards Assignments

2 Messages

2.1 Transport

2.2 Message Syntax

3 Protocol Details

3.1 IP-HTTPS Client Details

3.1.1 Abstract Data Model

3.1.2 Timers

3.1.2.1 Reconnect Timer

3.1.3 Initialization

3.1.4 Higher-Layer Triggered Events

3.1.4.1 Enable IP-HTTPS Link

3.1.4.2 Disable IP-HTTPS Link

3.1.5 Processing Events and Sequencing Rules

3.1.5.1 Establishing the HTTPS Connection

3.1.5.2 Bringing the IP-HTTPS Link Up

3.1.5.3 Data Transfer

3.1.5.4 Error Handling

3.1.6 Timer Events

3.1.7 Other Local Events

3.2 IP-HTTPS Server Details

3.2.1 Abstract Data Model

3.2.2 Timers

3.2.3 Initialization

3.2.3.1 Entering the Listen State

3.2.4 Higher-Layer Triggered Events

3.2.4.1 Enable IP-HTTPS Link

3.2.4.2 Disable IP-HTTPS Link

3.2.5 Processing Events and Sequencing Rules

3.2.5.1 Accepting IP-HTTPS Clients

3.2.5.2 Data Transfer

3.2.5.2.1 Sending a Packet to a Client

3.2.5.2.2 Receiving a Packet from a Client

3.2.5.3 Error Handling

3.2.6 Timer Events

3.2.7 Other Local Events

3.2.7.1 Changing Authentication Mode

3.2.7.2 Client Disconnection

3.2.7.3 Shutdown

4 Protocol Examples

4.1 Packet Flow and Connection Establishment

4.2 Attack Scenarios

4.2.1 Unauthorized Client Connecting to an IP-HTTPS Server

4.2.2 Unauthorized Client Connecting to an IP-HTTPS Server (When Authentication Mode Is Set to Certificates)

4.2.3 Unauthorized Client Connecting to an IP-HTTPS Server (When Authentication Mode Is Set to None)

4.2.4 Unauthorized IP-HTTPS Server Accepting Connections from a Genuine IP-HTTPS Client

4.2.5 Man in the Middle

5 Security

5.1 Security Considerations for Implementers

5.2 Index of Security Parameters

6 Appendix A: Product Behavior

7 Change Tracking

8 Index

1 Introduction

This document specifies the IP over HTTPS (IP-HTTPS) Protocol, a mechanism to transport IPv6 packets on an HTTPS connection.

Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in RFC 2119. Sections 1.5 and 1.9 are also normative but cannot contain those terms. All other sections and examples in this specification are informative.

1.1 Glossary

The following terms are defined in [MS-GLOS]:

The following terms are specific to this document:

IP-HTTPS client: A computer that implements the IP over HTTPS (IP-HTTPS) Protocol and that initiates an IP-HTTPS connection to an IP-HTTPS server over TCP port 443.

IP-HTTPS server: A computer that implements the IP over HTTPS (IP-HTTPS) Protocol and listens and accepts IP-HTTPS connections from IP-HTTPS clients over TCP port 443.

IP-HTTPS endpoint: An entity that communicates to an IP-HTTPS client via the IP-HTTPS server.

Uniform Resource Identifier (URI): A resource identifier, which conforms to the rules for Uniform Resource Identifiers as defined in [RFC3986].

MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.

1.2 References

References to Microsoft Open Specifications documentation do not include a publishing year because links are to the latest version of the documents, which are updated frequently. References to other documents include a publishing year when one is available.

A reference marked "(Archived)" means that the reference document was either retired and is no longer being maintained or was replaced with a new document that provides current implementation details. We archive our documents online [Windows Protocol].

1.2.1 Normative References

We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact . We will assist you in finding the relevant information. Please check the archive site, http://msdn2.microsoft.com/en-us/library/E4BD6494-06AD-4aed-9823-445E921C9624, as an additional source.

[RFC1945] Berners-Lee, T., Fielding, R., and Frystyk, H., "Hypertext Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996, http://www.ietf.org/rfc/rfc1945.txt

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, http://www.rfc-editor.org/rfc/rfc2119.txt

[RFC2460] Deering, S., and Hinden, R., "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998, http://www.ietf.org/rfc/rfc2460.txt

[RFC2616] Fielding, R., Gettys, J., Mogul, J., et al., "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999, http://www.ietf.org/rfc/rfc2616.txt

[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000, http://www.ietf.org/rfc/rfc2818.txt

[RFC3986] Berners-Lee, T., Fielding, R., and Masinter, L., "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005, http://www.ietf.org/rfc/rfc3986.txt

[RFC4346] Dierks, T., and Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006, http://www.ietf.org/rfc/rfc4346.txt

[RFC4861] Narten, T., Nordmark, E., Simpson, W., and Soliman, H., "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007, http://www.ietf.org/rfc/rfc4861.txt

[SSLPROXY] Luotonen, A., "Tunneling SSL Through a WWW Proxy", March 1997, http://tools.ietf.org/html/draft-luotonen-ssl-tunneling-03

1.2.2 Informative References

[MS-GLOS] Microsoft Corporation, "Windows Protocols Master Glossary".

[RFC1661] Simpson, W., Ed., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994, http://www.ietf.org/rfc/rfc1661.txt

[RFC3971] Arkko, J., Ed., Kempf, J., Zill, B., and Nikander, P., "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005, http://www.rfc-editor.org/rfc/rfc3971.txt

1.3 Overview

Many virtual private network (VPN) services provide a way for mobile and home users to access the corporate network remotely by using the Point-to-Point Tunneling Protocol (PPTP) and the Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec). However, with the popularization of firewalls and web proxies, many service providers (for example, hotels) do not allow the PPTP and L2TP/IPsec traffic. This results in users not receiving ubiquitous connectivity to their corporate networks. For example, generic routing encapsulation (GRE) port blocking by many Internet service providers (ISPs) is a common problem when using PPTP.

The IP over HTTPS (IP-HTTPS) Tunneling Protocol Specification defines the IP over HTTPS (IP-HTTPS) Protocol. IP-HTTPS is a mechanism to encapsulate IP traffic over an HTTPS protocol, as defined in [RFC1945], [RFC2616], and [RFC2818]. This protocol enables remote users behind a protocol blocking firewall or proxy server to access a private network using HTTPS. The use of HTTPS enables traversal of most firewalls and web proxies. IP-HTTPS supports HTTP proxy authentication.

This protocol employs two main roles: client and server. The IP-HTTPS client and IP-HTTPS server can use either HTTPS or HTTP as a transport.

An IP-HTTPS client: This component is similar to a VPN client. The IP-HTTPS client initiates connections to a configured IP-HTTPS server. The client could become active either automatically (for example, when the client machine is located behind an HTTP firewall and/or HTTP proxy), or based on administrative policy (for example, always on), or based on an explicit user action.

When an IP-HTTPS client is behind an HTTP proxy, the client first establishes a tunnel to the IP-HTTPS server using the CONNECT method, as described in [SSLPROXY].

An IP-HTTPS server: This component is similar to a VPN server, and it is typically positioned at the edge of a network. The IP-HTTPS server directly accepts HTTPS connections made by IP-HTTPS clients. When positioned behind a device that terminates HTTPS on its behalf (such as a reverse proxy or a TLS/SSL load balancer), the server can be configured to listen over HTTP.
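The following is an added illustration, not part of this specification: a Python sketch of the proxy step described above, in which a client behind an HTTP proxy issues CONNECT for the IP-HTTPS server on TCP port 443 and interprets the proxy's reply, including the proxy-authentication case. The host name, the credentials, the function names, and the choice of the Basic scheme are assumptions made for the example.

```python
import base64

IPHTTPS_PORT = 443  # the glossary defines IP-HTTPS connections on TCP port 443


def build_connect(server_host, proxy_credentials=None):
    """Return the CONNECT request a client sends to the HTTP proxy."""
    target = f"{server_host}:{IPHTTPS_PORT}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if proxy_credentials is not None:
        # Assumption: Basic scheme, chosen only to keep the example short.
        user, password = proxy_credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_reply(raw):
    """Classify the proxy's reply as 'tunnel', 'auth-required' or 'refused'."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response header")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    code = int(parts[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 200 <= code < 300:
        # Bytes after the blank line already belong to the tunnel; the TLS
        # handshake with the IP-HTTPS server runs inside it.
        return "tunnel", rest
    if code == 407:
        # The proxy demands credentials; report the challenge it offered.
        return "auth-required", headers.get("proxy-authenticate", "")
    return "refused", code


if __name__ == "__main__":
    # Constructed sample exchange (not captured traffic).
    print(build_connect("iphttps.example.test").decode("ascii"))
    print(parse_proxy_reply(b"HTTP/1.1 200 Connection established\r\n\r\n"))
```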

1.4 Relationship to Other Protocols

The IP over HTTPS (IP-HTTPS) Protocol allows encapsulation of IPv6 traffic over HTTPS. To do so, it depends on the following protocols:

§ Hypertext Transfer Protocol -- HTTP/1.0 [RFC1945].

§ Hypertext Transfer Protocol -- HTTP/1.1 [RFC2616].

§ HTTP Over TLS [RFC2818].

§ Tunneling SSL Through a WWW Proxy [SSLPROXY].

§ The Transport Layer Security (TLS) Protocol Version 1.1 [RFC4346].

Once the underlying transport is established, IP-HTTPS enables IPv6 traffic exchanges per usual IPv6 specifications such as:

§ Neighbor Discovery for IP Version 6 (IPv6) [RFC4861].

§ Internet Protocol, Version 6 (IPv6) Specification [RFC2460].

Note: The IP-HTTPS Protocol itself does not have any security or authentication methods. Instead, it relies on HTTPS for authentication, data integrity, and confidentiality.

The relationship between these protocols is illustrated in the following diagram: