52

I don't understand why the "tunnel" metaphor is used to describe a networking tunnel.

At first I thought the reason was because the data sent is encrypted, and so an eavesdropper will not be able to see the data (he sees the data wrapped in a tunnel!).

But what about the tunneling protocols that do not use encryption? Why are they also called a "tunnel"?

1
  • 21
    The data sent through a tunnel is encapsulated. It may or may not be encrypted.
    – DavidPostill
    Commented Mar 19, 2017 at 22:32

3 Answers

79

In the case of roads, a real world tunnel is a constructed passage that allows you to pass directly from A to B instead of taking a route that is longer and/or has more things to slow you down. Examples include tunnels through mountains that you might otherwise have to go round, underpasses that let you get to the other side of the road without walking across it, and subway tunnels that let trains move around a city without contending with roads and buildings.

In each of these cases, a tunnel provides a direct path that avoids some type of complexity you'd otherwise have to deal with. In networking it is used in the same way.

An IPv4 over IPv6 tunnel allows IPv4 to pass through an IPv6 network into another IPv4 network, something that would otherwise not be possible without the originating computer understanding the IPv6 network.

A VPN is a tunnel specifically intended for connecting two private networks without the overhead of translating the IP addresses between private and public addresses at each end.

An example that combines the two is game VPN software like Hamachi that could be used to play over the internet games which used old protocols like IPX or relied on local discovery to find other players.

2
  • 2
    I've added an edit that expands on your examples to make it more general. It felt more polite in this case to do a slightly heavy edit rather than post a separate answer or spew in the comments. Apologies if I'm out of line with the edit size.
    – Kaithar
    Commented Mar 20, 2017 at 5:05
  • 5
    @Kaithar while the edit is substantial it does follow the point I was trying to get across and I was torn between keeping it short and simple and editing in the way that you did. Thank you for the edit.
    – Mokubai
    Commented Mar 20, 2017 at 7:18
37

Why is a tunnel called a "tunnel"?

The phrase was first used (as far as I can tell) in RFC 1075 Distance Vector Multicast Routing Protocol, where it is defined as follows:

In addition, to allow experiments to traverse networks that do not support multicasting, a mechanism called "tunneling" was developed.

...

  1. Tunnels

A tunnel is a method for sending datagrams between routers separated by gateways that do not support multicasting routing. It acts as a virtual network between two routers. For instance, a router running at Stanford, and a router running at BBN might be connected with a tunnel to allow multicast datagrams to traverse the Internet. We consider tunnels to be a transitional hack.

Tunneling is done with a weakly encapsulated normal multicasted datagram. The weak encapsulation uses a special two element IP loose source route [5]. (This form of encapsulation is preferable to "strong" encapsulation, i.e., prepending an entire new IP header, because it does not require the tunnel end-points to know each other's maximum reassembly buffer size. It also has the benefit of correct behavior of the originator's time-to-live value and any other IP options present.)

A tunnel has a local end-point, remote end-point, metric, and threshold associated with it. The routers at each end of the tunnel need only agree upon the local and remote end-points. See section 8 for information on how tunnels are configured. Because the number of intermediate gateways between the end-points of a tunnel is unknown, additional research is needed to determine appropriate metrics and thresholds.

Although the above states "We consider tunnels to be a transitional hack", tunneling is still used today, with essentially the same meaning - the data sent through a tunnel is encapsulated so it can be transmitted via a protocol that would otherwise not support the transmission:

A tunnel is a mechanism used to ship a foreign protocol across a network that normally wouldn't support it. Tunneling protocols allow you to use, for example, IP to send another protocol in the "data" portion of the IP datagram. Most tunneling protocols operate at layer 4, which means they are implemented as a protocol that replaces something like TCP or UDP.

Source: Networking 101: Understanding Tunneling

1
  • 20
    "We consider tunnels to be a transitional hack" — there truly is nothing so permanent as a temporary solution.
    – Wildcard
    Commented Mar 21, 2017 at 3:03
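
The encapsulation described in the answers above, using the IPv4-over-IPv6 case from the first answer, as an added example that is not part of the original posts: a tunnel entry prepends an IPv6 header to an unmodified IPv4 packet, and the tunnel exit validates and strips it. The function names, the documentation-range addresses and the payload bytes are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV4 = 4    # IANA protocol number for "IPv4 encapsulation"
IPPROTO_TEST = 253  # reserved for experimentation; payload here is opaque bytes

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           ttl, IPPROTO_TEST, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return header(checksum(header(0))) + payload

def encapsulate(inner: bytes, tun_src: str, tun_dst: str, hops: int = 64) -> bytes:
    """Tunnel entry: prepend an IPv6 header; the inner packet is untouched."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB16s16s", first_word, len(inner), IPPROTO_IPV4, hops,
                       ipaddress.IPv6Address(tun_src).packed,
                       ipaddress.IPv6Address(tun_dst).packed) + inner

def decapsulate(outer: bytes) -> bytes:
    """Tunnel exit: validate the outer header, then hand back the inner packet."""
    if len(outer) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, length, next_header, _hops = struct.unpack("!IHBB", outer[:8])
    if first_word >> 28 != 6 or next_header != IPPROTO_IPV4:
        raise ValueError("not an IPv4-in-IPv6 packet")
    inner = outer[40:]
    ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if length != len(inner) or not 20 <= ihl <= len(inner) or inner[0] >> 4 != 4:
        raise ValueError("inner packet is malformed")
    if checksum(inner[:ihl]) != 0:
        raise ValueError("inner IPv4 header checksum mismatch")
    return inner

# Constructed sample: documentation addresses (RFC 5737 / RFC 3849).
INNER = build_ipv4("192.0.2.10", "198.51.100.20", b"hello through the tunnel")
OUTER = encapsulate(INNER, "2001:db8::1", "2001:db8::2")
```

The inner payload appears byte-for-byte inside `OUTER`, so any device on the IPv6 path can read it; encapsulation alone gives no confidentiality, which has to come from a separate layer such as IPsec.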
20

Because whatever you put in one end of the tunnel comes out the other end.

6
  • 22
    Not everything. I tried putting my drink in one end of a VPN tunnel once, and not only was it not waiting for me at work, but my computer stopped working for some reason.
    Commented Mar 20, 2017 at 8:35
  • 17
    @HopelessN00b: probably because your drink wasn't properly formatted as TCP/IP
    – Stephan
    Commented Mar 20, 2017 at 9:40
  • 8
    @HopelessN00b Drinks are implemented in Layer 1 while most VPNs are implemented in Layer 4. You must use software to somehow translate the drink to the proper layer for any hope. Also, be sure to have software on the receiving end or there may be unforeseen consequences.
    – pcnate
    Commented Mar 20, 2017 at 20:16
  • 5
    @pcnate hm - Layer 1 is hardware. Not sure if it can handle softdrinks at all.
    – Stephan
    Commented Mar 21, 2017 at 11:36
  • 5
    For wine you need a USBwine adapter, I'm not sure if you can hack it to do beer or vodka.
    – satibel
    Commented Mar 21, 2017 at 12:47
