diff --git a/hkexnet/consts.go b/hkexnet/consts.go
index 009e1d7..34ea3a0 100644
--- a/hkexnet/consts.go
+++ b/hkexnet/consts.go
@@ -50,6 +50,8 @@ const (
 CSONone = iota // No error, normal packet
 CSOHmacInvalid // HMAC mismatch detected on remote end
 CSOTermSize // set term size (rows:cols)
+ CSOTunReq // client tunnel open request (dstport)
+ CSOTunAck // server tunnel open ack (tunport)
 CSOExitStatus // Remote cmd exit status
 CSOChaff // Dummy packet, do not pass beyond decryption
 )
diff --git a/hkexnet/hkexnet.go b/hkexnet/hkexnet.go
index 1076afa..9c17928 100644
--- a/hkexnet/hkexnet.go
+++ b/hkexnet/hkexnet.go
@@ -73,7 +73,29 @@ type (
 szMax uint // max size in bytes
 }
- //h *hkex.HerraduraKEx // TODO: make an interface?
+ // Tunnels
+ // --
+ // 1. client is given (lport, remhost, rport) by local user
+ // 2. client sends [CSOTunReq:rport] to server
+ // client=> [CSOTunReq:rport] =>remhost
+ // t := TunEndpoint{dataPort: lport, peer: remhost}
+ //
+ // remhost allocates dynamic (Tport)
+ // t := TunEndpoint{dataPort: rport, peer: client, tunPort: Tport}
+ //
+ // remhost spawns goroutine forwarding data between (Tport,rport)
+ // client<= [CSOTunAck:Tport] <=remhost
+ // t.tunPort = Tport
+ //
+ // client spawns goroutine forwarding data between (lport,Tport)
+ // --
+
+ // TunEndpoint [securePort:peer:dataPort]
+ TunEndpoint struct {
+ tunPort uint16
+ peer net.Addr
+ dataPort uint16
+ }
 // Conn is a connection wrapping net.Conn with KEX & session state
 Conn struct {
@@ -791,6 +813,10 @@ func (hc Conn) Read(b []byte) (n int, err error) {
 hc.SetStatus(CSETruncCSO)
 }
 hc.Close()
+ } else if ctrlStatOp == CSOTunReq {
+ Log.Notice("[Client Tunnel Open Request - TODO]\n")
+ } else if ctrlStatOp == CSOTunAck {
+ Log.Notice("[Server Tunnel Open Ack - TODO]\n")
 } else {
 hc.dBuf.Write(payloadBytes)
 //log.Printf("hc.dBuf: %s\n", hex.Dump(hc.dBuf.Bytes()))
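Review bot: In hkexnet/consts.go, adding `CSOTunReq` and `CSOTunAck` in the middle of the iota list renumbers `CSOExitStatus` and `CSOChaff`, which each move up by two. If these values travel on the wire as the control/status op (the `ctrlStatOp` comparisons in `Read` suggest they do), a peer built before this commit and one built after it will disagree: an old peer's exit-status packet would be read as a tunnel request, and a new peer's chaff would no longer be recognised by an old peer and could fall through to the data path. Appending the new ops after `CSOChaff`, or giving every op an explicit value, keeps the existing numbers stable. A comment such as `// wire values: append only, never reorder` above the list would document the constraint.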
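Review bot: In hkexnet/hkexnet.go, the `TunEndpoint` doc line describes the layout as `[securePort:peer:dataPort]` while the struct declares `tunPort`; suggest `// TunEndpoint [tunPort:peer:dataPort]` so the comment and the fields agree. The design comment above it also leaves unstated who may connect to the dynamically allocated Tport on the server and whether the rport a client requests is restricted in any way, both of which decide how far a tunnel can reach once the TODO is implemented. Adding a line like `// TODO: state who may connect to Tport and which rport values the server accepts` would keep that decision visible. The enclosing `type (` block starts before the hunk and `Conn struct` continues past it.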
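Review bot: The new `CSOTunReq` and `CSOTunAck` branches in `Read` accept the op from the peer without looking at the payload or at which end of the connection received it, and the port carried in `payloadBytes` is dropped. That is harmless while the branches only log, but the TODO should record the checks needed before the port is ever used: a length check that sets a truncation status, as the branch above appears to do with `CSETruncCSO`, and rejection of a request arriving at a client or an ack arriving at a server. Suggest adding `// TODO: validate len(payloadBytes) and connection role before acting on the port` in both branches. `Read` starts and ends outside the hunk, so the surrounding checks are not visible here.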