Open Source (was Simple SSL/TLS - Some Questions)

Perry E. Metzger perry at piermont.com
Thu Oct 9 09:42:18 EDT 2003


Peter Clay <pete at flatline.org.uk> writes:
> Having spent much of the past few weeks trying to sort out a workable VPN
> solution, I think this is a good but doomed idea. http://vpn.ebootis.de/
> has the best free windows IPsec configuration tool I've found, but that
> doesn't help. Why? Because IPsec traffic is not TCP traffic and therefore
> gets dropped by random networks.
> 
> If you want a VPN that road warriors can use, you have to do it with
> IP-over-TCP. Nothing else survives NAT and aggressive firewalling, not even
> Microsoft PPTP.

Unfortunately, IP over TCP has very bad properties. TCP stacks figure
out what the maximum bandwidth they can send is by increasing the
transmission rate until they get drops, and then backing off. However,
the underlying TCP carrying the IP packets is a reliable,
retransmitting service, so there will never be any drops seen by the
overlaid TCP sessions. You end up with really ugly problems, in
short.

Port-forwarded TCP sessions, a la ssh, work a lot better.

Perry
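A toy model of the effect described above, added here as an example (it is not part of the original message and not anyone's real stack): an additive-increase/multiplicative-decrease sender pushing segments across a bottleneck, once directly, where overflow is dropped and the sender backs off, and once inside a reliable TCP tunnel, where the outer TCP retransmits everything and the inner sender never sees a loss. Capacity, buffer size and round counts are constructed values; a "round" stands for one round-trip time.

```python
# Constructed toy model (added example, made-up numbers). One round = one RTT.
# Units: segments per round.


def run_direct(rounds, capacity, buffer, cwnd=1):
    """Inner TCP talks to the lossy link directly: overflow is dropped,
    the sender sees the drop and halves its window (classic AIMD)."""
    peak = 0
    for _ in range(rounds):
        offered = cwnd
        peak = max(peak, offered)
        if offered > capacity + buffer:
            cwnd = max(1, cwnd // 2)   # loss seen -> multiplicative decrease
        else:
            cwnd += 1                  # no loss -> additive increase
    # Window stays bounded around the link's real capacity.
    return {"cwnd": cwnd, "backlog": 0, "peak_offered": peak}


def run_tunnelled(rounds, capacity, cwnd=1):
    """Inner TCP inside a reliable TCP tunnel: the outer TCP retransmits, so
    nothing is ever dropped from the inner session's point of view. The inner
    window only ever grows; excess segments pile up in the tunnel's queue."""
    backlog = 0
    for _ in range(rounds):
        backlog += cwnd                         # all inner segments enter the tunnel
        backlog = max(0, backlog - capacity)    # outer TCP drains `capacity` per round
        cwnd += 1                               # no loss signal -> keeps increasing
    return {
        "cwnd": cwnd,
        "backlog": backlog,
        # Extra queueing delay the inner session now experiences, in RTTs.
        "queue_delay_rounds": backlog / capacity,
    }


if __name__ == "__main__":
    direct = run_direct(rounds=20, capacity=8, buffer=4)
    tunnel = run_tunnelled(rounds=20, capacity=8)
    print("direct   :", direct)    # window settles near the real capacity
    print("tunnelled:", tunnel)    # window and backlog keep growing
```

The direct run oscillates around the link's capacity; the tunnelled run never receives a congestion signal, so its window and the tunnel's queue (and hence latency) grow every round.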

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com