Open Source (was Simple SSL/TLS - Some Questions)

Guus Sliepen guus at sliepen.eu.org
Thu Oct 9 10:26:45 EDT 2003


On Thu, Oct 09, 2003 at 09:42:18AM -0400, Perry E. Metzger wrote:

> > If you want a VPN that road warriors can use, you have to do it with
> > IP-over-TCP. Nothing else survives NAT and aggressive firewalling, not even
> > Microsoft PPTP.
> 
> Unfortunately, IP over TCP has very bad properties. TCP stacks figure
> out what the maximum bandwidth they can send is by increasing the
> transmission rate until they get drops, and then backing off. However,
> the underlying TCP carrying the IP packets is a reliable,
> retransmitting service, so there will never be any drops seen by the
> overlayed TCP sessions. You end up with really ugly problems, in
> short.
> 
> Port-forwarded TCP sessions, a la ssh, work a lot better.

If you run your VPN over TCP, and the VPN daemon therefore knows that
every packet it sends to the other side of the connection will arrive
anyway, you can do proxy-ACK, which essentially means you automatically
do port-forwarding for all TCP sessions on the virtual network
interface.

Still, not only is TCP-over-TCP a problem, anything realtime over TCP
(like VoIP, games, streaming video) suffers from it.

SCTP (RFC 2960) looks like a solution, although I don't know of NATs
that support it, and although some platforms already have some support
for it in their kernels, I don't think it's possible to write a user
space application using SCTP yet.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>

