[14593] in cryptography@c2.net mail archive


Re: Open Source (was Simple SSL/TLS - Some Questions)

daemon@ATHENA.MIT.EDU (Guus Sliepen)
Thu Oct 9 21:02:41 2003

X-Original-To: cryptography@metzdowd.com
Date: Thu, 9 Oct 2003 16:26:45 +0200
From: Guus Sliepen <guus@sliepen.eu.org>
To: cryptography@metzdowd.com
Mail-Followup-To: Guus Sliepen <guus@sliepen.eu.org>,
	cryptography@metzdowd.com
In-Reply-To: <87smm27cjp.fsf@snark.piermont.com>

On Thu, Oct 09, 2003 at 09:42:18AM -0400, Perry E. Metzger wrote:

> > If you want a VPN that road warriors can use, you have to do it with
> > IP-over-TCP. Nothing else survives NAT and aggressive firewalling, not even
> > Microsoft PPTP.
> 
> Unfortunately, IP over TCP has very bad properties. TCP stacks figure
> out what the maximum bandwidth they can send is by increasing the
> transmission rate until they get drops, and then backing off. However,
> the underlying TCP carrying the IP packets is a reliable,
> retransmitting service, so there will never be any drops seen by the
> overlayed TCP sessions. You end up with really ugly problems, in
> short.
> 
> Port-forwarded TCP sessions, a la ssh, work a lot better.

If you run your VPN over TCP, and the VPN daemon therefore knows that
every packet it sends to the other side of the connection will arrive
anyway, you can do proxy-ACK, which essentially means you automatically
do port-forwarding for all TCP sessions on the virtual network
interface.

Still, not only is TCP-over-TCP a problem, anything realtime over TCP
(like VoIP, games, streaming video) suffers from it.

SCTP (RFC 2960) looks like a solution, although I don't know of NATs
that support it, and although some platforms already have some support
for it in their kernels, I don't think it's possible to write a user
space application using SCTP yet.

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.eu.org>
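The interaction the two messages above describe (an inner TCP whose segments ride inside an outer, reliable TCP) can be made concrete with a small discrete-event model. This is an added illustration and not part of the original thread or of any VPN implementation. It assumes a stop-and-wait inner sender with a fixed retransmission timeout, a lossless ACK path, and a constructed drop pattern; real stacks adapt their RTO and run a congestion window, which changes the numbers but not the effect shown here: when the tunnel is reliable, the outer TCP resends every dropped packet, the inner timer still fires and resends the same segment, and the receiver ends up with duplicate copies that the inner sender never sees as a loss.

```python
"""Toy discrete-event model of an inner TCP-like sender running over a tunnel
that is either reliable (TCP-over-TCP) or lossy (TCP-over-UDP).
Constructed example; times are arbitrary milliseconds."""
import heapq
from dataclasses import dataclass


@dataclass
class Result:
    inner_sends: int           # segments the inner TCP handed to the tunnel (incl. its retransmits)
    outer_packets: int         # packets the tunnel put on the wire (incl. the tunnel's own retransmits)
    duplicates_delivered: int  # copies the receiver saw of a segment it already had
    finish_time: float         # time the last inner segment was acknowledged


def simulate(n_segments, loss_set, *, tunnel_reliable,
             one_way=50.0, inner_rto=200.0, outer_rto=300.0):
    """Stop-and-wait inner sender with a fixed RTO (assumption for simplicity).

    loss_set: 0-based indices, counting every packet the inner TCP hands to the
    tunnel, that the network drops once.  ACKs are never dropped (assumption).
    tunnel_reliable=True: the tunnel notices the drop after outer_rto and
    resends, so the segment still arrives, just late.  False: the packet is
    gone and only the inner TCP's own timer can recover it."""
    events = []
    counter = 0

    def push(t, kind, payload):
        nonlocal counter
        heapq.heappush(events, (t, counter, kind, payload))
        counter += 1

    inner_sends = outer_packets = dups = 0
    delivered = set()
    cur = 0          # inner segment currently in flight
    timer_gen = 0    # bumping this invalidates the pending timer
    finish = 0.0

    def send_inner(t, seg):
        nonlocal inner_sends, outer_packets, timer_gen
        idx = inner_sends
        inner_sends += 1
        outer_packets += 1
        if idx in loss_set:
            if tunnel_reliable:
                outer_packets += 1                      # outer TCP retransmits on its own
                push(t + outer_rto + one_way, "data", seg)
            # unreliable tunnel: the packet simply vanishes
        else:
            push(t + one_way, "data", seg)
        timer_gen += 1
        push(t + inner_rto, "timer", (seg, timer_gen))

    send_inner(0.0, 0)
    while events:
        t, _, kind, payload = heapq.heappop(events)
        if kind == "data":                              # receiver side
            if payload in delivered:
                dups += 1
            else:
                delivered.add(payload)
            push(t + one_way, "ack", payload)
        elif kind == "ack":                             # sender side
            if payload == cur:
                timer_gen += 1                          # cancel the pending timer
                cur += 1
                if cur < n_segments:
                    send_inner(t, cur)
                else:
                    finish = t
        else:                                           # inner retransmission timer
            seg, gen = payload
            if seg == cur and gen == timer_gen:
                send_inner(t, seg)
    return Result(inner_sends, outer_packets, dups, finish)


def compare(n_segments=4, loss_set=frozenset({1, 2})):
    """Run the same constructed drop pattern over both tunnel types."""
    return {
        "tcp_over_tcp": simulate(n_segments, loss_set, tunnel_reliable=True),
        "tcp_over_udp": simulate(n_segments, loss_set, tunnel_reliable=False),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, r)
```

With the default pattern (the second and third tunnel packets dropped), the lossy tunnel recovers purely through the inner timer and puts six packets on the wire with no duplicates, while the reliable tunnel puts eight on the wire and delivers two redundant copies: every inner retransmission over a reliable tunnel is wasted, and because the inner sender never observes a loss it has no signal from which to back off.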


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
