On Tue, 2002-09-03 at 08:17, Javier Gostling wrote:
> On Tue, Sep 03, 2002 at 12:12:29AM -0700, Gordon Messmer wrote:
> 
> > Matthew hasn't updated that document in a long time, but he means to. 
> > In the meantime, the ssh-vpn scripts here:
> > http://www.dragonsdawn.net/~gordon/vpn/
> 
> Beware of vpn tunnels over TCP. They are dangerous, especially if you
> start to have packet loss. Since you have two TCP packets lost simultaneously
> (the VPN transport packet and the data packet), you have double retransmission,
> which leads to more packet loss, which leads to more retransmission... get it?

You're right, there are problems with TCP over TCP tunnels, but
double retransmission isn't one of them.  If there's packet loss, the IP
packets for the SSH session will be retransmitted; the tunneled traffic
will only be delayed.  TCP backoff algorithms will prevent
retransmission from becoming a storm (where CIPE over UDP will not),
though this may degrade the maximum throughput of the tunnel given a
longer view.

PPP over SSH is very nice in that it should work on a variety of UNIXes.  I
plan to test my scripts on OS X as soon as I can get the iBook away from
my girlfriend for long enough to do so.  ;)  IPSec still isn't available
on a lot of OSes.

> Haven't tried cipe, but vtund works like a charm. The RPMs install on both
> enigma and valhalla without a glitch, and configuration is quite easy.

I've used vtund in the past.  It used to have serious stability problems
compared to the PPP/SSH tunnels that I've used.  That's probably not
the case any more.  All the same, I don't recommend it, as it's one more
port/service/protocol operating on the VPN host.  Doing encryption and
writing secure C code seem to be hard for some people to "get", as
evidenced by the URL you gave.

CIPE is a better alternative than vtund, IMO.




-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
