Re: New ISO and VPN tunnelling

From: Michael Tokarev (mjt@private)
Date: Tue Sep 03 2002 - 11:42:35 PDT


Radek Michalski wrote:
> 
> Hi!
> 
> I'm wondering when there's gonna be a new ISO release of Owl. We've got
> the openssh commotion behind us, so it's a good time to make a new release, I
> think.
> 
> One more thing: a few months ago I wrote about tests I was gonna make on
> the CIPE / FreeS/WAN tunnelling mechanisms. So I made those and IMHO there are
> good reasons to include and use CIPE (I know that it encapsulates packets
> in UDP, which may be taken as a disadvantage).

Why is it a disadvantage?!  It is a big advantage compared to TCP-based
tunnels (a common mistake is to use e.g. ppp over ssh).  TCP is too much
work for an IP stack: double send/receive queues, double dealing with
packet loss etc.

> First of all: tunnels made with CIPE are more stable, they can be up for
> weeks. In the same conditions I've tested F/S and it wasn't so stable.
> Second thing is configuration: CIPE is easier to configure [I really don't
> know about very complicated configurations w/o a standard environment -
> for my purposes CIPE had a clearer conf.]. Speed - I think it's equal.

Well, yes, CIPE is stable and it's much simpler (both in setting it
up and from a software point of view).  F/S is just too big for most
cases, and being big it's obviously too complex a piece of software.

But.  CIPE is unique to Linux (if memory serves me right - I don't
remember if it exists for other unixes too).  F/S tries to be compatible
with other implementations, it is based on standards.  CIPE has no
real key exchange infrastructure in place while F/S has.  And it's
unknown *to me* how strong the CIPE protocols are (errm - I'm in no
way a security/crypto expert).  The protocols used in F/S are strong
(enough - for *what*? ;), I believe, since those protocols were developed
by a community of crypto experts...

Concerning CIPE - there is another similar solution, vtund.
It is weaker compared to cipe, and for me, I can't trust it even
to *run* it on our machine, unfortunately, because it is not written
very accurately (oh well, and it's me who is one of its developers... ;)
It too is a simple one, it is also stable, and it can work as
a "vpn server" in the sense of a "dialin server" - i.e. when you have
really many clients and one server machine that should handle all
those clients just like a dialin server handles modem connections
(this is essential for us, and cipe can't do that - with CIPE, one
will need to create a network interface for every client and run
ciped bound to a unique port for that).  That is to say - I like CIPE,
but I can't use it because it lacks some features I need...

There is another tunnel solution similar to vtund and cipe,
OpenVPN, http://openvpn.sourceforge.net/.  What is good (and
bad at the same time) about both vtund and openvpn is that
both run in userspace, thus there is less risk of crashing the system
after a possible bug (cipe protocol details are handled inside the
kernel).  (This is not so good from a performance point of view).

But in any case, I think that any solution should be at least
audited before it goes onto the Owl ISO...

/mjt



This archive was generated by hypermail 2.1.3 : Sun Jan 15 2006 - 13:43:16 PST