Hi,
> Wouldn't an SSH Tunnel completely defeat the purpose of cipe? (Besides
> the ease of configuration and stability, I think the general idea was to
> avoid a TCP over TCP Tunnel because these are problematic)
No, OpenSSL / OpenSSH is a piece of garbage with more holes in it than a
sieve. Maybe one day it'll get secure and stable, but till today I've
been running around to install patches and upgrades without end. And
nobody knows where and when the next exploit will pop up.
Also, doing SSH "tunnels" is doing TCP over TCP. TCP is a connection
based protocol with a transmit window to allow for acknowledge turnaround
delays over a WAN. Now imagine (and experience) what will happen if one
of the routers to the remote site is getting saturated. It'll start
dropping packets. Now there's two layers of TCP that start trying to
manage that. I can tell that it'll get slow beyond belief.
Then there are things like routing, NAT and packet filtering that require
the tunneling to use the correct hooks in the kernel, a thing user-space
code simply cannot do.
IP-sec is a nice try, but some notches too complex for my taste. Just
try to properly firewall it. And a VPN that's not solidly nailed down by
any added firewalling you can manage is a bit silly.
Every problem has a best-fit-solution. For my situation cipe cannot be
replaced with anything I've investigated so far. And actually, I have
little reason to wish that. It's got an excellent security track record, is
very fast and extremely simple. Yes simple. I do remember myself trying
to get it to work the first time with clammy hands. All my problems had
to do with my lack of knowledge on routing, firewalling, network
protocols and the like. Just fight it through. Do not expect to get
anything secure without such knowledge. There's no package that will do
it for you, even if it might "work" without much hassle.
Peter.
PS. Try to quote somewhat selectively. It's more friendly to your audience.
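The TCP-over-TCP effect Peter describes (two layers of retransmission timers reacting to the same packet loss) can be made concrete with a small event simulation. The following is an added example written for this thread; it is not CIPE code and not from any SSH implementation. It models both the inner TCP and the tunnel as stop-and-wait senders with RTO doubling, assumes acknowledgements are never lost, and decides which wire transmissions a saturated router drops from a fixed `drop` set so the runs are reproducible. With `tunnel_reliable=False` the tunnel behaves like CIPE's UDP transport (a lost packet is just gone and only the inner TCP reacts); with `tunnel_reliable=True` the tunnel also retransmits and delivers strictly in order, so the inner TCP's duplicate retransmissions queue up behind the tunnel's own recovery.

```python
import heapq
from collections import deque

# Timer events sort after packet arrivals that fall on the same tick.
ARRIVAL, TIMER = 0, 1


def simulate(n_segments, drop, rtt=100, tunnel_reliable=True):
    """Stop-and-wait inner TCP sending n_segments across a lossy path.

    drop: set of 1-based wire-transmission numbers the path loses (constructed input).
    tunnel_reliable=True models TCP-over-TCP: the tunnel retransmits a lost packet
    itself (with exponential backoff) and delivers strictly in order.
    tunnel_reliable=False models a UDP-style tunnel: a lost packet is simply gone.
    Returns (elapsed_ticks, wire_transmissions).
    """
    one_way = rtt // 2
    events = []
    seq = 0

    def schedule(t, prio, kind, payload):
        nonlocal seq
        heapq.heappush(events, (t, prio, seq, kind, payload))
        seq += 1

    now = 0
    wire = 0
    seg = 0                  # inner segment awaiting acknowledgement
    inner_rto = 2 * rtt
    inner_epoch = 0          # bumped on every (re)send and ack; stale timers are ignored
    outer_q = deque()        # tunnel's in-order send queue (reliable mode only)
    outer_busy = False
    outer_rto = 2 * rtt

    def on_wire():
        nonlocal wire
        wire += 1
        return wire not in drop          # True if the packet survives the path

    def outer_send():
        nonlocal outer_busy
        head = outer_q[0]
        outer_busy = True
        if on_wire():
            schedule(now + one_way, ARRIVAL, "deliver", head)
        else:
            schedule(now + outer_rto, TIMER, "outer_timeout", head)

    def inner_send():
        nonlocal inner_epoch
        inner_epoch += 1
        schedule(now + inner_rto, TIMER, "inner_timeout", inner_epoch)
        if tunnel_reliable:
            outer_q.append(seg)          # a retransmit becomes a queued duplicate
            if not outer_busy:
                outer_send()
        elif on_wire():
            schedule(now + one_way, ARRIVAL, "deliver", seg)

    inner_send()
    while seg < n_segments and events:
        now, _, _, kind, payload = heapq.heappop(events)
        if kind == "deliver":
            schedule(now + one_way, ARRIVAL, "ack", payload)
            if tunnel_reliable:
                schedule(now + one_way, ARRIVAL, "outer_ack", payload)
        elif kind == "ack":
            if payload == seg:           # acks for delivered duplicates are ignored
                seg += 1
                inner_rto = 2 * rtt
                inner_epoch += 1
                if seg < n_segments:
                    inner_send()
        elif kind == "outer_ack":
            outer_busy = False
            outer_rto = 2 * rtt
            outer_q.popleft()
            if outer_q:
                outer_send()
        elif kind == "inner_timeout":
            if payload == inner_epoch:   # inner TCP gave up waiting, resends
                inner_rto *= 2
                inner_send()
        elif kind == "outer_timeout":    # tunnel's own retransmission
            outer_rto *= 2
            outer_send()
    return now, wire


if __name__ == "__main__":
    for drops in ({}, {1}, {1, 2}):
        udp = simulate(2, set(drops), tunnel_reliable=False)
        tcp = simulate(2, set(drops), tunnel_reliable=True)
        print(f"drops={sorted(drops)} udp-tunnel={udp} tcp-over-tcp={tcp}")
```

With no loss both tunnels cost the same; with one or two consecutive losses the reliable tunnel needs more time and more wire transmissions for the same two segments, because every inner retransmission fired during the outer recovery is still delivered afterwards and blocks the next segment. Real stacks use windows rather than stop-and-wait and lose acks too, which makes the interaction worse, not better.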