<< | Thread Index | >> ]    [ << | Date Index | >> ]

Subject: Re: NAT... misunderstanding
From: Peter van den Heuvel <peter,AT,bank-connect,DOT,com>
Date: Sun, 6 Oct 2002 14:07:05 +0200
In-reply-to: <944775566166B64B9A2DD5EE0159B5CDB95D@europa.directory.futurefoundations.com>

Hi,

> Wouldn't an SSH Tunnel completely defeat the purpose of cipe?  (Besides 
> the ease of configuration and stability, I think the general idea was to 
> avoid a TCP over TCP Tunnel because these are problematic)
No, OpenSSL / OpenSSH is a piece of garbage with more holes in it than a 
sieve. Maybe one day it'll get secure and stable, but till today I've 
been running around to install patches and upgrades without end. And 
nobody knows where and when the next exploit will pop up.

Also, doing SSH "tunnels" is doing TCP over TCP. TCP is a connection 
based protocol with a transmit window to allow for ackowledge turnaround 
delays over a WAN. Now imagine (and experience) what will happen if one 
of the routers to the remote site is getting saturated. It'll start 
dropping packets. Now there's two layers of TCP that start trying to 
manage that. I can tell that it'll get slow beyond belief.

Then there's things like routing, NAT and packet filtering that require 
the tunneling to use the correct hooks in the kernel, a thing user-space 
code simply cannot do.

IP-sec is a nice try, but some notches too complex for my taste. Just 
try to properly firewall it. And a VPN that's not solidly nailed down by 
any added firewalling you can manage is a bit silly.

Every problem has a best-fit-solution. For my situation cipe cannot be 
replaced with anything I've investigated so far. And actually, I have 
little reason to wish that. It's got excellent security track record, if 
very fast and extremely simple. Yes simple. I do remember myself trying 
to get it to work the first time with clammy hands. All my problems had 
to do with my lack of knowledge on routing, firewalling, network 
protocols and the like. Just fight it through. Do not expect to get 
anything secure without such knowledge. There's no package that will do 
it for you, even if it might "work" without much hassel.

Peter.

PS. Try to quote a somewhat selective. It's more frienly to your audience.





<< | Thread Index | >> ]    [ << | Date Index | >> ]