Date: Tue, 03 Sep 2002 22:42:35 +0400
From: Michael Tokarev <mjt@....msk.ru>
To: owl-users@...ts.openwall.com
Subject: Re: New ISO and VPN tunnelling

Radek Michalski wrote:
>
> Hi!
>
> I'm wondering when there's gonna be a new ISO release of Owl. We've got
> the openssh commotion behind us, so it's a good time to make a new release, I
> think.
>
> One more thing: a few months ago I wrote about tests I was going to make
> on CIPE / FreeS/WAN tunnelling mechanisms. So I made those and IMHO there are
> good reasons to include and use CIPE (I know that it encapsulates packets
> in UDP, which may be taken as a disadvantage).

Why is it a disadvantage?! It is a big advantage compared to TCP-based
tunnels (a common mistake is to use e.g. ppp over ssh). TCP is too much work
for an IP stack: double send-receive queues, double dealing with packet loss
etc.

> First of all: tunnels made with CIPE are more stable, they can be up for
> weeks. In the same conditions I've tested F/S and it wasn't so stable.
> Second thing is configuration: CIPE is easier to configure [I really don't
> know about very complicated configurations w/o a standard environment -
> for my purposes CIPE had a clearer conf.]. Speed - I think it's equal.

Well, yes, CIPE is stable and it's much simpler (both in setting it up and
from a software point of view). F/S is just too big for most cases, and
being big it's obviously too complex a piece of software.

But. CIPE is unique to linux (if memory serves me right - I don't remember
if it exists for other unixes too). F/S tries to be compatible with other
implementations; it is based on standards. CIPE has no real key exchange
infrastructure in place while F/S has. And it's unknown *for me* how strong
CIPE protocols are (errm - I'm in no way a security/crypto expert).
Protocols used in F/S are strong (enough - for *what*? ;), I believe, since
those protocols were developed by a community of crypto experts...

Concerning CIPE - there is another similar solution, it's vtund. It is
weaker compared to cipe, and for me, I can't trust it even to *run* it on
our machine, unfortunately, because it is not written very accurately (oh
well, and it's me who is one of its developers... ;) It is a simple one
too, it is also stable, and it can work as a "vpn server" in the sense of a
"dialin server" - i.e. when you have really many clients and one server
machine that should handle all those clients just like a dialin server
handles modem connections (this is essential for us, and cipe can't do that
- with CIPE, one will need to create a network interface for every client
and run ciped bound to a unique port for that). That is to say - I like
CIPE, but I can't use it because it lacks some features I need...

There is another tunnel solution similar to vtund and cipe, OpenVPN,
http://openvpn.sourceforge.net/. What is good (and bad at the same time)
about both vtund and openvpn is that both run in userspace, thus less risk
of crashing the system after a possible bug (cipe protocol details are
handled inside the kernel). (This is not so good from a performance point of
view).

But in any way, I think that any solution should be at least audited before
it goes into the Owl ISO...

/mjt
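The TCP-over-TCP point in the message above (two layers each retransmitting, the outer one faithfully carrying the inner one's duplicates), as an added toy simulation that is not part of the original thread and is not CIPE, vtund or OpenVPN code: one segment crosses a constructed link that drops everything sent during its first few seconds, and the `outage_channel` helper and the `rto_inner` / `rto_outer` timer values are assumptions of the model, not measurements.

```python
# Toy model of why a TCP-based tunnel (e.g. ppp over ssh) handles loss worse
# than a UDP-based one (CIPE, vtund, OpenVPN): with TCP inside TCP both
# layers run their own retransmission timers, and the outer layer must
# reliably deliver every duplicate the inner layer produces. Constructed
# model with made-up timer values; not code from any of those projects.

def outage_channel(outage_ends_at):
    """Constructed link: every packet put on the wire before `outage_ends_at`
    is lost; everything sent afterwards gets through."""
    return lambda sent_at: sent_at < outage_ends_at

def deliver_reliably(lost, rto, start):
    """One TCP layer delivering one segment: retransmit with exponential
    backoff until a copy gets through. Returns (wire_sends, delivered_at)."""
    t, sends, backoff = start, 0, rto
    while True:
        sends += 1
        if not lost(t):
            return sends, t
        t += backoff
        backoff *= 2

def tcp_over_udp(lost, rto_inner):
    """TCP over a UDP tunnel: the tunnel just forwards datagrams, so only the
    inner stack ever retransmits."""
    return deliver_reliably(lost, rto_inner, 0)

def tcp_over_tcp(lost, rto_inner, rto_outer):
    """TCP over a TCP tunnel: the outer stack retransmits on its own, the inner
    stack cannot see that and retransmits when its own timer expires, and the
    outer stack then carries each of those duplicates reliably as well."""
    total, first_delivery = deliver_reliably(lost, rto_outer, 0)
    timer, backoff = rto_inner, rto_inner
    while timer < first_delivery:  # inner stack still has no ACK: retransmit
        sends, done = deliver_reliably(lost, rto_outer, timer)
        total += sends
        first_delivery = min(first_delivery, done)
        backoff *= 2
        timer += backoff
    return total, first_delivery

if __name__ == "__main__":
    lost = outage_channel(3.5)  # constructed: link is dead for the first 3.5 s
    print("TCP over UDP (sends, delivered_at):", tcp_over_udp(lost, 1))     # (4, 7)
    print("TCP over TCP (sends, delivered_at):", tcp_over_tcp(lost, 1, 1))  # (9, 4)
```

The extra copies happen to reach the far end a little earlier in this run, but every one of them stays queued for reliable delivery by the outer stack, which is the bandwidth amplification the message warns about.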