[VPN] advice ... which is better
Sep 22 2004 06:18PM
Peter Marshall (peter marshall caris com)
[VPN] Re: advice ... which is better
Sep 25 2004 03:55AM
Daniel Pittman (daniel rimspace net)
On 23 Sep 2004, Peter Marshall wrote:
> I have configured a vpn with ssh running over a ppp tunnel. The ssh
> connection is initiated using ssh key authentication. The two vpn
> gateways would be the internal firewalls of two different networks.
> This allows for one network to be able to see the other internal
> network and vice versa. If the other network is trusted, is this a bad
Yes, but possibly less bad than not having the connectivity. This means
that not only are *your* network boundaries a security risk, so are the
So, your network security is equivalent to the minimum of the two
networks' security levels.
> It seems like it would be the same as adding more users to your existing
> network (provided their network is at least as secure as your own.
Yes. Also, you can usually put *some* firewalls in place between the two
which can help reduce the risk of hostile traffic crossing over between
> I am wondering how IPSec would be better?
PPP over SSH works fine until you hit packet loss from congested links.
The moment you do, the SSH layer will retransmit the packet that was
dropped. At the same time the PPP layer will retransmit the packet that
So, all of a sudden you have *two* copies of that packet being sent.
If either copy is dropped because, say, your link is congested, the same
thing happens and you have three copies to send.
Wash, rinse, watch your VPN fall down and not get back up again.
IPSec, which does not put two layers of retransmissions in place, will
not fall over in this case. It will (correctly) retransmit packets on
loss, and act in a sensible fashion.
Likewise, any sort of VPN over UDP will do the same thing - retransmit
only at one layer - the VPN, or the PPP layer, but either works.
> I have not yet configured this, however, it does look significantly
> more complicated.
It usually is.
> If someone could explain the advantages of ipsec over the ssh tunnel
> .. or even the disadvantages of the ssh tunnel I would greatly
> appreciate it.
TCP over TCP never, ever, works well. There are way too many places
where having the two layers of reliability cause catastrophic collapse
rather than recovery.
If you really need a VPN solution that is easier than IPSec to deploy,
but isn't as error prone as PPP over SSH, consider the 'OpenVPN'
While they have not had the same degree of security attention that IPSec
has, their protocols are much simpler and they have had a small degree
of review by crypto experts who said, basically, "I see nothing
immediately apparent that makes this insecure."
Most of the *other* options for VPN over UDP with home-brew protocols
review something like "looks good, but the implementation makes it
pointless to include the crypto layer at all."
The youth gets together his materials to build a bridge to the moon, or,
perchance, a palace or temple on the earth, and, at length, the middle-aged
man concludes to build a woodshed with them.
-- Henry David Thoreau
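As an added illustration (not part of the thread or of any project it names), a toy discrete-time simulation of the two-layers-of-retransmission effect Daniel describes: one TCP flow carried either through a tunnel that retransmits on its own with exponential backoff (PPP over SSH) or through a carrier that simply drops (UDP). Segment counts, timer values, the loss rate and the traffic pattern are all constructed, and the model is deliberately simplified (zero RTT, lossless reverse path, stop-and-wait tunnel), so treat it as a demonstration of the mechanism, not as a measurement.

```python
import random

def simulate(n_segments, loss, outer_reliable, seed=7, window=4,
             inner_rto=6, outer_rto=4, max_ticks=200_000):
    """Inner TCP flow through a lossy tunnel. outer_reliable=True mimics PPP over
    SSH (the tunnel retransmits lost frames itself, backing off exponentially);
    False mimics a UDP carrier. Returns ticks, link sends and wasted deliveries."""
    rng = random.Random(seed)
    acked = [False] * n_segments
    fire, rto = {}, {}   # unacked segment -> inner timer deadline / current RTO
    outer_q = []         # frames handed to the tunnel, one segment id each
    inflight, outer_fire, outer_rto_cur = None, 0, outer_rto
    next_new = link_sends = wasted = 0
    for t in range(max_ticks):
        if all(acked):
            return {"ticks": t, "link_sends": link_sends, "wasted": wasted}
        while next_new < n_segments and len(fire) < window:   # inner TCP window
            fire[next_new], rto[next_new] = t + inner_rto, inner_rto
            outer_q.append(next_new)
            next_new += 1
        for seg, deadline in list(fire.items()):
            if t >= deadline:          # inner layer stops waiting and resends
                outer_q.append(seg)
                rto[seg] *= 2
                fire[seg] = t + rto[seg]
        # tunnel: one frame per tick; a reliable tunnel stalls until its own retry
        if outer_reliable and inflight is not None:
            if t < outer_fire:
                continue
            seg = inflight             # outer layer retransmits the same frame
        elif outer_q:
            seg = outer_q.pop(0)
        else:
            continue
        link_sends += 1
        if rng.random() < loss:
            if outer_reliable:         # the tunnel will not give up on this frame
                inflight, outer_fire = seg, t + outer_rto_cur
                outer_rto_cur *= 2
            continue
        inflight, outer_rto_cur = None, outer_rto
        if acked[seg]:                 # a second copy of delivered data: capacity burnt
            wasted += 1
        else:                          # receiver acks at once (reverse path idealised)
            acked[seg] = True
            del fire[seg], rto[seg]
    return {"ticks": max_ticks, "link_sends": link_sends, "wasted": wasted}

def compare(n_segments=300, loss=0.2):
    return {"tcp_over_tcp": simulate(n_segments, loss, True),
            "tcp_over_udp": simulate(n_segments, loss, False)}
```

With a UDP carrier every inner retransmission replaces a frame that was actually lost, so `wasted` stays at zero; with a reliable tunnel the inner timer keeps firing during tunnel stalls, and every one of those copies still has to cross the link after the tunnel has already delivered the original.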
VPN mailing list
VPN (at) lists.shmoo (dot) com
Copyright 2010, SecurityFocus