2005-12-19
Federico Biancuzzi interviews OpenSSH developer Damien Miller to discuss features included in the upcoming version 4.3, public key crypto protocols details, timing based attacks and anti-worm measures.
OpenSSH cutting edge
2005-12-21
Anonymous (4 replies)

TCP dynamically measures the capacity and round trip times of the underlying network, to try to continually optimise performance based on the underlying network's available capacity. One of the tools it uses to do that is observing packet drops.
Unfortunately, when you put another reliability layer underneath that, in particular, TCP, you end up with the different TCP layers' reliability mechanisms interacting with each other. For example, if the underlying TCP performs lost packet recovery, that packet loss won't be visible to the upper TCP layer - rather, it will just look as though there has been a huge and instant increase in the network latency. The upper layer TCP will then think it has a much bigger capacity pipe between the TCP end points (bandwidth * delay product increases), and therefore dump a much larger amount of data into the TCP connection. This will cause much larger amounts of packet loss because it exceeds the actual network capacity, and again, the lower level TCP will attempt to recover it, which will then trick the upper TCP into thinking that the latency has increased dramatically again, etc.
IOW, TCP over TCP is really bad for both the underlying network, as it will be asked to deliver packet volumes that exceed its available capacity, and the application trying to use the upper layer TCP connection.
It works, just not very well at all, and is best avoided.
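As an added illustration, not part of the comment above or of the SecurityFocus column, here is a constructed toy model of the interaction the commenter describes: one link of fixed capacity, an upper TCP doing additive-increase/multiplicative-decrease, and an optional lower TCP that retransmits every drop so the upper layer never observes loss. The link capacity, round count and the per-round window arithmetic are simplifying assumptions, not a packet-level TCP implementation.

```python
"""Toy model of TCP-over-TCP: an inner TCP hides loss from an outer TCP.

Constructed simulation (assumption): time advances in rounds (one RTT of
the bare link), the link carries at most CAPACITY packets per round, and
the upper TCP grows its window by one packet per loss-free round and
halves it on loss, a crude AIMD.
"""

CAPACITY = 20  # packets the link can carry per round (constructed value)


def simulate(rounds: int, tunneled: bool, capacity: int = CAPACITY):
    """Run the model and return (upper cwnd, lower-layer retransmit backlog).

    tunneled=False: the upper TCP talks to the link directly, so excess
                    packets are dropped and it sees the loss.
    tunneled=True : a lower TCP sits in between and retransmits whatever the
                    link could not carry; the upper TCP sees only delay.
    """
    cwnd = 1        # upper TCP congestion window, packets offered per round
    backlog = 0     # packets the lower TCP still has to (re)transmit
    for _ in range(rounds):
        demand = backlog + cwnd                 # wants to cross the link now
        undelivered = max(0, demand - capacity)
        if tunneled:
            backlog = undelivered               # recovered, not lost: it queues
            cwnd += 1                           # no drop seen, keep probing
        else:
            backlog = 0                         # nothing underneath to retry
            cwnd = max(1, cwnd // 2) if undelivered else cwnd + 1
    return cwnd, backlog


def queueing_delay_rounds(backlog: int, capacity: int = CAPACITY) -> float:
    """Extra latency the upper layer experiences, in link round trips."""
    return backlog / capacity


if __name__ == "__main__":
    for mode in (False, True):
        cwnd, backlog = simulate(60, tunneled=mode)
        print(f"tunneled={mode}: cwnd={cwnd} backlog={backlog} "
              f"extra_delay={queueing_delay_rounds(backlog):.1f} RTTs")
```

With the direct link the window oscillates around the capacity and nothing queues; with the inner TCP the window climbs every round while the inner retransmit queue, and therefore the latency the outer TCP sees, grows without bound.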