OpenSSH cutting edge
Federico Biancuzzi, 2005-12-19

Federico Biancuzzi interviews OpenSSH developer Damien Miller to discuss features included in the upcoming version 4.3, public key crypto protocols details, timing based attacks and anti-worm measures.

OpenSSH cutting edge 2005-12-21
Alex Blewitt (1 replies)
Re: OpenSSH cutting edge 2005-12-21
Kelly Martin
Editorial: alter use of HTML-comments 2005-12-21
Anonymous (1 replies)
OpenSSH cutting edge 2005-12-21
Anonymous (4 replies)
Re: OpenSSH cutting edge 2005-12-21
Anonymous (1 replies)
Re: Re: OpenSSH cutting edge 2005-12-22
Anonymous
Re: OpenSSH cutting edge 2005-12-21
Anonymous (1 replies)
Re: Re: OpenSSH cutting edge 2005-12-29
Anonymous
Re: OpenSSH cutting edge 2005-12-22
Anonymous (1 replies)
Re: Re: OpenSSH cutting edge 2005-12-29
Anonymous
Re: OpenSSH cutting edge 2005-12-22
Anonymous
TCP over TCP considered harmful 2005-12-22
Anonymous (3 replies)
Re: TCP over TCP considered harmful 2005-12-22
Anonymous (1 replies)
Re: TCP over TCP considered harmful 2006-01-03
Baron von Leezard
The above analysis of how TCP over TCP goes wrong is not quite accurate. The issue has more to do with TCP's congestion avoidance backoff behavior when more than two sequential TCP packets are dropped. If you have two layered and independent timers, you can get very bad behavior.

This business of TCP over TCP being terrible seems to have been started here: [http://sites.inka.de/sites/bigred/devel/tcp-tcp.html]. I recall reading this analysis when it was first published. It makes some good points, but in reality is applicable to very few modern wired Internet scenarios. Note at the end of the analysis that the author mentions a packet loss rate of 10-20%. That's extraordinarily high for a wired network connection! It is fairly common for wireless connections, which serves as a good point of comparison. The assertion that 10-20% loss was bearable with a single TCP connection seems suspect: I've encountered this packet loss rate on wireless connections and it is completely unusable.

So, in short, I use TCP over TCP (actually SSH over SSH) all the time, and on any decent wired network connection with a normal packet loss rate (< 10^-4) it is completely usable. The new SSH tunneling capabilities are something I've looked forward to for a long time now and will be incredibly useful.

Brute force attack 2005-12-22
Jules
OpenSSH cutting edge 2006-01-03
Anonymous (2 replies)
Re: OpenSSH cutting edge 2006-01-07
communIT
Re: OpenSSH cutting edge 2007-11-10
Anonymous
OpenSSH cutting edge 2006-01-24
Chris Kendon







 

Copyright 2007, SecurityFocus