[VPN] Re: advice ... which is better

Daniel Pittman daniel at rimspace.net
Fri Sep 24 23:55:09 EDT 2004


On 23 Sep 2004, Peter Marshall wrote:
> I have configured a vpn with ssh running over a ppp tunnel. The ssh
> connection is initiated using ssh key authentication. The two vpn
> gateways would be the internal firewalls of two different networks.
> This allows for one network to be able to see the other internal
> network and vice versa. If the other network is trusted, is this a bad
> idea?

Yes, but possibly less bad than not having the connectivity.  This means
that not only are *your* network boundaries a security risk, so is the
remote network's.

So, your network security is equivalent to the minimum of the two
networks' security levels.

> It seems like it would be the same as adding more users to your existing
> network (provided their network is at least as secure as your own).

Yes. Also, you can usually put *some* firewalls in place between the two
which can help reduce the risk of hostile traffic crossing over between
the two.

> I am wondering how IPSec would be better?

PPP over SSH works fine until you hit packet loss from congested links.

The moment you do, the SSH layer will retransmit the packet that was
dropped.  At the same time the PPP layer will retransmit the packet that
was dropped.

So, all of a sudden you have *two* copies of that packet being sent.

If either copy is dropped because, say, your link is congested, the same
thing happens and you have three copies to send.

Wash, rinse, watch your VPN fall down and not get back up again.


IPSec, which does not put two layers of retransmissions in place, will
not fall over in this case.  It will (correctly) retransmit packets on
loss, and act in a sensible fashion.

Likewise, any sort of VPN over UDP will do the same thing - retransmit
only at one layer - the VPN, or the PPP layer, but either works.

> I have not yet configured this, however, it does look significantly
> more complicated.

It usually is.

> If someone could explain the advantages of ipsec over the ssh tunnel
> .. or even the disadvantages of the ssh tunnel I would greatly
> appreciate it.

TCP over TCP never, ever, works well.  There are way too many places
where having the two layers of reliability causes catastrophic collapse
rather than recovery.

If you really need a VPN solution that is easier than IPSec to deploy,
but isn't as error prone as PPP over SSH, consider the 'OpenVPN'
project.

While they have not had the same degree of security attention that IPSec
has, their protocols are much simpler and they have had a small degree
of review by crypto experts who said, basically, "I see nothing
immediately apparent that makes this insecure."


Most of the *other* options for VPN over UDP with home-brew protocols
review something like "looks good, but the implementation makes it
pointless to include the crypto layer at all."

Regards,
        Daniel
-- 
The youth gets together his materials to build a bridge to the moon, or,
perchance, a palace or temple on the earth, and, at length, the middle-aged
man concludes to build a woodshed with them.
        -- Henry David Thoreau
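The retransmission pile-up described in the reply above, as an added toy simulation that is not part of the original thread. Every parameter (link capacity, buffer size, loss rate, the fixed `rto` both layers share, the seed) is a constructed assumption chosen to make the effect visible; the same inner PPP/TCP traffic is run once over a UDP-style carrier and once over a TCP-style carrier that also retransmits.

```python
import random

def simulate(double_stack, ticks=300, offer_until=200, per_tick=3,
             capacity=5, buffer=8, loss=0.3, rto=8, seed=7):
    """Toy tick model of a tunnel over a lossy, congested link (not real TCP).
    Inner layer = PPP/TCP traffic inside the tunnel: it resends an unacked packet
    every `rto` ticks.  Outer layer = the carrier: with double_stack it is the SSH
    TCP session, which *also* resends every undelivered segment every `rto` ticks
    and never gives up; without it, it is UDP and only the inner layer recovers."""
    rng = random.Random(seed)  # seeded so the constructed run is reproducible
    st = dict(delivered=0,      # distinct packets acknowledged by the inner layer
              transmissions=0,  # segments offered to the link, retransmits included
              stale=0,          # copies delivered for packets already acknowledged
              buffer_drops=0)   # segments dropped because the link buffer was full
    inner = {}   # pkt_id -> tick at which the inner layer will resend it
    outer = {}   # seg_id -> (pkt_id, tick at which the outer layer would resend)
    queue = []   # the bottleneck link's buffer, holding seg_ids
    next_pkt = next_seg = 0
    def transmit(seg_id, pkt_id, t):
        outer[seg_id] = (pkt_id, t + rto)
        st["transmissions"] += 1
        if len(queue) < buffer:
            queue.append(seg_id)
        else:                                # congestion drop at the bottleneck
            st["buffer_drops"] += 1
            if not double_stack:
                del outer[seg_id]            # UDP carrier: nobody resends this
    for t in range(ticks):
        for _ in range(per_tick if t < offer_until else 0):  # fresh packets
            inner[next_pkt] = t + rto
            transmit(next_seg, next_pkt, t)
            next_pkt, next_seg = next_pkt + 1, next_seg + 1
        for pkt_id, due in list(inner.items()):  # inner-layer timeouts
            if due <= t:
                inner[pkt_id] = t + rto
                transmit(next_seg, pkt_id, t)    # wrapped in a brand-new segment
                next_seg += 1
        if double_stack:                         # outer-layer timeouts as well
            for seg_id, (pkt_id, due) in list(outer.items()):
                if due <= t:
                    transmit(seg_id, pkt_id, t)  # the same segment, once more
        for seg_id in queue[:capacity]:          # link drains `capacity` per tick
            entry = outer.pop(seg_id, None)
            if entry is not None and rng.random() < loss:  # lost on the wire
                if double_stack:
                    outer[seg_id] = entry        # SSH will resend it later
                continue
            if entry is None or inner.pop(entry[0], None) is None:
                st["stale"] += 1                 # payload was already delivered
            else:
                st["delivered"] += 1
        del queue[:capacity]
    return st
```

Compare `simulate(False)` with `simulate(True)`: the UDP-carried run delivers every packet with no duplicate copies, while the TCP-carried run sends far more segments, wastes link slots on copies of data the inner layer has already acknowledged, and saturates the link buffer.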
