Re: Why more than 1 hole in FW for IPSec

From: Stephen J. Bevan (stephen_at_dino.dnsalias.com)
Date: 08/30/03


Date: Sat, 30 Aug 2003 04:56:47 GMT

jim2002@yonan.net (James Yonan) writes:
> > SSL/TLS was designed to run over a reliable transport (e.g. TCP) it
> > wasn't designed to run over unreliable ones (any type of datagram).
> > Also running TCP over TCP, as would be necessary if you tunnel
> > everything via SSL, has various documented drawbacks.
>
> OpenVPN is designed to multiplex SSL/TLS + actual IP datagrams over a
> single UDP port. It does this by: ...

With your other followup it is now clear that what you mean by SSL/TLS
and what I mean by it are not quite the same thing. When I write
SSL/TLS I mean the whole protocol, not just the part that does keying.
Taking just the keying part and marrying it with your own format for
encrypting IP packets is an interesting approach. However, it
isn't entirely clear to me how this is an improvement over using
IKE+IPsec. I have the same reaction to a bunch of other VPN solutions :-

  CIPE http://sites.inka.de/bigred/devel/cipe.html
  SLAN http://sourceforge.net/projects/slan/
  TINC http://tinc.nl.linux.org/
  VPND http://sunsite.dk/vpnd/
  VTUN http://vtun.sourceforge.net/
  YAVIPIN http://yavipin.sourceforge.net/
  ZEBEDEE http://www.winton.org.uk/zebedee/

BTW it is not that I think IKE+IPsec is perfect by any means, it is
just that it isn't clear to me that any of the alternatives are better.
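The mechanism under discussion above, as an added example that is not from the thread or from the OpenVPN project: a keying/control channel and the encrypted IP datagrams share one UDP port, and the receiver demultiplexes on a channel byte, which is why such a design needs a single UDP pinhole where IKE+IPsec needs UDP/500 plus ESP (IP protocol 50), and UDP/4500 when NAT traversal is in use. The one-byte header, the two channel codes and the sample datagrams are a hypothetical framing constructed for illustration, not OpenVPN's actual wire format.

```python
"""Added example: two logical channels over one UDP port.

The channel codes and header layout below are hypothetical, chosen to
illustrate the demultiplexing idea; they are NOT OpenVPN's wire format.
"""

# Hypothetical channel codes carried in the first byte of every datagram.
CTRL = 0x01   # keying / handshake records (TLS-style control channel)
DATA = 0x02   # encrypted IP datagrams (data channel)
MAX_UDP_PAYLOAD = 1400  # stay under a typical path MTU; larger must be fragmented or refused


def frame(channel, payload):
    """Prepend the channel byte to a payload destined for the single UDP port.

    Rejects unknown channels and payloads that would not fit one datagram.
    """
    if channel not in (CTRL, DATA):
        raise ValueError("unknown channel %#x" % channel)
    if len(payload) + 1 > MAX_UDP_PAYLOAD:
        raise ValueError("payload too large for one datagram")
    return bytes([channel]) + payload


def demux(datagram):
    """Split one received datagram into (channel, payload).

    Anything that is empty, header-only, or starts with an unknown channel
    byte is dropped (None) rather than being handed to the TLS state machine
    or the packet decryptor.
    """
    if len(datagram) < 2:
        return None
    ch = datagram[0]
    if ch not in (CTRL, DATA):
        return None
    return ch, datagram[1:]


def dispatch(datagrams):
    """Receive loop for the one UDP socket: route each datagram to the
    control handler or the data handler and count what was dropped."""
    ctrl, data, dropped = [], [], 0
    for d in datagrams:
        parsed = demux(d)
        if parsed is None:
            dropped += 1
            continue
        ch, payload = parsed
        (ctrl if ch == CTRL else data).append(payload)
    return {"ctrl": ctrl, "data": data, "dropped": dropped}


# Constructed sample traffic as it would arrive on the single UDP port.
SAMPLE = [
    frame(CTRL, b"\x16\x03\x01\x00\x05hello"),        # constructed: TLS-record-like handshake bytes
    frame(DATA, b"\x45\x00\x00\x14" + b"\x00" * 16),  # constructed: encrypted IPv4-sized blob
    b"\xffjunk",                                       # constructed: probe with an unknown channel byte
    b"",                                               # constructed: empty datagram
]

if __name__ == "__main__":
    print(dispatch(SAMPLE))
```

The point of the demux step is that the firewall only ever sees one UDP flow; the distinction between keying traffic and tunnelled packets is made by the VPN endpoint, not by the port or IP protocol number as it is with IKE and ESP.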
