VPN and IPtables

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Thu Sep 16 14:46:03 UTC 2004


On Wed, Sep 15, 2004 at 10:26:22PM -0400, Henry Spencer wrote:
> Neither protocol 50 nor UDP port 500 is any more or less prone to data
> getting lost, other things being equal.  Both are datagrams, with
> unreliable best-effort delivery.  In both cases, reliability requires a
> higher-level protocol to pay attention and deal with lost packets somehow. 

So it isn't UDP that's special, it is TCP.  OK, that makes sense.  IP
itself is best effort delivery as far as I know, which is all routers
really care about I suppose.

> (There has been some suggestion that it might be desirable to have an
> option to use TCP for key negotiation.  The issue is not reliability --
> the IKE key-negotiation protocol does handle retransmission of lost
> packets, if not as well as it might -- but the fact that IKE messages
> sometimes get large, and UDP doesn't do really big packets well.  TCP has
> its own problems in this context, though...)

Well IPsec has worked pretty well for me in the past, so it can't be too
bad.

> That's correct, they don't.  But then, routers which want to know about
> the importance of the data tend to want to inspect packet innards... and
> that is inherently impossible with IPsec.  It is fundamental to IPsec that
> many "smart network tricks" (which, on closer inspection, often aren't
> really good ideas) are no longer possible when the contents of packets are
> completely hidden from inspection en route. 

I guess that makes sense.  Bad router design is what is breaking ECN
(explicit congestion notification) as far as I know.

> As former technical lead of the late FreeS/WAN project, I can assure you
> I do know which does which. :-)
> 
> RFC 2406 will tell you just about everything there is to know about ESP.
> It's reasonably well designed.
> 
> You don't want to learn about IKE; trust me on this. :-)

Yeah I think you are right on that.

Now if I could only figure out what syntax to use in ipsec.secrets with
an x.509 certificate to make it have a clue that it is the default key.
Seems no one knows how to make it do that, only that it complains about
it.  Perhaps I should just stick to plain RSA keys.  Or PSK which always
works.

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml