VPN and IPtables

Henry Spencer henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org
Fri Sep 17 00:12:14 UTC 2004


On Thu, 16 Sep 2004, Lennart Sorensen wrote:
> > Neither protocol 50 nor UDP port 500 is any more or less prone to data
> > getting lost, other things being equal.  Both are datagrams, with
> > unreliable best-effort delivery...
> 
> So it isn't UDP that's special, it is TCP.  OK, that makes sense.  IP
> itself is best effort delivery as far as I know...

Correct.  UDP is basically raw IP with the addition of ports (so you can
address entities within hosts, whereas IP only knows about hosts) and a
little bit of corrupted-packet detection (IP itself checksums only the
header, not the body).  Dealing with lost, duplicated, reordered, or
excessively abundant packets is still the application's problem. 

TCP looks after all that stuff for you, but the price is that it has one
specific model of how to do it, which doesn't fit all applications. 

ESP is like UDP, a very limited set of features added to basic IP.  It's
mostly just encryption and authentication (which incidentally provides
very strong corrupted-packet detection), but as a side issue it also does
duplicate suppression to prevent replay attacks.  Lost and reordered
packets, flow control, and within-host addressing are somebody else's
problem.

> Now if I could only figure out what syntax to use in ipsec.secrets with
> an x.509 certificate to make it have a clue that it is the default key.
> Seems no one knows how to make it do that, only that it complains about
> it.  Perhaps I should just stick to plain RSA keys.  Or PSK which always
> works.

Alas, can't help on that one -- I haven't kept track of what's happened
to the project's code since I left it.

                                                          Henry Spencer
                                                       henry-lqW1N6Cllo0sV2N9l4h3zg at public.gmane.org

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
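The message above describes ESP as "encryption and authentication" plus duplicate suppression against replay, with lost and reordered packets left to someone else. The following is an added example (not code from the original post, and not Openswan/FreeS/WAN code) showing the receive side of exactly that: an RFC 4303-style 64-bit sliding anti-replay window, fed by an integrity check that covers the whole datagram rather than only the header. Assumptions: HMAC-SHA-256 truncated to 128 bits as the ICV (the RFC 4868 construction), a constructed key and payload, and no encryption, so the integrity and replay logic stays visible. Reordered-but-fresh packets are accepted, exact replays and packets that have fallen behind the window are dropped, and a packet with a flipped payload bit fails the ICV before it can touch the window.

```python
import hashlib
import hmac
import struct

# Anti-replay window per RFC 4303 section 3.4.3: 64 bits is the default,
# 32 bits the minimum.  Assumed values for this example.
WINDOW_SIZE = 64
# ICV length: HMAC-SHA-256 truncated to 128 bits (RFC 4868).
ICV_LEN = 16


class ReplayWindow:
    """Anti-replay state for one inbound security association.

    `highest` is the largest sequence number accepted so far.  Bit i of
    `bitmap` is set when sequence number (highest - i) has been accepted.
    """

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.highest = 0  # ESP never sends sequence number 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Accept and record `seq` if new; reject replays and stale packets."""
        if seq == 0:
            return False
        if seq > self.highest:
            # New high-water mark: slide the window right and mark `seq`.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything seen before is now too old
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # behind the window: too old to judge, so dropped
        if self.bitmap & (1 << diff):
            return False  # already accepted once: replay
        self.bitmap |= 1 << diff  # reordered but fresh: accept
        return True


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP-shaped datagram: SPI | seq | payload | ICV.

    The ICV covers everything before it, so a flipped bit anywhere in the
    body is detected (unlike the IP header checksum, which covers only the
    header).  Encryption is omitted to keep the focus on integrity/replay.
    """
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def receive(key: bytes, window: ReplayWindow, packet: bytes) -> str:
    """Verify the ICV first; only a packet that authenticates may update the
    window, so a forger cannot advance the high-water mark and shut out
    legitimate traffic."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "bad-icv"
    _spi, seq = struct.unpack("!II", body[:8])
    if not window.check_and_update(seq):
        return "replayed-or-stale"
    return "ok"


def run_demo() -> list:
    """Feed a constructed packet stream through one SA; return the verdicts."""
    key = b"constructed-demo-key-not-a-real-key"  # constructed, not a real key
    spi, payload = 0x1000, b"hello, ESP"
    window = ReplayWindow()
    seq3 = build_packet(key, spi, 3, payload)
    tampered = build_packet(key, spi, 6, payload)
    tampered = tampered[:10] + bytes([tampered[10] ^ 0x01]) + tampered[11:]
    stream = [
        build_packet(key, spi, 1, payload),
        build_packet(key, spi, 2, payload),
        seq3,
        build_packet(key, spi, 5, payload),    # 4 arrives late ...
        build_packet(key, spi, 4, payload),    # ... but is still fresh
        seq3,                                  # exact replay of seq 3
        tampered,                              # one payload bit flipped
        build_packet(key, spi, 100, payload),  # slides the window far ahead
        build_packet(key, spi, 36, payload),   # 100 - 36 = 64: outside window
        build_packet(key, spi, 37, payload),   # 100 - 37 = 63: still inside
    ]
    return [receive(key, window, p) for p in stream]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Note that this is the minimal form of the RFC 4303 procedure: the RFC also allows a preliminary window lookup before the ICV computation, purely to avoid spending a MAC on an obvious replay; the security-relevant rule, that the window is updated only after the ICV verifies, is what the code enforces.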