[139851] in North American Network Operators' Group


Re: VPN over slow Internet connections

daemon@ATHENA.MIT.EDU (Phil Regnauld)
Thu Apr 21 13:08:41 2011

Date: Thu, 21 Apr 2011 19:07:58 +0200
From: Phil Regnauld <regnauld@nsrc.org>
To: Ben Whorwood <bw-ml@mube.co.uk>
In-Reply-To: <4DB06184.30508@mube.co.uk>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Ben Whorwood (bw-ml) writes:
> Some initial thoughts include...
> 
>   * How well would the connection handle certificate (>= 2048 bit
> key) based authentication?
>   * Is UDP or TCP better considering the speed and possibility of
> packet loss (no figures to hand)?

	I'd go for a UDP tunnel, as you wouldn't have to renegotiate
	a TCP session for the tunnel *and* whatever connection you've
	got going through that.

>   * Is VPN over this type of connection simply a bad idea?

	I don't think it's a particularly bad idea.  But why don't you
	make your own tests using FreeBSD/dummynet, simulating 1-2%
	packet loss, limit bandwidth to 33 Kbit/s, and corresponding
	latency (say 100ms).

	I'd say your biggest concern won't be the VPN (you can make
	it completely stateless with static keys), but whatever protocol
	you've got running on top of that, and how it deals with the
	loss.
	
	Cheers,
	Phil
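
The dummynet test suggested above, written out as an added example (not part of the original message): a script that prints, and optionally applies, ipfw rules for a 33 Kbit/s link with 100 ms delay and 1-2% loss. Assumptions: ipfw and dummynet are already loaded with a permissive ruleset, the figures are applied per direction, and the pipe numbers, rule numbers and VPN_PEER address are made up for illustration.

```shell
#!/bin/sh
# Added example: FreeBSD ipfw/dummynet rules emulating a slow, lossy link.
# Pipe numbers (1, 2), rule numbers (100, 200) and VPN_PEER are assumptions.
VPN_PEER="${VPN_PEER:-192.0.2.10}"   # constructed test address (TEST-NET-1)

# Convert a loss percentage (e.g. 2) to dummynet's plr fraction (0.020).
loss_to_plr() {
    awk -v p="$1" 'BEGIN {
        if (p !~ /^[0-9]+(\.[0-9]+)?$/ || p + 0 > 100) exit 1
        printf "%.3f", p / 100
    }'
}

# Print the ipfw commands for one emulated link.
# Args: bandwidth in Kbit/s, one-way delay in ms, loss in percent.
dummynet_plan() {
    bw="$1" delay="$2"
    plr=$(loss_to_plr "$3") || { echo "bad loss percentage: $3" >&2; return 1; }
    for n in "$bw" "$delay"; do
        case "$n" in
            ''|*[!0-9]*) echo "bandwidth and delay must be integers" >&2; return 1 ;;
        esac
    done
    # One pipe per direction so both paths see the limit, delay and loss.
    for pipe in 1 2; do
        echo "ipfw pipe $pipe config bw ${bw}Kbit/s delay $delay plr $plr"
    done
    echo "ipfw add 100 pipe 1 ip from any to $VPN_PEER out"
    echo "ipfw add 200 pipe 2 ip from $VPN_PEER to any in"
}

# Default: print the plan for review. "apply" runs it (root on FreeBSD only).
# Optional second argument: loss percentage, default 2.
if [ "${1:-}" = "apply" ]; then
    dummynet_plan 33 100 "${2:-2}" | sh -e
else
    dummynet_plan 33 100 "${2:-2}"
fi
```

Run the VPN between the test host and VPN_PEER once over TCP and once over UDP with the same rules in place, then remove them with `ipfw delete 100 200` and `ipfw pipe flush`.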

