[139882] in North American Network Operators' Group


RE: VPN over slow Internet connections

daemon@ATHENA.MIT.EDU (Terry Baranski)
Thu Apr 21 17:29:08 2011

From: "Terry Baranski" <tbaranski@mail.com>
To: "'Steven Bellovin'" <smb@cs.columbia.edu>,
	"'Ben Whorwood'" <bw-ml@mube.co.uk>
In-Reply-To: <C47FAE48-E13F-4D0A-B36C-0B5487F6AA93@cs.columbia.edu>
Date: Thu, 21 Apr 2011 17:28:46 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Apr 21, 2011, at 4:20 PM, Steven Bellovin wrote:

> For your application or for the VPN?  For the VPN, I *strongly*
> suggest you use UDP, or you're going to get dueling retransmissions
> and spend a lot of time sending many copies of the same thing. Consider:
> if a packet is dropped, either due to line noise or queuing delay for
> the slow link, the sending TCP will resend.  If you're using TCP for
> OpenVPN, that session's TCP will resend.  Of course, the TCP running
> on top of it will resend as well, so you'll get two copies of the data
> sent to the application's TCP, wasting precious bandwidth.  

Is this actually how OpenVPN's TCP encapsulation works? I'd be curious to
know. It isn't how Cisco's TCP/10000 encapsulation works, at least not with
the IOS devices I have experience with.

Cisco's TCP/10000 looks like TCP to a firewall, but it really isn't. There
is no reliability -- no retransmits, etc. It's pretty close to UDP behavior
but with a TCP header, which was confusing to troubleshoot at first but
quickly made perfect sense to me for the reasons you state above.

-Terry
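
The "dueling retransmissions" effect Steve describes above, worked through as an added example (this is illustrative code written for this page, not anything from the thread, OpenVPN or Cisco IOS). It pushes one application TCP segment through a tunnel over a lossy link and counts how many packets hit the wire and how many copies of that same segment reach the application's TCP, once with UDP encapsulation and once with TCP encapsulation. All of the model's parameters and simplifications (ticks, instantaneous and lossless ACKs, no exponential backoff, a cumulative ACK that clears everything in flight) are assumptions made to keep the model small.

```python
"""Toy model of one TCP segment crossing a VPN tunnel over a lossy, slow link.

Added illustration, not code from the thread or from any VPN product. It
compares a tunnel that carries traffic in UDP (only the application's TCP
retransmits) with one that carries it in TCP (the tunnel's own TCP also
retransmits, on its own timer, with no idea that the payload is itself a
retransmission). Simplifications, all assumptions of this model: time is in
ticks; ACKs are instantaneous and never lost; no exponential backoff; every
outer segment outstanding at its deadline is retransmitted; one successful
delivery acknowledges every outer segment in flight.
"""
from dataclasses import dataclass


@dataclass
class Result:
    wire_packets: int = 0    # packets pushed onto the slow link
    payload_copies: int = 0  # copies of the same inner segment handed to the app's TCP


def simulate(transport, drop_ticks, inner_rto=3, outer_rto=3, max_ticks=60):
    """Run until the inner (application) TCP segment is acknowledged.

    transport  : 'udp' or 'tcp' tunnel encapsulation
    drop_ticks : constructed loss pattern; the link drops everything sent in these ticks
    inner_rto  : retransmission timeout of the application's TCP, in ticks
    outer_rto  : retransmission timeout of the tunnel's TCP (ignored for 'udp')
    """
    if transport not in ('udp', 'tcp'):
        raise ValueError('transport must be udp or tcp')
    res = Result()
    inner_deadline = 0      # the inner TCP sends its segment at tick 0
    outer_in_flight = []    # RTO deadlines of unacked tunnel-TCP segments

    for t in range(max_ticks):
        to_send = []
        # Inner TCP: original transmission, then RTO-driven retransmissions.
        if t >= inner_deadline:
            to_send.append('inner')
            inner_deadline = t + inner_rto
        # Outer TCP: retransmits its own unacked segments on its own timer.
        if transport == 'tcp':
            for i, deadline in enumerate(outer_in_flight):
                if t >= deadline:
                    to_send.append('outer')
                    outer_in_flight[i] = t + outer_rto

        delivered = False
        for kind in to_send:
            res.wire_packets += 1
            if transport == 'tcp' and kind == 'inner':
                # A fresh tunnel segment now wraps this copy of the inner segment.
                outer_in_flight.append(t + outer_rto)
            if t in drop_ticks:
                continue  # line noise or a queue drop on the slow link
            # Delivered: the tunnel hands the inner segment to the application's TCP.
            res.payload_copies += 1
            delivered = True
            outer_in_flight.clear()  # assumption: cumulative ACK covers everything sent
        if delivered:
            return res
    raise RuntimeError('segment never delivered within max_ticks')


def compare(drop_ticks, inner_rto=3, outer_rto=3):
    """Return {'udp': Result, 'tcp': Result} for the same constructed loss pattern."""
    return {m: simulate(m, drop_ticks, inner_rto, outer_rto) for m in ('udp', 'tcp')}


if __name__ == '__main__':
    for drops in ({0}, {0, 3}):
        r = compare(drops)
        print(f"drops at ticks {sorted(drops)}: "
              f"udp wire={r['udp'].wire_packets} copies={r['udp'].payload_copies} | "
              f"tcp wire={r['tcp'].wire_packets} copies={r['tcp'].payload_copies}")
```

With a single drop and both layers using the same RTO (which is what you get when both TCPs measure the same slow link), the TCP tunnel puts three packets on the wire and delivers the segment twice, exactly the duplicate Steve describes; the UDP tunnel sends two and delivers once. A second drop makes the TCP tunnel's outstanding outer segments pile up, so the next round retransmits all of them. Raising `inner_rto` above `outer_rto` lets the tunnel's retransmission win the race and removes the duplicate, which is why the effect depends on the two timers coinciding.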
