[139885] in North American Network Operators' Group


Re: VPN over slow Internet connections

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Thu Apr 21 17:53:49 2011

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <000101cc006b$1af5f890$50e1e9b0$@com>
Date: Thu, 21 Apr 2011 17:53:36 -0400
To: Terry Baranski <tbaranski@mail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Apr 21, 2011, at 5:28 46PM, Terry Baranski wrote:

> On Apr 21, 2011, at 4:20PM, Steven Bellovin wrote:
> 
>> For your application or for the VPN?  For the VPN, I *strongly*
>> suggest you use UDP, or you're going to get dueling retransmissions
>> and spend a lot of time sending many copies of the same thing. Consider:
>> if a packet is dropped, either due to line noise or queuing delay for
>> the slow link, the sending TCP will resend.  If you're using TCP for
>> OpenVPN, that session's TCP will resend.  Of course, the TCP running
>> on top of it will resend as well, so you'll get two copies of the data
>> sent to the application's TCP, wasting precious bandwidth.
> 
> Is this actually how OpenVPN's TCP encapsulation works? I'd be curious to
> know. It isn't how Cisco's TCP/10000 encapsulation works, at least not with
> the IOS devices I have experience with.
> 
> Cisco's TCP/10000 looks like TCP to a firewall, but it really isn't. There
> is no reliability -- no retransmits, etc. It's pretty close to UDP behavior
> but with a TCP header, which was confusing to troubleshoot at first but
> quickly made perfect sense to me for the reasons you state above.
> 
To the OS, OpenVPN is an application that uses the underlying TCP (or UDP)/IP
stack; it can't behave any differently than any other application.  Since
(as far as I know) Windows, Linux, NetBSD, FreeBSD, MacOS, and all of the other
platforms that OpenVPN runs on just have normal TCPs, that's what OpenVPN
does.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb
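As an added illustration (not code from this thread, nor OpenVPN's own), here is a toy event-driven model of the "dueling retransmissions" described above: one application TCP segment is tunnelled either over a TCP-based or a UDP-based VPN, the slow link drops a chosen transmission, and both the tunnel's TCP and the application's TCP run independent retransmit timers. All timer values and delays are constructed, and congestion control is ignored; only exponential RTO backoff is modelled.

```python
import heapq


def simulate(tunnel, rto_inner=400, rto_outer=300, one_way=100, drop_tx=(0,)):
    """Model one inner (application) TCP segment handed to the VPN at t=0.
    Times are in ms (constructed values).  `drop_tx` lists which transmissions
    the slow link loses, counted from 0.  Returns a tuple
    (copies put on the link, copies that actually got through).
    Each retransmission doubles the timer that fired (exponential backoff)."""
    events = []                 # heap of (time, kind, outer_seg_id, rto)
    tx = delivered = 0
    outer_acked = {}            # tunnel segment id -> has its TCP ack arrived?
    inner_acked = False         # has the application TCP seen its ack?

    def transmit(t, seg, rto=rto_outer):
        nonlocal tx, delivered
        lost = tx in drop_tx
        tx += 1
        if tunnel == "tcp":     # the tunnel's own TCP arms a retransmit timer
            heapq.heappush(events, (t + rto, "outer_rto", seg, rto))
        if not lost:
            delivered += 1      # ack (tunnel + inner) comes back one RTT later
            heapq.heappush(events, (t + 2 * one_way, "ack", seg, 0))

    def new_outer_segment(t):
        seg = len(outer_acked)  # the tunnel sees fresh data: a new segment
        outer_acked[seg] = False
        transmit(t, seg)

    new_outer_segment(0)                                  # inner TCP sends
    heapq.heappush(events, (rto_inner, "inner_rto", -1, rto_inner))
    while events:
        t, kind, seg, rto = heapq.heappop(events)
        if kind == "ack":                   # the data reached the far end
            outer_acked[seg] = True
            inner_acked = True              # far-side application TCP acks too
        elif kind == "outer_rto" and not outer_acked[seg]:
            transmit(t, seg, 2 * rto)       # tunnel TCP resends on its own
        elif kind == "inner_rto" and not inner_acked:
            new_outer_segment(t)            # application TCP resends as well;
            heapq.heappush(events,          # the tunnel carries it as new data
                           (t + 2 * rto, "inner_rto", -1, 2 * rto))
    return tx, delivered


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        on_link, got_through = simulate(proto)
        print(f"{proto} tunnel, one loss: {on_link} copies sent, "
              f"{got_through} delivered")
```

With the constructed timers, a single loss costs two copies over a UDP tunnel but three over a TCP tunnel, two of which reach the application's TCP, which is exactly the duplication the reply above warns about.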