[ale] Why I Chose IPsec over OpenVPN (Was: Re: How to test your public internet connection for open ports)
Michael B. Trausch
mike at trausch.us
Fri Feb 11 13:32:21 EST 2011
On Fri, 2011-02-11 at 13:14 -0500, Michael H. Warfield wrote:
> On Fri, 2011-02-11 at 12:33 -0500, Michael B. Trausch wrote:
> > +1 point for routers that are managed via HTTPS with proper certificates
> > or via SSH, side-stepping this problem entirely... yet more proof that
> > security encompasses far more than just what the firewall is doing (or
> > not).
>
> Very true. But watch out for the ones with hard coded certificates (I'm
> sure there are lots still out there).
Hence the idea that the certificate support has to be proper. Nothing
worse than a well-known cert (or host key!) that cannot be updated or
modified...
> > I still use SSH over the encrypted link, even though it's redundant.
> > Mostly because I don't want to be bothered with a telnetd that just
> > listens on the private address, and the private addresses will be going
> > away at some point, to be replaced with iptables rules that implement
> > the required business-level policies.
>
> User of SSH or stunnel and ssl as a true tunneled VPN is just a plain
> performance headache because it runs over TCP and all its bookkeeping
> headaches and packet assembly and opportunistic windows and cruft. Just
> compare OpenVPN over UDP vs OpenVPN over TCP. You really don't want to
> run routed tunnels over TCP.
Indeed not. I tried using the SSH support for tunneling a long time
ago, but I was very displeased with it. And honestly, it was more
difficult to set up than it should have been. AFAIK, it (is/was) not
really possible to do things like tell the SSH server to allow regular
user X to set up a layer 2 tunnel. It requires that you have root on the
other side, which makes it pretty inconvenient to use for setting up a
tunnel on the fly. (This could have changed since I looked at it; I
haven't bothered to check up on that, because honestly I don't care. I
don't plan to ever use that functionality.)
I only use SSH for terminals, and *occasionally* a single port forward
if I need to connect to something on the remote net that I don't
otherwise have access to. If I make connections frequently to that
network, I get it interconnected with my "virtual" network that I use
IPsec to secure the communication for.
> IPsec:
> - Cannot do over TCP (Cisco is about the only one I know that does)
Maybe I'm missing something, but why would you want to do that? I mean,
you can do IP by sneakernet or carrier pigeon, too, but I wouldn't want
to... ;-)
> - Can be blocked at some sites (proto 50/51 and/or udp 500/4500)
Indeed. Though I was very happy to see that RFC 6092 explicitly
recommends that IPsec be left untouched and permitted to pass.
Hopefully, vendors will take the recommendations from that as a default
configuration.
I for one would like to see (native) IPsec used much more than it is.
--- Mike
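As an added example that is not part of this thread, here is a small audit of an iptables-save dump for the four IPsec flows named above (ESP proto 50, AH proto 51, IKE udp/500, NAT-T udp/4500), in the spirit of RFC 6092's recommendation that a gateway let them pass. The ruleset, the flow labels and the function names are this example's own constructions; it understands only -p/--dport matches, not match extensions.

```python
"""Audit an iptables-save dump for IPsec pass-through (ESP, AH, IKE, NAT-T)."""
import re

# Flows the thread names; labels are this example's own.
IPSEC_FLOWS = {
    "ESP":   {"proto": "esp"},
    "AH":    {"proto": "ah"},
    "IKE":   {"proto": "udp", "dport": "500"},
    "NAT-T": {"proto": "udp", "dport": "4500"},
}
# iptables accepts numeric protocols; normalise -p 50 to -p esp etc.
PROTO_ALIASES = {"50": "esp", "51": "ah", "17": "udp"}

# Constructed sample dump: ESP and NAT-T allowed, IKE caught by a UDP drop,
# AH falls through to the chain policy.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -p udp --dport 4500 -j ACCEPT
-A FORWARD -p 50 -j ACCEPT
-A FORWARD -p udp -j DROP
COMMIT
"""

def parse_rule(line):
    """Return (chain, proto, dport, target) for an '-A CHAIN ... -j TARGET' line."""
    m = re.match(r"-A (\S+)(.*)-j (\S+)", line)
    if not m:
        return None
    chain, body, target = m.groups()
    proto = re.search(r"-p (\S+)", body)
    dport = re.search(r"--dport (\S+)", body)
    proto = PROTO_ALIASES.get(proto.group(1), proto.group(1)) if proto else None
    return chain, proto, dport.group(1) if dport else None, target

def audit_ipsec(dump, chain="FORWARD"):
    """First matching rule in the chain decides each flow; else the chain policy."""
    policy = "ACCEPT"
    rules = []
    for line in dump.splitlines():
        pol = re.match(rf":{chain} (\S+)", line)
        if pol:
            policy = pol.group(1)
        rule = parse_rule(line)
        if rule and rule[0] == chain:
            rules.append(rule)
    verdict = {}
    for name, flow in IPSEC_FLOWS.items():
        verdict[name] = policy
        for _, proto, dport, target in rules:
            if proto not in (None, flow["proto"]):
                continue                      # rule is for another protocol
            if dport is not None and dport != flow.get("dport"):
                continue                      # rule is for another port
            verdict[name] = target
            break
    return verdict

def missing_ipsec_flows(dump, chain="FORWARD"):
    """Flows a gateway following RFC 6092 should pass but this ruleset does not."""
    return [n for n, v in audit_ipsec(dump, chain).items() if v != "ACCEPT"]
```

Running `missing_ipsec_flows(SAMPLE_DUMP)` on the sample reports AH and IKE as blocked, the latter because the broad UDP drop precedes any udp/500 accept.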