Date: Tue, 03 Sep 2002 22:42:35 +0400
From: Michael Tokarev <>
Subject: Re: New ISO and VPN tunnelling

Radek Michalski wrote:
> Hi!
> I'm wondering when there's gonna be a new ISO release of Owl. We've got
> the openssh commotion behind us, so this is a good time to make a new release, I
> think.
> One more thing: a few months ago I wrote about tests I was gonna make about
> CIPE / FreeS/WAN tunnelling mechanisms. So I made those and IMHO there are
> good reasons to include and use CIPE (I know that it encapsulates packets
> in UDP, which may be taken as a disadvantage).

Why is it a disadvantage?!  It is a big advantage compared to TCP-based
tunnels (a common mistake is to use e.g. ppp over ssh).  TCP is too much
work for an IP stack: double send-receive queues, double dealing with
packet loss etc.

> First of all: tunnels made with CIPE are more stable, they can be up for
> weeks. Under the same conditions I've tested F/S and it wasn't so stable.
> Second thing is configuration: CIPE is easier to configure [I really don't
> know about very complicated configurations w/o a standard environment -
> for my purposes CIPE had a clearer conf.]. Speed - I think it's equal.

Well, yes, CIPE is stable and it's much simpler (both in setting it
up and from a software point of view).  F/S is just too big for most
cases, and being big it's obviously too complex a piece of software.

But.  CIPE is unique to Linux (if memory serves me right - I don't
remember if it exists for other unixes too).  F/S tries to be compatible
with other implementations, it is based on standards.  CIPE has no
real key exchange infrastructure in place while F/S has.  And it's
unknown *for me* how strong CIPE protocols are (errm - I'm in no
way a security/crypto expert).  Protocols used in F/S are strong
(enough - for *what*? ;), I believe, since those protocols were developed
by a community of crypto experts...

Concerning CIPE - there is another similar solution, it's vtund.
It is weaker compared to cipe, and for me, I can't trust it even
to *run* it on our machine, unfortunately, because it is not written
very accurately (oh well, and it's me who is one of its developers... ;)
It is a simple one too, it is also stable, and it can work as
a "vpn server" in the sense of a "dialin server" - i.e. when you have
really many clients and one server machine that should handle all
those clients just like a dialin server handles modem connections
(this is essential for us, and cipe can't do that - with CIPE, one
will need to create a network interface for every client and run
ciped bound to a unique port for that).  That is to say - I like CIPE,
but I can't use it because of the lack of some features I need...

There is another tunnel solution similar to vtund and cipe,
OpenVPN.  What is good (and
bad at the same time) about both vtund and openvpn is that
both run in userspace, thus there is less risk of crashing the system
after a possible bug (cipe protocol details are handled inside the
kernel).  (This is not so good from a performance point of view.)

But in any case, I think that any solution should be at least
audited before it goes into the Owl ISO...

