Mailinglist Archive: opensuse-security (499 mails)

< Previous Next >
RE: [suse-security] VPN with pptp
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 17 Jun 2002 07:15:51 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D1A5700E@xxxxxxxxxxxxxxxxx>
> In the company, we have some very efficient C implementations.
> They are small and their developers knew every bitshifting
> feature of C. But here you have sometimes a set of a few lines
> that look like that they make no sense. Others write "optimized
> for reading" and I prefere that. Some programmers optimize for
> source(!!) size, and I think that decreases the relialability.

That may very well be and there are differences in the number of lines per
error between different coders, of course. But for every one of them, the
number of errors made increases with the number of lines they write, and be
it merely due to simple typos. That's what the rule says. It does not
compare one coder to another or one language to another.

> > > Hum, why UDP? IPSec uses protocol 50,51 IIRC.
> >
> > Why not use UDP? What is the advantage of dedicated IP
> protocols in this
> > context? Note that I'm not against either one, which you
> choose to use
> > depends on design considerations.
> Yes, why not use UDP, and why not use anything other. I don't
> think that this make a big difference.

Exactly. Yet you'd asked.

> Well, for me it's the same if you implement a protocol into UDP
> payload or in another IP protocol. Well, UDP offers ports and
> some things, but if you do not need them, why use UDP?

Because it's already there and it's easy to code client and server
components. There are more people that have experience writing UDP-capable
software than that using ESP or AH. And you can't just invent a new IP
protocol all by yourself.. Even if you could, it'd probably not be a very
good idea.

I'm not saying UDP is a better choice than ESP/AH, but for many coders, it's
the better choice because it's something they have (at least some)
experience with.

> > Having said all that, I don't know if I'd agree that you
> shouldn't use TCP
> > to build tunnels. No reasons are given, unfortunately.
> When you have protocols that do not need any packet, for instance
> a real-time monitor, then it's often better to drop packets
> (since they are obsoleted by successors) than to repeat them over
> wire and drop them in the target application. Well, same for
> video or voice streams. Better a short quality reduction as very
> high latency.

Yes, I know when UDP is favourable over TCP generally, I meant the VPN
situation specifically. In the meantime the original poster has given
reasons that I can agree with. And since a VPN strives to offer a virtual IP
connection, it makes sense to use a connectionless transport mechanism, as
IP doesn't provide connections either.


< Previous Next >