[ale] Why I Chose IPsec over OpenVPN (Was: Re: How to test your public internet connection for open ports)

Michael B. Trausch mike at trausch.us
Fri Feb 11 13:32:21 EST 2011


On Fri, 2011-02-11 at 13:14 -0500, Michael H. Warfield wrote:
> On Fri, 2011-02-11 at 12:33 -0500, Michael B. Trausch wrote: 
> > +1 point for routers that are managed via HTTPS with proper certificates
> > or via SSH, side-stepping this problem entirely... yet more proof that
> > security encompasses far more than just what the firewall is doing (or
> > not).
> 
> Very true.  But watch out for the ones with hard coded certificates (I'm
> sure there are lots still out there).

Hence the idea that the certificate support has to be proper.  Nothing
worse than a well-known cert (or host key!) that cannot be updated or
modified...

> > I still use SSH over the encrypted link, even though it's redundant.
> > Mostly because I don't want to be bothered with a telnetd that just
> > listens on the private address, and the private addresses will be going
> > away at some point, to be replaced with iptables rules that implement
> > the required business-level policies.
> 
> Use of SSH or stunnel and SSL as a true tunneled VPN is just a plain
> performance headache because it runs over TCP and all its bookkeeping
> headaches and packet assembly and opportunistic windows and cruft.  Just
> compare OpenVPN over UDP vs OpenVPN over TCP.  You really don't want to
> run routed tunnels over TCP.

Indeed not.  I tried using the SSH support for tunneling a long time
ago, but I was very displeased with it.  And honestly, it was more
difficult to set up than it should have been.  AFAIK, it (is/was) not
really possible to do things like tell the SSH server to allow regular
user X to set up a layer 2 tunnel.  It requires that you have root on the
other side, which makes it pretty inconvenient to use for setting up a
tunnel on the fly.  (This could have changed since I looked at it; I
haven't bothered to check up on that, because honestly I don't care.  I
don't plan to ever use that functionality.)

I only use SSH for terminals, and *occasionally* a single port forward
if I need to connect to something on the remote net that I don't
otherwise have access to.  If I make connections frequently to that
network, I get it interconnected with my "virtual" network that I use
IPsec to secure the communication for.

> IPsec:
> - Cannot do over TCP (Cisco is about the only one I know that does)

Maybe I'm missing something, but why would you want to do that?  I mean,
you can do IP by sneakernet or carrier pigeon, too, but I wouldn't want
to... ;-)

> - Can be blocked at some sites (proto 50/51 and/or udp 500/4500)

Indeed.  Though I was very happy to see that RFC 6092 explicitly
recommends that IPsec be left untouched and permitted to pass.
Hopefully, vendors will take the recommendations from that as a default
configuration.

I for one would like to see (native) IPsec used much more than it is.

	--- Mike
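The "proto 50/51 and/or udp 500/4500" point above is exactly the set of packets a site firewall has to let through for native IPsec to work. The following classifier is an added example, not code from the thread or from either poster: it parses minimal IPv4 packets and labels ESP, AH, IKE on UDP/500 and the UDP/4500 NAT-T cases (IKE behind the four-zero-byte non-ESP marker, UDP-encapsulated ESP, and the one-byte keepalive, per RFC 3948), then emits the matching iptables accept rules a gateway following RFC 6092's recommendation would need. The sample packets are constructed inline with zero checksums and arbitrary addresses; the `build_*` helpers exist only to make the example self-contained.

```python
"""Classify raw IPv4 packets as IPsec-related or not, and derive the
firewall accept rules that let native IPsec pass.  Added example code;
sample packets are constructed here, not captured from any real network."""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500       # IKEv1/IKEv2 without NAT
NATT_PORT = 4500     # IKE and ESP behind NAT (RFC 3948 encapsulation)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix marking IKE inside UDP/4500
NATT_KEEPALIVE = b"\xff"               # one-byte NAT keepalive on UDP/4500


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) for an IPv4 packet; ValueError on junk."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 packet")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return proto, src, dst, pkt[ihl:total_len]


def classify(pkt: bytes) -> str:
    """Label a packet: ESP, AH, IKE, IKE-NAT-T, ESP-UDP, NAT-T-keepalive or other."""
    proto, _, _, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return "ESP"
    if proto == IPPROTO_AH:
        return "AH"
    if proto == IPPROTO_UDP:
        if len(payload) < 8:
            raise ValueError("short UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if IKE_PORT in (sport, dport):
            return "IKE"
        if NATT_PORT in (sport, dport):
            if data == NATT_KEEPALIVE:
                return "NAT-T-keepalive"
            if data.startswith(NON_ESP_MARKER):
                return "IKE-NAT-T"
            # anything else on 4500 is ESP whose SPI (first 4 bytes) is non-zero
            return "ESP-UDP"
    return "other"


def is_ipsec(pkt: bytes) -> bool:
    return classify(pkt) != "other"


def ipsec_passthrough_rules(chain: str = "FORWARD") -> list:
    """iptables rules permitting the four IPsec traffic types through a gateway
    (the behaviour RFC 6092 recommends as the default).  Hypothetical chain name."""
    return [
        f"iptables -A {chain} -p {IPPROTO_ESP} -j ACCEPT",
        f"iptables -A {chain} -p {IPPROTO_AH} -j ACCEPT",
        f"iptables -A {chain} -p udp --dport {IKE_PORT} -j ACCEPT",
        f"iptables -A {chain} -p udp --dport {NATT_PORT} -j ACCEPT",
    ]


# --- constructed sample packets (checksums left as zero; addresses arbitrary) ---
def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ipv4(proto: int, payload: bytes,
               src=(192, 168, 1, 10), dst=(203, 0, 113, 5)) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload


SAMPLES = {
    "esp": build_ipv4(IPPROTO_ESP, b"\x00\x00\x12\x34" + bytes(12)),
    "ah": build_ipv4(IPPROTO_AH, bytes(24)),
    "ike": build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x11" * 28)),
    "ike_natt": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT,
                                                  NON_ESP_MARKER + b"\x11" * 28)),
    "esp_udp": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT,
                                                 b"\x00\x00\x12\x34" + bytes(12))),
    "keepalive": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, NATT_KEEPALIVE)),
    "dns": build_ipv4(IPPROTO_UDP, build_udp(53211, 53, bytes(12))),
    "tcp": build_ipv4(IPPROTO_TCP, bytes(20)),
}


def summarize() -> dict:
    """Map each sample name to its classification."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in summarize().items():
        print(f"{name:10s} -> {label}")
    print("\n".join(ipsec_passthrough_rules()))
```

Run it to see each sample's label followed by the four accept rules. A site that drops protocol 50/51 but forwards UDP/4500 will still carry the NAT-T cases, which is why classifying UDP/4500 by its first bytes matters when diagnosing "IPsec is blocked here".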