Re: [Openvpn-users] tcp over tcp with udp problem?


  • Subject: Re: [Openvpn-users] tcp over tcp with udp problem?
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Thu, 6 Nov 2003 17:19:42 -0000

Michael Hale <michaelh@xxxxxxxxxxxxxxxx> said:

> 
> On Nov 5, 2003, at 6:03 PM, James Yonan wrote:
> 
> > Michael Hale <michaelh@xxxxxxxxxxxxxxxx> said:
> >
> >> Hi I was wondering if the way openvpn is implemented, if it suffers
> >> from the problem of tcp running over tcp
> >> (http://sites.inka.de/sites/bigred/devel/tcp-tcp.html)?  It seems like
> >> running with the udp connection would solve this problem, but I wanted
> >> to ask the people who wrote this software explicitly just to make sure
> >> ;-)
> >
> > As a tunnel transport, UDP is almost always a better choice from a
> > performance perspective, though TCP can work reasonably well if the
> > network is not congested.  As the network becomes more congested and the
> > percentage of dropped packets goes up, a TCP tunnel's performance will
> > drop off more sharply than a UDP tunnel, because of the reliability layer
> > collision which is cited in the article.
> Could you describe the structure of the UDP packets that get sent
> across?  Specifically I am interested in how connections are maintained
> across the UDP-SSL tunnel, since UDP does not offer a guarantee of
> delivery.

OpenVPN multiplexes the TLS/SSL session used for authentication and key
exchange with the actual encrypted tunnel data stream.  OpenVPN provides the
TLS/SSL connection with a reliable transport layer (as it is designed to
operate over).  The actual IP packets, after being encrypted and signed with
an HMAC, are tunnelled over UDP.

SSL/TLS -> Reliability Layer -> \
                                 \
                                  \ 
                                   > Multiplexer ----> UDP
                                  /                    Transport
IP        Encrypt and Sign       /
Tunnel -> using OpenSSL EVP --> /
Packets   interface (*).


* Four symmetric keys are exchanged over the TLS session (client -> server
cipher, client -> server HMAC, server -> client cipher, server -> client
HMAC).  The IP tunnel packets are secured using an explicit IV, an anti-replay
sequence number, and Encrypt-then-HMAC.  Block padding is provided by the
OpenSSL EVP layer.

James
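The framing James describes in the footnote, as an added example that is not part of the original post and not OpenVPN's code: one sender/receiver pair per direction with its own cipher and HMAC keys, an explicit IV sent in the clear, the sequence number carried inside the encrypted body, and Encrypt-then-HMAC with the tag checked before anything is decrypted. The tag length (HMAC-SHA256), IV length, 4-byte sequence number, sliding-window size and key-derivation helper are assumptions chosen for the example; OpenSSL's EVP block cipher with padding is replaced by an HMAC-SHA256 keystream so the script runs with only the Python standard library. The framing and the receive-side checks are the point, not the cipher.

```python
"""Constructed model of the data-channel framing described in the post:
four directional keys, an explicit per-packet IV, an anti-replay sequence
number, and Encrypt-then-HMAC.  Added example, not OpenVPN's code.  The
OpenSSL EVP block cipher (CBC mode with padding) is replaced by an
HMAC-SHA256 keystream so this runs with only the standard library."""
import hashlib
import hmac
import os
import struct

HMAC_LEN = 32   # SHA-256 tag length (assumption; the hash is configurable in OpenVPN)
IV_LEN = 16     # explicit IV, sent in the clear with every packet (length assumed)
SEQ_LEN = 4     # anti-replay sequence number, encrypted together with the payload


def derive_keys(master: bytes) -> dict:
    """Stand-in for the four keys handed over by the TLS session: one cipher
    key and one HMAC key per direction.  OpenVPN derives them from TLS key
    material; here they are simply HMAC(master, label) for the demo."""
    return {name: hmac.new(master, name.encode(), hashlib.sha256).digest()
            for name in ("c2s_cipher", "c2s_hmac", "s2c_cipher", "s2c_hmac")}


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream HMAC-SHA256(key, iv || counter); stands in for EVP."""
    out = b""
    for counter in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """One direction of the tunnel: seals IP packets into UDP payloads."""

    def __init__(self, cipher_key: bytes, hmac_key: bytes):
        self.cipher_key, self.hmac_key = cipher_key, hmac_key
        self.seq = 0

    def seal(self, ip_packet: bytes) -> bytes:
        self.seq += 1
        iv = os.urandom(IV_LEN)
        body = struct.pack(">I", self.seq) + ip_packet      # seq number travels encrypted
        ciphertext = _xor(body, _keystream(self.cipher_key, iv, len(body)))
        tag = hmac.new(self.hmac_key, iv + ciphertext, hashlib.sha256).digest()
        return tag + iv + ciphertext                         # Encrypt-then-HMAC: tag covers IV + ciphertext


class Receiver:
    """Other end of the same direction: verify the HMAC first, then decrypt,
    then enforce the anti-replay window on the recovered sequence number."""

    def __init__(self, cipher_key: bytes, hmac_key: bytes, window: int = 64):
        self.cipher_key, self.hmac_key = cipher_key, hmac_key
        self.window = window
        self.highest = 0
        self.seen = set()

    def open(self, packet: bytes) -> bytes:
        if len(packet) < HMAC_LEN + IV_LEN + SEQ_LEN:
            raise ValueError("packet too short")
        tag = packet[:HMAC_LEN]
        iv = packet[HMAC_LEN:HMAC_LEN + IV_LEN]
        ciphertext = packet[HMAC_LEN + IV_LEN:]
        expected = hmac.new(self.hmac_key, iv + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):           # reject before touching the cipher
            raise ValueError("HMAC verification failed")
        body = _xor(ciphertext, _keystream(self.cipher_key, iv, len(ciphertext)))
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if seq in self.seen or seq <= self.highest - self.window:
            raise ValueError("replayed or stale sequence number %d" % seq)
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > self.highest - self.window}
        return body[SEQ_LEN:]


def accepts(receiver: Receiver, packet: bytes) -> bool:
    """True if the receiver accepts the packet, False on any rejection."""
    try:
        receiver.open(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    keys = derive_keys(b"constructed master secret")
    client = Sender(keys["c2s_cipher"], keys["c2s_hmac"])
    server = Receiver(keys["c2s_cipher"], keys["c2s_hmac"])
    p1, p2, p3 = (client.seal(b"IP packet %d" % i) for i in (1, 2, 3))
    print(server.open(p1))
    print(accepts(server, p3), accepts(server, p2))   # reordering inside the window is accepted
    print(accepts(server, p2))                        # second delivery of p2 is a replay
    tampered = p1[:-1] + bytes([p1[-1] ^ 1])
    print(accepts(server, tampered))                  # HMAC fails before decryption
```

Two points worth noticing in the receive path: the HMAC is checked over the IV and ciphertext before the cipher key is used at all, so a forged or bit-flipped packet never reaches the decryption or padding code, and a packet sealed with the server-to-client keys fails the client-to-server receiver's HMAC check outright, which is what having four directional keys buys you. UDP delivering packets late or out of order is tolerated by the window; only duplicates and packets older than the window are dropped.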


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users