[Spread-users] Tunnels

Mark Anacker manacker at lizardtech.com
Thu Jan 10 12:01:36 EST 2002

>I understand how that works.  It gets sent of an IP link... IPSEC 
>provides a secure IP layer.  TCP/IP.. UDP/IP.. call it whatever suits 
>you.  That is exactly what happens in my set up.  I can do 100Mbs solid 
>between my VPNs (encrypted).  They are dedicated hardware devices.  
>Their real IP addresses are firewalled so that they can only see each 
>other only are only visible to each other.

>The latency involved when encrypting the packets and encapsulating in a 
>new IP frame is negligible compared the latency between my sites.

Nice, but a bit expensive for my home networks.

>Tunneling things over ssh is SLOW unless you have a hardware card 
>supported by openssl and utilize that.  Besides, you machine is busy 
>doing other things and shouldn't be bogged down with encryption. Spread 
>is pretty CPU hungry when you start pushing heavy traffic.

I've never noticed a performance problem with SSH, and I usually have
sessions going at once.  The firewall/proxy box *is* a dedicated Linux
but I'll swamp the net bandwidth before I bog the machine down.

>As for administrating yet another configuration...  Your network admin 
>should be responsible for that.  If you are the network admin -- its 
>your job ;-)  Basically, my opinion is that you need a solution or you 
>don't.  The IPSEC solution that I use is probably the most cost 
>effective solution for my needs.  UDP and TCP have little bearing on the

No, software design is my *job* - maintaining this network was supposed to
a *hobby* :-)  I've been a network admin, and believe me, the family is a
more demanding user base than any bunch of cubicle dwellers.  Not only do
demand 24/7 support, but they know where I live :-)

No, the reasons I wanted a TCP tunneling mechanism are:

- it lets me cheaply, securely distribute spread segments
- it's built into spread, so no extra stuff is required (apart from the
tunneling mechanism)
- it works on any platform spread does, including Windows, without OS

I think I'll go wander through the code and see what I can come up with.

More information about the Spread-users mailing list