Gert Doering wrote:
> Hi,
>
> On Mon, Nov 30, 2015 at 09:54:32PM +1300, Jason Haar wrote:
>
>> eg, if there's no UDP error checking built into openvpn, then shouldn't
>> DNS lookups (ie udp inside a udp openvpn tunnel) fail a lot? Or is the
>> Internet generally so reliable that it doesn't matter? (eg 1% packet
>> loss on Internet leads to 1% packet loss inside openvpn tunnel?)
>>
>
> This is how it is: if you have packet loss outside, you have packet loss
> inside the tunnel as well - for good reason, OpenVPN does not add a
> reliability layer here, because we have one: TCP.
>
> If a DNS query gets lost, DNS knows how to retransmit - and this is how
> layering is supposed to work.
>
> Imagine doing real-time audio over OpenVPN. If a packet gets lost, you
> hear a bit of noise, but then the stream goes on. If the lower layers
> do retransmission, the stream will stop until the missing packet has been
> retransmitted, and then you're out of sync... what now?
>

I agree with both you and Steffan, but there *is* an interesting tidbit in the OpenVPN manual page:
    In this sense, it could be argued that TCP tunnel transport is preferred
    when tunneling non-IP or UDP application protocols which might be
    vulnerable to a message deletion or reordering attack which falls within
    the normal operational parameters of IP networks. So I would make the
    statement that one should never tunnel a non-IP protocol or UDP
    application protocol over UDP, if the protocol might be vulnerable to a
    message deletion or reordering attack that falls within the normal
    operating parameters of what is to be expected from the physical IP
    layer. The problem is easily fixed by simply using TCP as the VPN
    transport layer.

(in the section --replay-window)

In general, however, one should run OpenVPN over UDP wherever possible, as a
TCP-over-TCP penalty is far worse than a UDP-over-UDP penalty/reordering attack.

JM2CW,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
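The manual text quoted above lives in the --replay-window section because the replay window is where "reordering within normal IP parameters" meets the tunnel's anti-replay check: a datagram that arrives late but still inside the window is accepted, a duplicate packet ID is dropped, and a datagram that falls behind the window is dropped even if it was legitimate. The following is an added illustration, not code from this thread or from OpenVPN itself: a simplified, independent implementation of the standard sliding-window anti-replay scheme (the ReplayWindow class, the simulate() helper and the constructed packet-ID sequences are all assumptions made for this example). It shows why a UDP-carried protocol that cannot tolerate loss or reordering gets no help from the tunnel, while TCP transport would have delivered every packet in order.

```python
"""Sliding-window anti-replay check, a simplified stand-in for the kind of
window that OpenVPN's --replay-window option sizes.  Independent example code:
not OpenVPN's implementation, and the class/function names are assumptions."""

from dataclasses import dataclass


@dataclass
class ReplayWindow:
    size: int = 64      # how many packet IDs behind the newest one are still acceptable
    highest: int = 0    # highest packet ID accepted so far (0 = nothing seen yet)
    bitmap: int = 0     # bit i set  =>  packet ID (highest - i) has been seen

    def check(self, pkt_id: int) -> bool:
        """Return True and record the ID if it is acceptable, False if it must be dropped."""
        if pkt_id <= 0:
            return False                      # packet IDs are assumed to start at 1
        if pkt_id > self.highest:
            # Newer than anything seen: slide the window forward and mark this ID.
            shift = pkt_id - self.highest
            if shift >= self.size:
                self.bitmap = 1               # jumped past the whole window; only this ID is set
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = pkt_id
            return True
        diff = self.highest - pkt_id
        if diff >= self.size:
            return False                      # too old: fell behind the window, treated like a replay
        if (self.bitmap >> diff) & 1:
            return False                      # already seen: a genuine replay
        self.bitmap |= 1 << diff              # late but inside the window: accept once
        return True


def simulate(ids, size=64):
    """Feed one delivery order of packet IDs through a fresh window.

    Returns (accepted, dropped) so the effect of reordering and replay is visible."""
    window = ReplayWindow(size=size)
    accepted, dropped = [], []
    for pkt_id in ids:
        (accepted if window.check(pkt_id) else dropped).append(pkt_id)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed delivery orders (not captured traffic):
    print("mild reorder, size 64:", simulate([1, 2, 3, 5, 4, 6]))        # all accepted
    print("replayed ID 2:        ", simulate([1, 2, 3, 2]))              # second 2 dropped
    print("late but in window:   ", simulate([1, 6, 3], size=4))         # 3 accepted
    print("late, behind window:  ", simulate([1, 6, 2], size=4))         # 2 dropped
```

The last two runs are the case the manual is describing: with a small window, the same amount of network reordering is either harmless or turns into packet loss for the inner protocol, and nothing in the UDP tunnel will retransmit what was dropped. A larger --replay-window widens the tolerance for reordering at the cost of a larger replay bitmap per connection; switching the transport to TCP removes the reordering entirely, at the TCP-over-TCP cost the message mentions.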