In article <[EMAIL PROTECTED]>, Antony Stone <[EMAIL PROTECTED]> wrote:
>3. However, if you want something simpler and easier, which still provides
>you with an encrypted tunnel, take a look at running PPP through an SSH link
>- it's a very simple idea which works well, and is pretty flexible about what
>you can shovel down the link.
>
>http://www.linuxdoc.org/HOWTO/mini/ppp-ssh

PPP over SSH (or any solution that involves nesting one TCP session inside another TCP session) is a really bad idea, especially if there is any kind of packet loss involved--you might find yourself asking "Why do I need an OC3 feed to get a link slower than a 9600 bps modem on a noisy line?" among other problems.

TCP *relies* on packet loss and predictable latency in order to optimize itself for available bandwidth, and TCP running on top of another TCP will defeat the algorithms TCP uses. Your PPP over SSH link *will* get slower and slower until it crashes every time you try to use it to move any non-trivial amount of data. Even IP-over-HTTP (i.e. one HTTP 1.1 request per packet, with keepalives and a very short timeout) is better than PPP-over-SSH.

CIPE is a nice simple stand-alone kernel module which packages IP inside encrypted UDP packets. There are relatively few knobs to tweak, it acts just like any other network interface, and the code has been mostly stable for years now. You get behavior equivalent to what you would get with a straight IP connection, except for a few percent of overhead per packet. It's a nice solution for people who don't want to know how to configure IPSec.

-- 
Zygo Blaxell (Laptop) <[EMAIL PROTECTED]>
GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
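
A toy model of the stacked retransmission timers behind the TCP-over-TCP problem discussed in this message, added here as an example and not part of the original post. The single-segment model, the timer values and the function names are constructed assumptions, not measurements of PPP-over-SSH or CIPE.

```python
# Toy model (constructed; not a real TCP stack) of one inner-TCP segment
# crossing a tunnel while the underlying path is down for `outage` seconds.

def backoff_times(rto, horizon):
    """Send times for one segment: t=0, then retries on a doubling timer."""
    t, times = 0.0, []
    while t <= horizon:
        times.append(t)
        t += rto
        rto *= 2
    return times

def first_at_or_after(times, outage):
    """First send attempt that happens once the path is usable again."""
    hit = next((s for s in times if s >= outage), None)
    if hit is None:
        raise ValueError("outage outlasts the simulated horizon")
    return hit

def simulate(outage, tunnel, inner_rto=1.0, outer_rto=3.0, horizon=120.0):
    """Return (delivery_time, copies_carried) for one inner segment.

    tunnel="udp": each inner transmission is one datagram; copies sent during
                  the outage are simply lost, so the inner TCP sees the loss.
    tunnel="tcp": the tunnel accepts every inner transmission into its own
                  reliable, ordered stream and retries on its own timer, so
                  the inner TCP sees only delay and keeps retransmitting.
    """
    inner_sends = backoff_times(inner_rto, horizon)
    if tunnel == "udp":
        return first_at_or_after(inner_sends, outage), 1
    if tunnel == "tcp":
        delivered = first_at_or_after(backoff_times(outer_rto, horizon), outage)
        # Every inner copy queued before the tunnel recovers must still be
        # delivered, although the receiver needs only one of them.
        copies = sum(1 for s in inner_sends if s <= delivered)
        return delivered, copies
    raise ValueError("tunnel must be 'udp' or 'tcp'")

if __name__ == "__main__":
    for outage in (0, 5, 20, 60):
        for tunnel in ("udp", "tcp"):
            t, n = simulate(outage, tunnel)
            print(f"outage={outage:>2}s {tunnel}: delivered at {t:>5.1f}s, "
                  f"{n} copies carried")
```

In this model the duplicates carried by the TCP tunnel are traffic the link must still deliver after it recovers, which is bandwidth taken from new data.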
