George Michaelson wrote:
>
>
> It's very unfair to comment or critique from a sketchy reading
> but I'm drawn to the issue of double ip-in-ip wrapping. My
> experience of running VPN over 10/34Mb bandwidth is that with
> the current FreeBSD technology I can't exceed 2mbit bandwidth
> in the VPN, using blowfish-cbc. I also suffer pretty severe
> fragmentation issues with some protocols. Mbone is fine, netmeeting
> isn't. telnet is fine, web is fine, NFS isn't.
I take this as more of a criticism of IPsec; we didn't invent
that, we just use it. The double-wrapping is IPIP; the IPsec
stuff happens only once for the overlay. Our measurements
of IPIP decapsulation overheads are measurable (10% or so
on 200 MHz P-II's), but not too bad. It's a trade-off -
for that performance penalty, you get dynamically-deployed networks.
Fragmentation may occur; we're looking into whether
(and to what extent) PMTU fixes that.
>
> Don't you find that excess IPSEC wraps cost you severely? Maybe
> I'm confusing architectural must-haves with operational issues.
As above, we do IPsec once. The web pages explain the
double-wrap in more detail:
http://www.isi.edu/x-bone/tunneling.html
FWIW...
Joe
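As an added illustration (not code from this thread or from the X-Bone project), the following models the per-packet overhead of two IPIP wraps plus a single ESP layer and shows why full-size and NFS-sized packets fragment on a 1500-byte base link while telnet-sized ones do not. It assumes IPv4 headers without options, ESP with blowfish-cbc (8-byte blocks, 8-byte IV) and no ESP authentication, and ESP applied once between the outermost IPIP header and the rest of the packet.

```python
"""Encapsulation-overhead model for double IPIP + single ESP (added example).
Assumptions: IPv4 headers without options; ESP with blowfish-cbc (8-byte
block, one-block IV), no authentication; ESP applied once, protecting
everything inside the outermost IPIP header."""

IP_HDR = 20        # IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
BLOCK = 8          # blowfish-cbc block size; IV is one block (assumption)


def esp_overhead(plaintext_len, block=BLOCK, icv_len=0):
    """Bytes ESP adds around plaintext_len bytes of protected data."""
    pad = -(plaintext_len + ESP_TRAILER) % block   # align to cipher block
    return ESP_HDR + block + pad + ESP_TRAILER + icv_len


def tunneled_size(inner_len, ipip_layers=2, esp=True):
    """On-the-wire size of an inner_len-byte packet after the overlay wraps."""
    size = inner_len + IP_HDR * ipip_layers
    if esp:
        # ESP protects everything inside the outermost IP header
        size += esp_overhead(size - IP_HDR)
    return size


def max_inner_for_mtu(mtu=1500, **kw):
    """Largest inner packet that crosses the base link without fragmenting."""
    return max(n for n in range(1, mtu + 1) if tunneled_size(n, **kw) <= mtu)


def ip_fragments(datagram_len, mtu=1500):
    """Fragment sizes a host emits for an IPv4 datagram larger than mtu."""
    per_frag = (mtu - IP_HDR) // 8 * 8      # fragment payloads are 8-byte aligned
    payload = datagram_len - IP_HDR
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IP_HDR + chunk)
        payload -= chunk
    return sizes


def outer_fragment_count(datagram_len, mtu=1500, **kw):
    """Fragments on the base link: the host fragments first, then each piece
    is wrapped and may fragment again (the NFS case in the thread)."""
    return sum(-(-tunneled_size(f, **kw) // mtu)
               for f in ip_fragments(datagram_len, mtu))


if __name__ == "__main__":
    print(max_inner_for_mtu())            # 1442 bytes fit in a 1500-byte link
    print(tunneled_size(1500))            # 1564 -> fragments on a 1500 link
    print(outer_fragment_count(60))       # telnet-sized packet: 1
    print(outer_fragment_count(8220))     # 8 KB NFS UDP datagram: 11
```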
This archive was generated by hypermail 2b29 : Thu Nov 18 2004 - 11:21:27 MST