Date: Sun, 13 Dec 1998 19:47:48 -0500
From: "Jim Flowers" <jflowers@ezo.net>
To: "Hal Snyder" <hal@enteract.com>
Cc: <skip-info@skip.org>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: SKIP behind NAT with single-homed skiphost
Message-ID: <001401be26fb$5f91f3c0$848266ce@crocus.ezo.net>
-----Original Message-----
From: Hal Snyder <hal@enteract.com>
To: Jim Flowers <jflowers@ezo.net>
Date: Sunday, December 13, 1998 5:15 PM
Subject: Re: SKIP behind NAT with single-homed skiphost

> I don't have a solution to Jim Flowers' question, just more questions
> and comments.
>
> 1. Routing, where the same network is source and destination as in S1
>    and S2 below, makes me uncomfortable. Doesn't that risk an
>    inordinately high collision rate? It certainly at least halves
>    effective bandwidth of the network. Or does this not matter because
>    the WAN link is slow compared to the data rate on network 2?

Nope, works great and you've got the right answer. Even 10Mbps/2 is large
compared to 1.5 Mbps (T-1). Does seem to be some packet processing overhead
but I haven't measured it because most of my VPNs are sub-T1.

> 2. Why is the *tunnel* slow? If this is an admission that SKIP
>    significantly reduces your available bandwidth (other than by #1 on
>    this particular setup) are there estimates on this? [FWIW, I've
>    seen AltaVista Tunnel VPN software apparently reduce available
>    bandwidth by 75% due to CPU load on a) a 100MHz pentium system
>    running Windows 95 AVT client into a 33Kbps line and b) a 200MHz
>    system running NT Server with AVT server into a T1.]

I refer to the tunnel as slow only relatively, because at the parent end it
is restricted by a T-1 and my local connection is a 10Mbps cable modem.

> 3. If Jim's idea of extending NAT to cover protocol 57 is sound, then
>    it should give FreeBSD systems the ability to NAT PPTP if we do the
>    same for GRE (protocol 47).

I'm thinking about this. Before I posted, I hacked natd to recognize SKIP as
IP protocol 57 but quit when a called program didn't appreciate a protocol
that wasn't TCP or UDP. Probably not a significant job for someone who knows
what they are doing.

> 4. I read recently that IPSec is available for FreeBSD. Is there a
>    long term future for SKIP, or will it be superseded sometime soon?

It's only my opinion, but IPSec implemented in a general and interoperable
way over IPv6 or IPv4 for encrypted tunneling is in trouble right now due to
the recent Wassenaar signings. I elected to use SKIP a year ago as the only
real symmetrical key system in widespread operation, anticipating about a
2 year life. Now I think more like 5 years.

> 5. IIRC, the underlying crypto for FreeBSD SKIP traffic is RC4-40. How
>    secure is this?

I don't use the RC4-40, I use MD5 DES-CBC and DES-EDE-K3 as appropriate.
With 2048 kb keys and 30 sec / 512kB changes, I think it's pretty secure.

> 6. The ASCII art was munged. I've guessed at its reconstruction.

Always a problem with W95 clients only capable of variable pitch font
renditions. Unfortunately monospaced fonts look terrible on W95 too. I think
you got the concepts correct. The real point is the single interface at one
end and the natd translation at the other.

Jim

> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
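The natd problem Jim and Hal discuss above (a translator whose tables are keyed on TCP/UDP ports has nothing to key on for SKIP, IP protocol 57, or GRE, protocol 47) comes down to one decision per packet. The following added example is not natd code or anything from this thread; it is an illustrative C classifier that parses a raw IPv4 header, extracts ports only when the protocol actually carries them, and flags packets that a port-based NAT cannot rewrite without protocol-specific support. The packets it inspects are constructed in `build_sample_packet` (hypothetical RFC 1918 addresses, no checksum), and the `PROTO_*` constants and function names are this example's own.

```c
/* Added example: decide whether a port-based NAT (a TCP/UDP-only translation
 * table, as in the natd hack discussed in the thread) can handle an IPv4 packet.
 * Constructed packets only; not natd source code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP  6
#define PROTO_UDP  17
#define PROTO_GRE  47   /* PPTP data channel, mentioned in the thread */
#define PROTO_SKIP 57   /* SKIP, IP protocol 57 */

enum nat_class {
    NAT_PORT_BASED,        /* TCP/UDP: addresses and ports can be rewritten */
    NAT_NEEDS_PROTO_AWARE, /* no ports to key on: needs per-protocol NAT support */
    NAT_MALFORMED          /* header inconsistent with the bytes actually present */
};

struct pkt_info {
    uint8_t  proto;
    uint32_t src, dst;
    uint16_t sport, dport;   /* meaningful only for NAT_PORT_BASED */
    enum nat_class cls;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the IPv4 header and classify the packet for NAT. Every length field is
 * checked against the captured length before it is trusted. */
enum nat_class classify_ipv4(const uint8_t *pkt, size_t len, struct pkt_info *out)
{
    memset(out, 0, sizeof *out);
    out->cls = NAT_MALFORMED;
    if (len < 20 || (pkt[0] >> 4) != 4) return NAT_MALFORMED;
    size_t ihl   = (size_t)(pkt[0] & 0x0f) * 4;   /* header length incl. options */
    size_t total = rd16(pkt + 2);                  /* total length field */
    if (ihl < 20 || ihl > len || total < ihl || total > len) return NAT_MALFORMED;
    out->proto = pkt[9];
    out->src   = rd32(pkt + 12);
    out->dst   = rd32(pkt + 16);
    if (out->proto == PROTO_TCP || out->proto == PROTO_UDP) {
        if (total - ihl < 4) return NAT_MALFORMED; /* truncated transport header */
        out->sport = rd16(pkt + ihl);
        out->dport = rd16(pkt + ihl + 2);
        out->cls = NAT_PORT_BASED;
    } else {
        out->cls = NAT_NEEDS_PROTO_AWARE;          /* SKIP, GRE, ESP, ... */
    }
    return out->cls;
}

/* Build a minimal constructed IPv4 packet: 20-byte header, no options, no
 * checksum, 8 bytes of payload whose first 4 bytes serve as TCP/UDP ports. */
size_t build_sample_packet(uint8_t proto, uint16_t sport, uint16_t dport,
                           uint8_t *buf, size_t cap)
{
    const size_t len = 20 + 8;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 0x45;                       /* version 4, IHL 5 */
    buf[2] = 0; buf[3] = (uint8_t)len;   /* total length */
    buf[8] = 64;                         /* TTL */
    buf[9] = proto;
    /* constructed RFC 1918 addresses: 10.0.0.5 -> 192.168.1.9 */
    buf[12] = 10;  buf[13] = 0;   buf[14] = 0; buf[15] = 5;
    buf[16] = 192; buf[17] = 168; buf[18] = 1; buf[19] = 9;
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return len;
}

/* Build a sample packet for `proto` and classify it; `truncate` hands the
 * classifier fewer bytes than the header claims, as a damaged capture would. */
enum nat_class demo_classify(uint8_t proto, int truncate)
{
    uint8_t buf[64]; struct pkt_info pi;
    size_t n = build_sample_packet(proto, 1234, 80, buf, sizeof buf);
    return classify_ipv4(buf, truncate ? 10 : n, &pi);
}

/* Returns 1 if the ports of a constructed TCP packet round-trip through the parser. */
int demo_ports_match(void)
{
    uint8_t buf[64]; struct pkt_info pi;
    size_t n = build_sample_packet(PROTO_TCP, 1234, 80, buf, sizeof buf);
    return classify_ipv4(buf, n, &pi) == NAT_PORT_BASED && pi.sport == 1234 && pi.dport == 80;
}

int main(void)
{
    static const char *names[] = { "port-based NAT ok", "needs protocol-aware NAT", "malformed" };
    uint8_t protos[] = { PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_SKIP };
    for (size_t i = 0; i < sizeof protos; i++)
        printf("proto %3u: %s\n", protos[i], names[demo_classify(protos[i], 0)]);
    return 0;
}
```

The `NAT_NEEDS_PROTO_AWARE` branch is the point Jim's natd experiment ran into: a SKIP or GRE packet is well-formed, but there is no port pair to index a translation entry, so the translator must either track such flows by protocol and peer address or drop them. The length checks are there because a NAT that trusts the IHL and total-length fields on arbitrary inbound packets reads past its buffer on the first malformed one.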