Openvpn is actually detectable apart from regular ssl web servers because while SSL is always authenticated, the very beginning of the session is not encrypted, and handshake parameters will reveal the certificate issuer, and use and such. If a bad guy tried to mangle any of it, it would be detected because it's all signed, but it's clear, and that's how deep packet inspection IDS systems can tell https apart from ssh on port 443 and openvpn on port 443. IPSEC for one purpose though would look identical to IPSEC for any other purpose. It also encapsulates layer 4 stuff, so a bad guy can't manipulate window sizes and send RST packets to DoS your connection. In this sense, IPSEC would have prevented Comcast from attacking their p2p using customers.
Even sneakier VPN systems include ones that tunnel the data through ICMP echo and echo reply packets, and ones that tunnel using DNS queries and responses. While I've never set either of those up, I imagine they are quite slow. I know the former requires some invasive kernel patch as well.
On Mon, Jul 28, 2008 at 14:08, Bradley Hook bhook@kssb.net wrote:
IPSec is very difficult to setup and extremely easy to break. It's easy to end up locking yourself out of remote systems too.
The nice thing about OpenVPN is that you can configure it to do all sorts of sneaky stuff. You could always configure your OpenVPN to run TCP over port 443 (HTTPS), which your ISP would have an awful time trying to block. IPSec won't give you that kind of flexibility, and when your ISP starts seeing those kinds of weird packets they are likely to start filtering them.
IPSec is awesome when you have control over all or most of a network, and want the traffic to be extremely secure. When you start routing it over the public Internet, you can expect problems.
~Bradley
Billy Crook wrote:
Nor am I. But I know that it is available as a module in ddwrt and openwrt, so it is likely also available on tomato, and for the common "router" architectures.
I probably shouldn't have overlooked IPSEC. While significantly more difficult to set up, it works at a lower layer of the stack, and is thus harder to make sense of. Assuming the ISP's tampering works in a default-allow, tamper-by-list setup, IPSEC may work as well as anything else.
On Mon, Jul 28, 2008 at 13:42, Bradley Hook bhook@kssb.net wrote:
OpenVPN seems fairly flexible and is cross platform. Not sure about which CPU architectures it has been ported to though.
~Bradley
Sean Crago wrote:
My DSL provider with the DNS masquerading and Squid transparent proxy is feeding me all sorts of bad DNS information. I think I need to move to the VPN option temporarily. Anyone have any advice on a basic, easy to configure VPN solution? Support by Tomato firmware (a DD-WRT like replacement) to allow my wife's Windows box access and to allow access from my Internet Tablet is deeply desired.
Thanks, Sean Crago
_______________________________________________ Kclug mailing list Kclug@kclug.org http://kclug.org/mailman/listinfo/kclug
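As an added illustration of the DPI point made at the top of this message (example code, not part of the original thread): a small Python classifier that applies the cleartext fingerprints a DPI box would key on to tell a TLS ClientHello, an SSH banner and an OpenVPN-over-TCP session start apart on port 443. The sample byte strings are constructed rather than captured, and the framing constants are assumed from the public TLS, SSH and OpenVPN protocol descriptions.

```python
import struct

# OpenVPN opcodes (high 5 bits of the byte after the TCP length prefix).
# A client's first packet of a session is a HARD_RESET_CLIENT.
OPENVPN_OPCODES = {1: "P_CONTROL_HARD_RESET_CLIENT_V1",
                   7: "P_CONTROL_HARD_RESET_CLIENT_V2"}

# Constructed first client->server bytes of three TCP streams to port 443.
SAMPLES = {
    # TLS record: type 0x16 (handshake), version 3.1, length 0xc5,
    # then handshake type 0x01 (ClientHello), truncated for the example.
    "https": bytes.fromhex("16030100c5010000c10303"),
    # SSH protocol identification string is plain ASCII.
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    # OpenVPN/TCP: 2-byte length (14), opcode byte 0x38 (7<<3 | key_id 0),
    # 8-byte session id, 0 acks, 4-byte packet id. No tls-auth HMAC.
    "openvpn": bytes.fromhex("000e" "38" "0102030405060708" "00" "00000000"),
}


def classify_first_bytes(data: bytes) -> tuple:
    """Return (label, details) for the first cleartext bytes of a stream.

    Only unencrypted framing is inspected, which is exactly what the thread
    says lets an IDS separate https, ssh and openvpn on the same port."""
    # TLS: handshake record, version 3.x, first handshake message ClientHello.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        (rec_len,) = struct.unpack("!H", data[3:5])
        return "https", {"record_version": "3.%d" % data[2], "record_len": rec_len}
    # SSH: banner line before any key exchange.
    if data.startswith(b"SSH-"):
        banner = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "ssh", {"banner": banner}
    # OpenVPN over TCP: length prefix must match, opcode must be a HARD_RESET.
    if len(data) >= 11:
        (plen,) = struct.unpack("!H", data[:2])
        opcode, key_id = data[2] >> 3, data[2] & 0x07
        if plen == len(data) - 2 and opcode in OPENVPN_OPCODES:
            return "openvpn", {"opcode": OPENVPN_OPCODES[opcode], "key_id": key_id,
                               "session_id": data[3:11].hex()}
    return "unknown", {}


def classify_all(samples: dict = SAMPLES) -> dict:
    """Label every sample stream; handy for checking a rule set at once."""
    return {name: classify_first_bytes(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_first_bytes(raw))
```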
On Monday 28 July 2008, Billy Crook wrote:
Even sneakier VPN systems include ones that tunnel the data through ICMP echo and echo reply packets, and ones that tunnel using DNS queries and responses. While I've never set either of those up, I imagine they are quite slow. I know the former requires some invasive kernel patch as well.
Not so much slow as unreliable... to the point of being mostly useless.