[asterisk-users] New thread - SIP over VPN
Hans Witvliet
hwit at a-domani.nl
Sun Sep 27 07:30:12 CDT 2009
On Sat, 2009-09-26 at 22:47 -0700, Dave Platt wrote:
> >> Isn't an SSL based tunnel all TCP?
>
> There seems to be a good deal of feeling (and evidence) that
> trying to use TCP as the container for a tunnel is likely
> to cause more trouble than it solves. Yes, the TCP layer
> will make the tunnel "reliable" - but at the expense of
> adding unpredictable amounts of latency, due to TCP's
> built-in exponential-backoff retry timing. Things get
> *really* nasty if you try to wrap one TCP connection in
> another, because both connections will be independently
> retrying any lost or delayed packets - you'll end up
> retransmitting quite a bit more data than you would if
> you simply used TCP/IP (or TCP/IP wrapped in UDP/IP)
> and throughput will suffer.
>
That is the main reason why the widespread use of (TCP) SSH-tunnels is
discouraged: you get a TCP-protocol encapsulated in another
TCP-layer.
Missing frames will be corrected by the outermost TCP-protocol-suite,
however as soon as you have a bad connection (often wifi) and are
confronted with timeouts, re-transmissions will only make things worse,
and you end up with a snowball-effect.
So I would opt for ipsec-tunnel or openvpn with UDP.
If you have a rock-solid connection you could even use an openSSH-vpn
tunnel.
hw
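
The retransmission pile-up discussed in this thread can be put in numbers with a toy model. This is an added example, not part of either poster's message; it assumes a single inner TCP segment, a retransmission timeout that simply doubles on each retry, an unbounded tunnel send buffer, and constructed values for the outage length and round-trip time.

```python
"""Toy model: one inner TCP segment crossing a tunnel during a link outage."""

def backoff_times(stop_at, rto=1.0, max_rto=60.0):
    """Send times (s) of one segment under a doubling RTO. The last entry
    is the first attempt made at or after `stop_at`."""
    times, t = [], 0.0
    while True:
        times.append(t)
        if t >= stop_at:
            return times
        t += rto
        rto = min(rto * 2, max_rto)

def udp_tunnel(outage, inner_rto=1.0):
    """UDP tunnel: packets sent while the link is down are simply lost.
    Only the inner TCP retries, so exactly one copy reaches the far end."""
    delivered_at = backoff_times(outage, inner_rto)[-1]
    return delivered_at, 1

def tcp_tunnel(outage, inner_rto=1.0, outer_rto=1.0, rtt=0.05):
    """TCP tunnel: the outer TCP queues every inner copy and guarantees its
    delivery. The inner TCP keeps retrying until its ACK comes back, and
    each of those retries is one more copy the outer stream must carry."""
    outer_recovers = backoff_times(outage, outer_rto)[-1]
    ack_at = outer_recovers + rtt
    inner_sends = [t for t in backoff_times(ack_at, inner_rto) if t < ack_at]
    return outer_recovers, len(inner_sends)

if __name__ == "__main__":
    # Constructed outage lengths in seconds.
    for outage in (2, 10, 40):
        u_time, u_copies = udp_tunnel(outage)
        t_time, t_copies = tcp_tunnel(outage)
        print(f"outage {outage:>2}s  UDP tunnel: {u_copies} copy at {u_time:.0f}s"
              f"  TCP tunnel: {t_copies} copies at {t_time:.0f}s")
```

In this model the segment arrives at the same moment either way, but the TCP tunnel delivers every queued duplicate as well, and the number of duplicates grows with the length of the outage.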