[pptp-server] PPTP masquerade && MS non-compliance

Allan Clark allanc at caldera.com
Fri Jun 22 14:20:17 CDT 2001


Jamin;


You're shifting the overhead from the RAM to the CPU


Jamin Collins wrote:
> Charlie Brady [mailto:charlieb at e-smith.com] wrote:
> > > We need to consider not just whether someone else did something,
> > > but whether it is the right thing to do.  For me, it's simple,
> > > it's not the right thing to do.
> >
> > Perhaps you could explain. Supporting multiple concurrent masqueraded
> > connections to the same destination would add value to the
> > users. Can it be done? Can it be done reliably?
> 
> First, what are good reasons to have multiple connections to the same
> destination?  Second, each connection has overhead associated with it, on
> both ends.  Thus, two client machines routed through a single VPN connection
> to a remote network has a better throughput to overhead ratio than both
> clients making their own connections.  

Your solution requires the interposing box, the masquerade box, to
actually interpret and aggregate the state-changes of each hidden
connection into its single control channel, which itself could be
aggregated by another system down the line.

This requires the masquerade system to understand the full state-machine
for the PPTP connection/disconnection/exception-handling.  That's quite
a bit to put into a proxying system that normally proxies at a lower OSI
layer than what you're suggesting.  You're converting the IP Masquerade
from the simplicity of a routing bridge to the complexity of a
boundary gateway (unpacks and re-packs packets, may convert format).

The engineering effort to make this happen would be incredible.

Don't forget that it costs processor cycles to unpack, interpret, and
rebuild packets.  You're shifting the overhead from the RAM to the CPU.

Allan
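To make concrete the "full state-machine" the reply above says a masquerade box would have to carry, here is an added example that is not code from the pptp-server project or from anyone in this thread. It is a minimal tracker for the TCP/1723 control channel of one hidden client: it parses the RFC 2637 control-message header (length, message type, magic cookie, control message type), follows connection setup and call setup, and records which call IDs belong to which internal client so that a GRE packet arriving from the VPN server can be handed to the right hidden host. The class and function names, the small `Masquerader` table and the constructed messages in the usage are my own; only the header layout, the control-message type numbers and the Outgoing-Call-Request/Reply field order are taken from RFC 2637 as I recall it.

```python
"""Sketch of per-client PPTP control-channel state a masquerading box must keep.

Assumption (labelled): layout follows RFC 2637: a 12-byte header of
  Length(2) | PPTP Message Type(2) | Magic Cookie(4) | Control Message Type(2) | Reserved(2)
then message-specific fields. Only the fields needed to follow call setup are parsed.
"""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1                      # PPTP Message Type 1 = control message
SCCRQ, SCCRP, STOPCCRQ = 1, 2, 3      # Start/Stop-Control-Connection-Request/Reply
OCRQ, OCRP = 7, 8                     # Outgoing-Call-Request / Outgoing-Call-Reply
HEADER = struct.Struct("!HHIHH")


def parse_header(data):
    """Return (length, control_type); raise ValueError on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("short PPTP header")
    length, msg_type, cookie, ctrl_type, _ = HEADER.unpack_from(data)
    if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if length != len(data):
        raise ValueError("length field does not match frame size")
    return length, ctrl_type


def build(ctrl_type, body=b""):
    """Build a control message (used here to construct sample traffic)."""
    return HEADER.pack(HEADER.size + len(body), CTRL_MESSAGE, MAGIC_COOKIE, ctrl_type, 0) + body


class ControlChannel:
    """State of one hidden client's control connection to the VPN server."""

    def __init__(self):
        self.state = "IDLE"   # IDLE -> SCCRQ_SENT -> ESTABLISHED -> CLOSED
        self.calls = {}       # client-assigned call ID -> server-assigned call ID (None until OCRP)

    def feed(self, direction, data):
        """direction is 'out' (client -> server) or 'in' (server -> client)."""
        _, ctrl = parse_header(data)
        body = data[HEADER.size:]
        if ctrl == SCCRQ and direction == "out" and self.state == "IDLE":
            self.state = "SCCRQ_SENT"
        elif ctrl == SCCRP and direction == "in" and self.state == "SCCRQ_SENT":
            self.state = "ESTABLISHED"
        elif ctrl == OCRQ and direction == "out" and self.state == "ESTABLISHED":
            (call_id,) = struct.unpack_from("!H", body)       # first OCRQ field: Call ID
            self.calls[call_id] = None
        elif ctrl == OCRP and direction == "in":
            # OCRP: Call ID (server's), Peer's Call ID (the one from our OCRQ), Result Code
            srv_id, peer_id, result = struct.unpack_from("!HHB", body)
            if peer_id in self.calls and result == 1:         # 1 = connected
                self.calls[peer_id] = srv_id
            else:
                self.calls.pop(peer_id, None)
        elif ctrl == STOPCCRQ:
            self.state, self.calls = "CLOSED", {}
        return self.state


class Masquerader:
    """Table a NAT box would need: internal host -> its control-channel state."""

    def __init__(self):
        self.clients = {}

    def channel(self, internal_ip):
        return self.clients.setdefault(internal_ip, ControlChannel())

    def owner_of_inbound_gre(self, call_id):
        """GRE from the server carries the *client's* call ID; find that client.
        Two hidden clients choosing the same call ID would collide here, which is
        part of why the box would have to rewrite, not just forward, these packets."""
        owners = [ip for ip, ch in self.clients.items() if call_id in ch.calls]
        if len(owners) != 1:
            return None
        return owners[0]


if __name__ == "__main__":
    # Constructed sample exchange for one hidden host (not captured traffic).
    nat = Masquerader()
    ch = nat.channel("192.168.1.10")
    ch.feed("out", build(SCCRQ))
    ch.feed("in", build(SCCRP))
    ch.feed("out", build(OCRQ, struct.pack("!H", 5)))
    ch.feed("in", build(OCRP, struct.pack("!HHBBH", 9, 5, 1, 0, 0)))
    print(ch.state, ch.calls, nat.owner_of_inbound_gre(5))
```

The point the block makes is the one in the message: even this stripped-down version has to parse two message formats, hold a per-client state machine and keep a call table, and it still does not handle error replies, echo keepalives, incoming calls or call-ID collisions between hidden hosts.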


