[stunnel-users] UDP End-points

Les Niles lesniles at narus.com
Wed Nov 3 22:18:37 CET 2004


Pardon my ignorance, but why not run PPP over stunnel and 
then UDP over that?  No new encapsulation to invent.  
Performance would be lousy, so it would be stupid to use 
for some streaming media protocol, but for low-bandwidth 
UDP-based protocols like NTP, DNS, RADIUS, etc. it might 
well be useful.

  -les

-----Original Message-----
From: stunnel-users-bounces at mirt.net On Behalf Of Michal Trojnara
Subject: Re: [stunnel-users] UDP End-points

Leigh,

> Perhaps I wasn't quite as clear as I intended.. :)
> I'm not suggesting that SSL over UDP should be done.. I'm suggesting
> that stunnel could potentially act as a UDP-over-encrypted-TCP
> gateway.

Okay.  Now I understand your idea (I hope).  I would have to design a 
proprietary datagram-over-byte-stream (DOBS) protocol (at least the length of 
UDP packets has to be encoded aside from the content), and then tunnel UDP 
over DOBS over SSL over TCP.

This is why I don't like it:
1. Such tunneling is not very effective.  There's a *huge* protocol 
overhead.
2. It's not standard.  One of the main ideas behind stunnel is its 
interoperability.
3. I think it's much easier to write such an encrypting UDP forwarder from 
scratch using an IPSec-style datagram protocol, than to modify stunnel.
4. It breaks my KISS principle.  8-)

In fact I would really like to find the time (or a sponsor) to develop such 
an encrypting UDP forwarder.

BTW: Maybe it's better to use IPSec or VTUN instead of a proxy?

Best regards,
    Mike 
