Is "TCP over TCP" a good idea?
Though many other VPN implementations adopt a "TCP over TCP" solution, Rockhopper basically supports the position of "Why TCP Over TCP Is A Bad Idea":
- Duplicated TCP processing (flow control, retransmission and congestion control) is done for each TCP packet, once by the inner TCP and once by the tunneling TCP. The two layers can interact in unpredictable ways, so there is a real possibility of performance trouble with the TCP session.
- In general, TCP is not very appropriate for real-time traffic.
- Although it depends on the VPN implementation, datagram packets, for which reliability is not necessary, may also be serialized and queued in the tunneling TCP stack while the tunneled packets are being retransmitted, or many TCP sessions may be consumed both for tunneling and for the upper-layer applications.
- VPN implementations adopting a "TCP over TCP" method do not protect the TCP layer itself. Recently, many vulnerabilities in the TCP layer, which could potentially be used for DoS and DDoS attacks, have been discovered.
- Is it really true that transparency for firewalls, as offered by an SSL-VPN solution, is comfortable for security administrators?
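The first and third points above (duplicated retransmission logic, and packets queued in the tunnel's TCP stack while it is retransmitting) can be seen in a toy simulation. The following is an added example, not Rockhopper's code: it models one inner TCP segment sent through either a UDP or a TCP tunnel across a constructed link outage, with both layers using a stop-and-wait sender and exponential RTO backoff. The one-way delay, the initial RTO and the outage length are assumptions chosen for illustration, and the ack path is assumed to be loss-free once the outage ends.

```python
from collections import deque

ONE_WAY_MS = 10        # assumed one-way delay of the physical path
RTO_INIT_MS = 200      # assumed initial RTO for both the inner and the outer TCP
OUTAGE_END_MS = 1000   # constructed fault: every packet put on the wire before this instant is lost


class Retransmitter:
    """Stop-and-wait sender with exponential RTO backoff (one segment outstanding)."""

    def __init__(self, rto_init=RTO_INIT_MS):
        self.rto_init = rto_init
        self.rto = rto_init
        self.deadline = None

    def arm(self, now):
        self.deadline = now + self.rto

    def expired(self, now):
        return self.deadline is not None and now >= self.deadline

    def backoff(self):
        self.rto *= 2

    def acked(self):
        self.rto = self.rto_init
        self.deadline = None


def simulate(tunnel, outage_end_ms=OUTAGE_END_MS, max_ms=120_000):
    """Send one inner TCP segment through a 'udp' or 'tcp' tunnel across an outage.

    Returns wire transmissions, inner retransmissions, the time the inner
    segment is acknowledged, and the time the tunnel is finally idle (all in ms).
    """
    assert tunnel in ("udp", "tcp")
    inner, outer = Retransmitter(), Retransmitter()
    outer_queue = deque()   # copies of the inner segment sitting in the outer TCP send buffer
    outer_inflight = False
    events = []             # ack-return times of packets that survived the wire
    stats = {"wire_sends": 0, "inner_retransmissions": 0,
             "inner_ack_ms": None, "tunnel_idle_ms": None}

    def put_on_wire(now):
        stats["wire_sends"] += 1
        if now < outage_end_ms:
            return                            # dropped by the constructed outage
        events.append(now + 2 * ONE_WAY_MS)   # data lands at +10 ms, ack is back at +20 ms

    def inner_send(now, retransmission):
        if retransmission:
            stats["inner_retransmissions"] += 1
        if tunnel == "udp":
            put_on_wire(now)             # loss is visible to the inner TCP, which backs off
        else:
            outer_queue.append(now)      # loss is hidden: the outer TCP owns delivery
        inner.arm(now)

    for now in range(max_ms + 1):
        # 1. packets whose ACK returns now
        while now in events:
            events.remove(now)
            if stats["inner_ack_ms"] is None:
                stats["inner_ack_ms"] = now
                inner.acked()
            if tunnel == "tcp":
                outer_queue.popleft()
                outer_inflight = False
                outer.acked()
        # 2. inner TCP: first transmission, then timeout-driven retransmissions
        if now == 0:
            inner_send(now, retransmission=False)
        elif stats["inner_ack_ms"] is None and inner.expired(now):
            inner.backoff()
            inner_send(now, retransmission=True)
        # 3. outer TCP (tcp tunnel only): retransmit on timeout, else send the next queued copy
        if tunnel == "tcp":
            if outer_inflight and outer.expired(now):
                outer.backoff()
                put_on_wire(now)
                outer.arm(now)
            elif not outer_inflight and outer_queue:
                outer_inflight = True
                put_on_wire(now)
                outer.arm(now)
        # 4. finished once the inner segment is acked and nothing is left to deliver
        if stats["inner_ack_ms"] is not None and not outer_queue and not events:
            stats["tunnel_idle_ms"] = now
            break
    return stats


if __name__ == "__main__":
    for outage in (OUTAGE_END_MS, 5000):
        for tunnel in ("udp", "tcp"):
            print(f"outage {outage:>5} ms, {tunnel} tunnel: {simulate(tunnel, outage)}")
```

With the 1000 ms outage the UDP tunnel puts 4 copies on the wire and is idle as soon as the inner segment is acknowledged at 1420 ms. The TCP tunnel never tells the inner TCP about the loss, so the inner timer keeps queuing duplicates into the outer send buffer; after the link recovers the outer TCP dutifully delivers all 7 copies and stays busy until 1480 ms. A 5000 ms outage widens the gap (6 versus 11 wire transmissions), and since one TCP tunnel carries every tunneled flow in order, those queued duplicates hold up all other traffic behind them.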
See also "Understanding TCP over TCP: Effects of TCP Tunneling on End-to-End Throughput and Latency" (PDF) for a useful analysis based on simulation experiments.