OpenVPN TCP vs UDP
Ben Scott
dragonhawk at gmail.com
Thu Jul 12 17:14:50 EDT 2007
On 7/12/07, Thomas Charron <twaffle at gmail.com> wrote:
> UDP is not bidirectional by nature.
I'm not really sure what you think that proves. IP is
connectionless, too. But most application protocols *are*
bidirectional by nature, including just about every UDP protocol ever
invented, including DNS, NTP, BOOTP/DHCP, SNMP, etc., etc., etc.
> People have used it in this manner because a long time ago Linksys ...
Um, NAT was around long before LinkSys began selling cheap routers.
UDP is no harder (or easier) to do dynamic NAT with than TCP is. In
both cases, all you have to do is note the peer IP address and both
port numbers, and create a temporary forwarding rule. Because TCP is
connection-oriented, you can also expire the rule when the connection
is closed, which is nice. UDP does not give you that. Otherwise, TCP
and UDP NAT is identical. Heck, the field offsets for the port
numbers are the same; if you didn't worry about closing TCP earlier,
you could use the same code for both.
Maybe you're thinking of stateless packet filter firewalls, a la
Linux 2.0. Because TCP is connection-oriented, you can cheaply block
incoming TCP connection attempts by looking for the SYN bit. No such
luck with UDP.
> But generally, most home users *ARE* IWF users. :-)
IWF is generally reserved for people who go beyond mere ignorance.
It's especially used for those who panic every time their firewall
says it blocked an inbound connection. For example, calling their ISP
abuse desk because of a traceroute. It's also used for firewall
admins who do things like block all ICMP messages because "it's
dangerous", while allowing completely unrestricted TCP 80.
-- Ben
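An added example, not from Ben's post or the list, to make the NAT argument concrete: one port unpack serves both transports because the port fields sit at the same offsets, a dynamic rule is keyed on peer address plus both ports, TCP rules can go away on close while UDP rules can only time out, and the stateless SYN check is a separate, TCP-only trick. All names and addresses are constructed; dropping the rule on the first FIN seen is a simplification of what a real connection tracker does.

```python
import struct
# Ports sit at offsets 0 and 2 of both the TCP and the UDP header: one unpack serves both.
PORT_FIELDS = struct.Struct("!HH")
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10   # TCP flags byte lives at header offset 13
def ports(l4):
    return PORT_FIELDS.unpack_from(l4, 0)      # (src_port, dst_port), TCP or UDP alike

def is_inbound_tcp_attempt(l4):                 # the stateless-filter rule from the post
    return bool(l4[13] & TCP_SYN) and not (l4[13] & TCP_ACK)   # SYN without ACK

class DynamicNat:
    """Toy dynamic NAT (constructed): rules keyed on peer IP plus both port numbers.
    TCP rules are dropped on FIN (simplified: first FIN seen); UDP rules only time out."""
    def __init__(self, public_ip, udp_timeout=30.0, first_port=40000):
        self.public_ip, self.udp_timeout, self.next_port = public_ip, udp_timeout, first_port
        self.out_map = {}   # (proto, priv_ip, priv_port, peer_ip, peer_port) -> rule
        self.in_map = {}    # (proto, pub_port, peer_ip, peer_port) -> rule
    def _remove(self, rule):
        del self.out_map[rule["out_key"]], self.in_map[rule["in_key"]]
    def _expire_udp(self, now):
        for rule in [r for r in self.in_map.values() if r["in_key"][0] == "udp"]:
            if now - rule["last"] > self.udp_timeout:
                self._remove(rule)
    def translate_out(self, proto, src_ip, dst_ip, l4, now):
        """Private -> public: create or refresh the rule and return the public (ip, port)."""
        sport, dport = ports(l4)
        out_key = (proto, src_ip, sport, dst_ip, dport)
        rule = self.out_map.get(out_key)
        if rule is None:                              # first packet of this flow: new rule
            rule = {"out_key": out_key, "in_key": (proto, self.next_port, dst_ip, dport),
                    "priv": (src_ip, sport), "pub_port": self.next_port, "last": now}
            self.out_map[out_key] = self.in_map[rule["in_key"]] = rule
            self.next_port += 1
        rule["last"] = now
        if proto == "tcp" and l4[13] & TCP_FIN:       # TCP tells us the flow is closing
            self._remove(rule)
        return self.public_ip, rule["pub_port"]
    def translate_in(self, proto, peer_ip, l4, now):
        """Public -> private: (priv_ip, priv_port) for a known flow, else None (dropped)."""
        self._expire_udp(now)
        sport, dport = ports(l4)                      # peer's port, then our public port
        rule = self.in_map.get((proto, dport, peer_ip, sport))
        if rule is None:
            return None
        rule["last"] = now
        return rule["priv"]
def tcp_header(sport, dport, flags):                  # constructed 20-byte TCP header
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
def udp_header(sport, dport):                         # constructed 8-byte UDP header
    return struct.pack("!HHHH", sport, dport, 8, 0)
```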
More information about the gnhlug-discuss mailing list