[CentOS] regarding vpn server for 1500 clients

Robert Moskowitz rgm at htt-consult.com
Fri Dec 19 19:56:39 UTC 2008

Les Mikesell wrote:
> Robert Moskowitz wrote:
>>>>>> How about lots of GRE tunnels? :-)
>>>>> I've done that with a few connections - mostly connecting to Cisco 
>>>>> routers to pass multicast streams.  I'm not sure how it would scale up 
>>>>> in terms of the interface numbers and managing routes but it should work.
>>>> What was the network environment like that the tunnels went over?
>>> Some over the internet, some private, but always with fixed src/dest 
>>> addresses and nothing going over them that couldn't have run unencrypted 
>>> over the internet.
>> RED (Random Early Discard) was specifically developed and deployed to 
>> break flows that lacked congestion control. CeeUceeME was the big 
>> culprit at the time. Multicast streams could have a lot of data lose if 
>> RED is needed to manage congestion.
> Where would this happen - and would it happen to the encapsulating GRE 
> packets or just bare udp multicast?

Any router could employ RED in a congestion situation. The buffer 
reaches n% full and m randomly selected packets in the buffer are 
silently dropped. The buffer is compressed and the router gets on with 
its life. This is better than the router stopping receiving incoming 
packets until its buffer empties a bit.

A protocol that has flow control, like TCP will deal with the packet 
loss. A couple packets will not disrupt an audio stream. But if the 
protocol is going gangbusters and just tossing out packets as fast as it 
can, then it could have a LOT of packets tossed out at the congested 
router, and BAM, the protocol breaks.

Back when Tony Li coded it for the backbone Cisco routers and it was 
deployed overnight with no testing (those were the Internet days), the 
CeeUceeMe programmers over at CMU refused to implement any flow control. 
It had gotten so bad, that the EU nets were ready to put a block on its 
protocol number. Then someone thought up RED, Tony coded it up, and all 
those CeeUCeeMe streams broke. The programmers at CMU finally got it....

A little Internet history there.....

So any UDP protocol that does not implement flow control can suffer big 
time. On a SIP call, you might see it as your voice breaking up like a 
cell call in a 'bad' area. Or with video it could be an image freeze.

GRE just sometimes would mess up a protocol's reaction to congestion 
that it was a worst response. Of course, this was 10 years ago, and lots 
of apps are much smarter. But some programmers still develop on a local 
LAN and expect to see the same dynamics on the broader Internet....

More information about the CentOS mailing list