SSH over UDP

Abstract

The SSH protocol provides many invaluable network features over encrypted channels. In version 4.3 of the OpenSSH implementation, VPN functionality is also supported, where actual IP packets from other applications are captured and tunneled via OpenSSH to the remote location. OpenSSH is using TCP consistently for all its network connections and thus for its VPN feature. This causes the VPN feature to tunnel one TCP connection within another TCP connection. Many sources say that TCP in TCP tunneling, under realistic conditions, can give rise to conflicts between the two TCP implementations and that TCP in TCP should be avoided. Many SSH and SSL VPN solutions use this functionality anyway and it seems to work. To see whether a UDP based solution would perform better than a TCP based solution on links experiencing packet loss, we have modified the OpenSSH implementation by adding support for a UDP base connection to its VPN functionality. The modification was tested and compared to the original implementation using a test network, in which packet loss was emulated. The performance of the implementations is compared in terms of bandwidth for different rates of packet loss. We have shown that a UDP based solution performs slightly better than a TCP based solution. The most gain in performance, from using a UDP base connection, was detected when ACKs belonging to the tunneled connection where lost.