> > I'm actually *more* interested in the potential for incompatibilities
> > if we start setting the TOS bits — as we saw with stupid firewalls
> > dropping packets when ECN was in use. That sounds like a much more
> > reasonable argument for not doing --passtos by default, although even
> >
On 26 Oct 2015 00:44, "David Woodhouse" wrote:
>
> On Mon, 2015-10-26 at 00:15 +0100, Steffan Karger wrote:
> > On Mon, Oct 26, 2015 at 12:09 AM, Steffan Karger
wrote:
> > > For
> > > covert channels, it means 23 possible values per 1500-byte packet, or
>
On Mon, 2015-10-26 at 00:15 +0100, Steffan Karger wrote:
> On Mon, Oct 26, 2015 at 12:09 AM, Steffan Karger wrote:
> > For
> > covert channels, it means 23 possible values per 1500-byte packet, or
> > ~5 bits for BF, and 12 possible values (~4 bits) for AES-CBC. That is
> >
On Mon, Oct 26, 2015 at 12:09 AM, Steffan Karger wrote:
> For
> covert channels, it means 23 possible values per 1500-byte packet, or
> ~5 bits for BF, and 12 possible values (~4 bits) for AES-CBC. That is
> still less than the 8 bits QoS/ToS.
Grmbl, at the moment I hit send I
Hi,
On Fri, Oct 23, 2015 at 12:49 PM, David Woodhouse wrote:
> I prefer to remain consistent with OpenVPN and other tools where
> possible, so we've renamed the option to '--passtos' and my first
> reaction was to disable it by default, like OpenVPN does.
>
> Looking at it
Since I seem to have accidentally come out of lurk mode anyway...
Someone has submitted a patch for OpenConnect¹ to implement something
very much like OpenVPN's --passtos option.
I prefer to remain consistent with OpenVPN and other tools where
possible, so we've renamed the option to