Re: [Openvpn-devel] [RFC] --passtos default on/off, and IPv6.

> > I'm actually *more* interested in the potential for incompatibilities > > if we start setting the TOS bits — as we saw with stupid firewalls > > dropping packets when ECN was in use. That sounds like a much more > > reasonable argument for not doing --passtos by default, although even > >

Re: [Openvpn-devel] [RFC] --passtos default on/off, and IPv6.

On 26 Oct 2015 00:44, "David Woodhouse" wrote: > > On Mon, 2015-10-26 at 00:15 +0100, Steffan Karger wrote: > > On Mon, Oct 26, 2015 at 12:09 AM, Steffan Karger wrote: > > > For > > > covert channels, it means 23 possible values per 1500-byte packet, or >

Re: [Openvpn-devel] [RFC] --passtos default on/off, and IPv6.

On Mon, 2015-10-26 at 00:15 +0100, Steffan Karger wrote: > On Mon, Oct 26, 2015 at 12:09 AM, Steffan Karger wrote: > > For > > covert channels, it means 23 possible values per 1500-byte packet, or > > ~5 bits for BF, and 12 possible values (~4 bits) for AES-CBC. That is > >

Re: [Openvpn-devel] [RFC] --passtos default on/off, and IPv6.

On Mon, Oct 26, 2015 at 12:09 AM, Steffan Karger wrote: > For > covert channels, it means 23 possible values per 1500-byte packet, or > ~5 bits for BF, and 12 possible values (~4 bits) for AES-CBC. That is > still less than the 8 bits QoS/ToS. Grmbl, at the moment I hit send I

Re: [Openvpn-devel] [RFC] --passtos default on/off, and IPv6.

Hi, On Fri, Oct 23, 2015 at 12:49 PM, David Woodhouse wrote: > I prefer to remain consistent with OpenVPN and other tools where > possible, so we've renamed the option to '--passtos' and my first > reaction was to disable it by default, like OpenVPN does. > > Looking at it

[Openvpn-devel] [RFC] --passtos default on/off, and IPv6.

Since I seem to have accidentally come out of lurk mode anyway... Someone has submitted a patch for OpenConnect¹ to implement something very much like OpenVPN's --passtos option. I prefer to remain consistent with OpenVPN and other tools where possible, so we've renamed the option to