> Hi,
>
> our setup needs openvpn UDP/TLS tunnels with dynamic client IP addresses, so
> I implemented a fix for the bug #49 that has been open for over two years.
>
> The patch is for version 2.2.2 as I had trouble compiling the 2.3.x tarball
> from openvpn.net. As the solution is rather simple (just two small utility
> functions in mudp.c) I'd guess it could be comfortably migrated to 2.3.x.
>
> Basically what the fix does is the following: incoming data channel UDP
> packets from an unknown IP are matched against existing UDP/TLS sessions, and
> if the packet passes the HMAC authentication against an existing TLS context
> we know the client IP has changed and the session state will be instantly
> updated accordingly.
>
> I have tested this fix to some extent, and the IP handover works impressively
> smoothly in my test setup where I randomly switch between two routes from
> client to server.
>
> Dynamic client IPs are enabled/disabled with --float on the server side.
>
> Please feel free to contact me for any questions etc.
This is not a full review of the patch, just a few quick remarks.

This patch seems to do (number of tunnels) HMACs for any packet received from an unknown IP. If this is correct, couldn't a server with a couple thousand tunnels be brought just by sending it a few hundred packets a second?

authenticate_tls_packet() contains a for() loop, but I see no code path that actually loops - everything seems to return immediately?

memcmp() should be replaced by a constant-time function to prevent timing attacks (probably only realistic on a server with a single tunnel); even then, this patch allows determining the (approximate) number of tunnels in use by looking at processing time.

I haven't looked at how this interacts with other features; it's at least noteworthy that the floating behavior can't be specified on a per-connection basis.

Joachim
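The two review points above (an O(number of tunnels) HMAC cost for every packet from an unknown source, and a non-constant-time tag comparison) can be made concrete with a small model of the float lookup. The following is an added example written for this page, not the patch's mudp.c code nor anything from OpenVPN: it keeps the patch's idea (try the packet's HMAC against every existing session when the source address is unknown) but uses `hmac.compare_digest` instead of a plain memcmp() and puts a token bucket in front of the unknown-source path so a flood cannot force unbounded HMAC work. Session keys, addresses and packet contents are constructed for the demo; `FloatingServer`, `TokenBucket` and the per-packet `hmac_ops` counter are this example's own names.

```python
import hmac
import hashlib
import os

TAG_LEN = 32  # HMAC-SHA256 tag prepended to each constructed data packet


class Session:
    """One TLS/data-channel session: its HMAC key and current client address."""
    def __init__(self, sid, key, addr):
        self.sid = sid
        self.key = key
        self.addr = addr


class TokenBucket:
    """Bounds how many unknown-source packets per second get the O(N) lookup."""
    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def make_packet(key, payload):
    """Constructed packet format: HMAC-SHA256 tag || payload."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def verify_tag(key, packet):
    if len(packet) < TAG_LEN:
        return False
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest runs in time independent of where the bytes differ;
    # memcmp()/== returns at the first mismatch and leaks that position.
    return hmac.compare_digest(tag, expected)


class FloatingServer:
    def __init__(self, float_enabled=True, unknown_rate=10, unknown_burst=5):
        self.float_enabled = float_enabled
        self.sessions = []
        self.by_addr = {}
        self.bucket = TokenBucket(unknown_rate, unknown_burst)
        self.hmac_ops = 0  # HMAC verifications performed, to expose per-packet cost

    def add_session(self, sid, key, addr):
        s = Session(sid, key, addr)
        self.sessions.append(s)
        self.by_addr[addr] = s
        return s

    def receive(self, src_addr, packet, now=0.0):
        s = self.by_addr.get(src_addr)
        if s is not None:                      # known source: exactly one HMAC
            self.hmac_ops += 1
            return ("ok", s.sid) if verify_tag(s.key, packet) else ("drop", None)
        if not self.float_enabled:             # --float off: unknown sources are dropped
            return ("drop", None)
        if not self.bucket.take(now):          # cap the expensive path
            return ("ratelimited", None)
        for cand in self.sessions:             # the patch's approach: up to N HMACs
            self.hmac_ops += 1
            if verify_tag(cand.key, packet):
                del self.by_addr[cand.addr]    # client moved: rebind the session
                cand.addr = src_addr
                self.by_addr[src_addr] = cand
                return ("floated", cand.sid)
        return ("drop", None)


def demo(n_sessions=1000):
    srv = FloatingServer(unknown_rate=10, unknown_burst=5)
    keys = [os.urandom(32) for _ in range(n_sessions)]
    for i, k in enumerate(keys):
        srv.add_session(i, k, ("10.0.0.1", 40000 + i))     # constructed client addresses
    out = {}
    new_addr = ("198.51.100.9", 5000)                        # constructed: client changed route
    out["float"] = srv.receive(new_addr, make_packet(keys[7], b"data"), now=0.0)
    out["after_float"] = srv.receive(new_addr, make_packet(keys[7], b"more"), now=0.0)
    before = srv.hmac_ops
    out["garbage"] = srv.receive(("203.0.113.5", 1), b"\x00" * 64, now=0.0)
    out["garbage_cost"] = srv.hmac_ops - before              # one bogus packet == n_sessions HMACs
    flood = [srv.receive(("203.0.113.6", p), b"\x00" * 64, now=0.0) for p in range(10)]
    out["flood_accepted"] = sum(1 for r in flood if r[0] == "drop")
    out["flood_limited"] = sum(1 for r in flood if r[0] == "ratelimited")
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that a single unauthenticated packet from an unknown address costs as many HMAC computations as there are sessions, which is the amplification the first remark describes; the bucket turns that into a fixed budget per second rather than a per-packet cost the sender controls. The timing-side-channel remark is only partly addressed by `compare_digest`: the number of candidates tried before a match still shows up in response time, as the review notes.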