Hi, On Fri, Aug 24, 2018 at 01:11:44PM +0200, Arne Schwabe wrote: > On top of that, a lot of the traffic that the VPN carry today is either > already compressed or encrypted and cannot be compressed any more. So > benefits are diminishing.
This part is true for the "I use a VPN to safely surf the web" use
cases, but not for all cases where OpenVPN is used today. So please do
not make this a "we can stop using compression because it has no benefit
anyway" argument.
[..]
> So my proposal for OpenVPN is:
>
> - Introduce compress-direction asym|full This will control if we
> actively try to compress or just allow receiving of compressed packets
> - change the default mode to be asymmetrical.
> - If compress-direction is missing from the config but comp-lzo/compress
> are present inform the user "WARN: Compression mode set to assymetrical
> to avoid VORACLE like attacks. See the man page on compress-direction
> for more details".
I can live with that, though.
In cases where you know you have compressible data (because not everything
inside the VPN is "https"), and you trust the endpoints ("LAN to LAN", or
"VPN client to corporate servers only") compression can be turned on, but
the default for unsuspecting users is "safe".
> Open Points:
>
> - Gert strongly thinks that some people might want to continue having
> full compression despite the risks. I think it is reasonable to expect
> them to add 'compress-direction full' and push "compress-direction full"
> to the server configuration, so touching clients is not needed.
Agree.
(To repeat my main argument here, for the sake of the archives: OpenVPN
2.x is a toolbox that suits many different purposes. One of them is
"make web surfing for clients safe, via VPN service providers" - this
is an important purpose, and making OpenVPN robust against malicious
software on the client is an important goal. But I am convinced that
OpenVPN 2.x has much bigger usefulness than this, and so we should not
only look at possible code changes and "stop users from shooting their
own feet" from this particular angle. More blunt: follow the unix
matra - "do not stop people from doing stupid stuff, because that would
also stop them from doing smart stuff")
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
