Hi, On Fri, Aug 24, 2018 at 01:11:44PM +0200, Arne Schwabe wrote: > On top of that, a lot of the traffic that the VPN carry today is either > already compressed or encrypted and cannot be compressed any more. So > benefits are diminishing.
This part is true for the "I use a VPN to safely surf the web" use cases, but not for all cases where OpenVPN is used today. So please do not make this a "we can stop using compression because it has no benefit anyway" argument. [..] > So my proposal for OpenVPN is: > > - Introduce compress-direction asym|full This will control if we > actively try to compress or just allow receiving of compressed packets > - change the default mode to be asymmetrical. > - If compress-direction is missing from the config but comp-lzo/compress > are present inform the user "WARN: Compression mode set to assymetrical > to avoid VORACLE like attacks. See the man page on compress-direction > for more details". I can live with that, though. In cases where you know you have compressible data (because not everything inside the VPN is "https"), and you trust the endpoints ("LAN to LAN", or "VPN client to corporate servers only") compression can be turned on, but the default for unsuspecting users is "safe". > Open Points: > > - Gert strongly thinks that some people might want to continue having > full compression despite the risks. I think it is reasonable to expect > them to add 'compress-direction full' and push "compress-direction full" > to the server configuration, so touching clients is not needed. Agree. (To repeat my main argument here, for the sake of the archives: OpenVPN 2.x is a toolbox that suits many different purposes. One of them is "make web surfing for clients safe, via VPN service providers" - this is an important purpose, and making OpenVPN robust against malicious software on the client is an important goal. But I am convinced that OpenVPN 2.x has much bigger usefulness than this, and so we should not only look at possible code changes and "stop users from shooting their own feet" from this particular angle. More blunt: follow the unix matra - "do not stop people from doing stupid stuff, because that would also stop them from doing smart stuff") gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel