On Fri, Aug 24, 2018 at 01:11:44PM +0200, Arne Schwabe wrote:
> On top of that, a lot of the traffic that the VPN carry today is either
> already compressed or encrypted and cannot be compressed any more. So
> benefits are diminishing.

This part is true for the "I use a VPN to safely surf the web" use
cases, but not for all cases where OpenVPN is used today.  So please do
not make this a "we can stop using compression because it has no benefit
anyway" argument.

> So my proposal for OpenVPN is:
> - Introduce compress-direction asym|full This will control if we
> actively try to compress or just allow receiving of compressed packets
> - change the default mode to be asymmetrical.
> - If compress-direction is missing from the config but comp-lzo/compress
> are present inform the user "WARN: Compression mode set to asymmetrical
> to avoid VORACLE like attacks. See the man page on compress-direction
> for more details".

I can live with that, though.  

In cases where you know you have compressible data (because not everything 
inside the VPN is "https"), and you trust the endpoints ("LAN to LAN", or
"VPN client to corporate servers only") compression can be turned on, but 
the default for unsuspecting users is "safe".

> Open Points:
> - Gert strongly thinks that some people might want to continue having
> full compression despite the risks. I think it is reasonable to expect
> them to add 'compress-direction full' and push "compress-direction full"
>  to the server configuration, so touching clients is not needed.


(To repeat my main argument here, for the sake of the archives: OpenVPN
2.x is a toolbox that suits many different purposes.  One of them is 
"make web surfing for clients safe, via VPN service providers" - this
is an important purpose, and making OpenVPN robust against malicious
software on the client is an important goal.  But I am convinced that 
OpenVPN 2.x has much bigger usefulness than this, and so we should not
only look at possible code changes and "stop users from shooting their
own feet" from this particular angle.  More blunt: follow the unix
mantra - "do not stop people from doing stupid stuff, because that would
also stop them from doing smart stuff")


"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
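An added illustration, not part of this thread and not OpenVPN code, of the compression side channel that the proposed "asym" default is meant to close. zlib stands in for the LZO/LZ4 compressors OpenVPN actually uses; the leak comes from LZ77-style back-references, not from any one library. The secret "Cookie: session=k3y9ax", the attacker-chosen text and the 36-character alphabet are all made up for the demo. One endpoint of the tunnel sends a packet whose plaintext carries attacker-influenced bytes next to a secret, and an observer on the wire sees only the packet length. When that endpoint compresses what it sends (the "full" mode) the length shrinks whenever the guessed byte is right, so the secret falls out byte by byte. When it does not compress outbound data (the proposed "asym" default: accept compressed packets, never produce them) every guess yields the same length and there is nothing to measure.

```python
"""Toy model of a CRIME/VORACLE-style compression oracle.

Constructed for illustration only: the secret, the attacker-controlled text
and the alphabet are made up, and zlib stands in for OpenVPN's LZO/LZ4.
"""
import zlib
from typing import Optional

# Constructed secret that rides in the same plaintext as attacker-influenced
# data (think: a cookie header in an HTTP request whose URL the attacker chose).
SECRET = "Cookie: session=k3y9ax"
KNOWN_PREFIX = "Cookie: session="     # the attacker already knows the field name
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def tunnel_packet_len(attacker_text: str, compress: bool) -> int:
    """Length of one tunnel payload as an on-path observer would see it.

    compress=True  models an endpoint that compresses what it sends ("full").
    compress=False models the proposed "asym" default: this endpoint never
    compresses outbound data, so the length does not depend on content.
    Encryption is left out: it adds a fixed overhead (or block padding, which
    costs the attacker more queries but does not remove the signal).
    """
    plaintext = (attacker_text + "\n" + SECRET).encode()
    return len(zlib.compress(plaintext, 9)) if compress else len(plaintext)


def next_secret_byte(known: str, compress: bool) -> Optional[str]:
    """Try every candidate for the byte after `known`.

    The right candidate extends the back-reference into SECRET by one byte,
    replacing an 8-bit literal, so the compressed packet gets shorter.
    Returns None when every candidate ties, i.e. the oracle gives no signal.
    """
    lengths = {c: tunnel_packet_len(known + c, compress) for c in ALPHABET}
    shortest = min(lengths.values())
    winners = [c for c, n in lengths.items() if n == shortest]
    return winners[0] if len(winners) == 1 else None


def recover_secret(known: str, n_bytes: int, compress: bool) -> Optional[str]:
    """Byte-at-a-time recovery driven only by observed packet lengths."""
    for _ in range(n_bytes):
        c = next_secret_byte(known, compress)
        if c is None:
            return None          # no length difference to exploit
        known += c
    return known


if __name__ == "__main__":
    unknown = len(SECRET) - len(KNOWN_PREFIX)
    print("full mode :", recover_secret(KNOWN_PREFIX, unknown, compress=True))
    print("asym mode :", recover_secret(KNOWN_PREFIX, unknown, compress=False))
```

The prefix is deliberately 16 bytes long so that every guess sits at a distance where a correct byte always saves a whole byte of deflate output; with a shorter prefix the Huffman bit alignment can swallow a single-bit saving at some positions, which is the kind of noise a real attacker pays for with more queries rather than a failed attack. Note that the setting modelled by `compress` governs only what this endpoint emits; whether the peer compresses in the other direction is the peer's own configuration.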

Openvpn-devel mailing list
