Hi,

On 01/11/17 19:37, Simon Deziel wrote:
> On 2017-11-01 02:08 PM, Steffan Karger wrote:
>> On 01-11-17 17:16, Jan Just Keijser wrote:
>>> On 29/10/17 02:49, Jason Haar wrote:
>>>> Best practice would be to routinely rotate secrets, to mitigate
>>>> configuration misuse/loss, etc.
>>>>
>>>> Due to CAs, certificates already support that concept,
>>>> but tls-auth/tls-auth do not.
>>>>
>>>> So wouldn't it be a good idea to allow tls-auth/tls-crypt to contain
>>>> multiple keys, so that the key could be rotated without an outage
>>>> (really like a "major upgrade"). i.e.
>>>>
>>>> 1. replace server key with one containing old + new
>>>> 2. replace client config, replacing old key with new one
>>>> 3. wait weeks/months (probably) until you know all clients are
>>>> reconfigured
>>>> 4. replace server key with just the new one
>>>> 5. rotation is now complete
>>> Someone else asked me a similar question just lately, so you're not the
>>> only one facing this issue.
>>> There is something to be said for such a replacement scheme, BUT to do
>>> this properly would require an OpenVPN protocol change, IMHO; the
>>> problem is that if you allow multiple tls-auth/tls-crypt keys that you
>>> end up unhashing EVERY packet with EVERY key to see if there is a match.
>>> This will kill performance; performance already takes quite a hit with
>>> tls-auth set.
>> The first byte of an openvpn packet contains an opcode that indicates
>> whether a packet is a control channel packet or a data channel packet.
>> Only control channel packets are affected by tls-auth (or tls-crypt).
>> Data channel performance should be impacted by tls-auth.
> Data channel performance should /not/ be impacted by tls-auth. :)

Of course, Steffan and Simon are absolutely right - I've misread the docs+code
once more: open mouth, insert foot.

However, in my tests I have seen that data channel performance **IS** impacted 
by tls-auth.
I've just repeated one test: 2 servers, connected via gigabit ethernet on a 
quiet network.

OpenVPN 2.4.3 and OpenVPN 2.4.4 running:

Setup 1:
cipher aes-256-cbc
auth   sha256
ncp-disable


Setup 2:
tls-auth /etc/openvpn/ta.key 0|1
cipher aes-256-cbc
auth   sha256
ncp-disable

then run iperf over the tunnel.

In setup 1 I consistently get 244 +/- 4 Mbps
In setup 2 I consistently get 232 +/- 3 Mbps

So even though the impact is not enormous, there DOES seem to be an impact on 
performance when using 'tls-auth' ...

I will dig into this deeper before the hackathon next week.

cheers,

JJK
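The opcode split that Steffan describes, and the "try every key on every packet" cost Jan Just raises for a multi-key tls-auth, as an added Python example that is not part of this thread or of OpenVPN's code. The opcode values are OpenVPN's; the packet layout (header byte, then HMAC tag, then payload) is a constructed simplification, not OpenVPN's real tls-auth wire format, and the keys and payloads are made up.

```python
import hmac
import hashlib

# OpenVPN puts the opcode in the high 5 bits of the first packet byte and the
# key_id in the low 3 bits. Opcode values as used by OpenVPN 2.4.
DATA_OPCODES = {6, 9}                    # P_DATA_V1, P_DATA_V2
CONTROL_OPCODES = {1, 2, 3, 4, 5, 7, 8}  # hard/soft resets, P_CONTROL_V1, P_ACK_V1

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes for HMAC-SHA256


def classify(first_byte):
    """Split the first byte into (channel, opcode, key_id)."""
    opcode, key_id = first_byte >> 3, first_byte & 0x07
    if opcode in DATA_OPCODES:
        return "data", opcode, key_id
    if opcode in CONTROL_OPCODES:
        return "control", opcode, key_id
    return "unknown", opcode, key_id


def make_packet(opcode, key_id, payload, key=None):
    """Constructed layout (assumption, not the real wire format):
    header byte || HMAC-SHA256 tag || payload for control packets,
    header byte || payload for data packets, which tls-auth leaves alone."""
    header = bytes([(opcode << 3) | key_id])
    if key is None:
        return header + payload
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


def authenticate(packet, candidate_keys):
    """Return (channel, index of the key that verified or None, HMACs computed).

    Data packets are passed through without any HMAC work. Control packets are
    tried against each candidate key (e.g. old + new during rotation) until one
    verifies; the third value is the per-packet cost of that search."""
    chan, _, _ = classify(packet[0])
    if chan != "control":
        return chan, None, 0
    header, tag, payload = packet[:1], packet[1:1 + TAG_LEN], packet[1 + TAG_LEN:]
    for i, key in enumerate(candidate_keys):
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            return chan, i, i + 1
    return chan, None, len(candidate_keys)
```

Putting the new key first in the server's candidate list makes the common case after rotation a single HMAC per control packet; the worst case (an unknown or forged key) always costs one HMAC per candidate key.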


Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
