Hi,
On 07/11/18 16:53, Pieter Hulshoff wrote:
Hello Jan,
2018-11-07 16:22 GMT+01:00 Jan Just Keijser <[email protected]
<mailto:[email protected]>>:
The MTU is NOT adjusted for the IP address inside or outside the
tunnel: the IP address inside the tunnel is part of the payload
and the outside IP address is not included in the MTU at all. It
would mean that the MTU is also dependent on whether IPv6 traffic
is tunneled or not...
You're probably right with regard to tun-mtu vs link-mtu, but my
numbers focused on the amount of data added to each packet, in which
case the IP and UDP header should be included. The question is
basically: if I encrypt a 64-byte packet, what will the size of my
encrypted packet be? This can be rather important with regard to
theoretical maximum throughput (which we're aiming towards achieving,
of course).
Do you by chance know how the 8 byte HMAC key part of the IV is
determined?
If you're talking about the GCM implicit IV, then have a look at ssl.c,
function generate_key_expansion().
It contains the following:
    /* Initialize implicit IVs: key2 holds one key slot per direction, so the
     * encrypt context takes slot [server] and the decrypt context slot
     * [1 - server]; the implicit IV is carved out of each slot's HMAC key. */
    key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac,
                               MAX_HMAC_KEY_LENGTH);
    key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac,
                               MAX_HMAC_KEY_LENGTH);

    ret = true;
[...]
}

static void
key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
{
    const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);

    /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
    if (cipher_kt_mode_aead(cipher_kt))
    {
        size_t impl_iv_len = 0;
        /* The cipher IV must leave room for the 4-byte packet id prefix. */
        ASSERT(cipher_kt_iv_size(cipher_kt) >= OPENVPN_AEAD_MIN_IV_LEN);
        /* Implicit part = cipher IV size minus the explicit packet id. */
        impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type);
        ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH);
        ASSERT(impl_iv_len <= key_len);
        memcpy(ctx->implicit_iv, key, impl_iv_len);
        ctx->implicit_iv_len = impl_iv_len;
    }
}
which - apart from casting the boolean 'server' to an integer and then
performing things like (1-int(server)) - is fairly straightforward.
AFAICT the IV is set as the 4-byte PacketID + the first 8 bytes of the
encryption and decryption keys.
I hope that Steffan can shed a more authoritative light on this :)
hth,
JJK
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
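The derivation Jan quotes above, reproduced in Python as an added example (this is not OpenVPN's code, and it is not from either poster). It mirrors the two functions from ssl.c: implicit_iv() does what key_ctx_update_implicit_iv() does for an AEAD cipher, and key_contexts() does the crosswise slot selection from generate_key_expansion(), so you can see that the client's encrypt context and the server's decrypt context end up with the same implicit IV. The constant values (OPENVPN_AEAD_MIN_IV_LEN, OPENVPN_MAX_IV_LENGTH, MAX_HMAC_KEY_LENGTH) and the 12-byte GCM IV size are assumptions about the build, and the key material is constructed with SHA-512, not taken from a real session. The one property worth keeping in mind, which is general to GCM rather than specific to this thread: the implicit part is fixed for the lifetime of the key, so nonce uniqueness rests entirely on the 32-bit packet id never repeating under that key.

```python
"""Added example, not OpenVPN's code: the AEAD implicit-IV derivation from
the ssl.c fragment above, in Python, so the resulting per-packet nonce can be
inspected.  Constants are assumed to match OpenVPN's crypto.h; the key
material is constructed, not real."""
import hashlib
import struct

# Assumed values (OpenVPN crypto.h); only the relations between them matter.
PACKET_ID_SIZE = 4               # sizeof(packet_id_type): a 32-bit counter
OPENVPN_AEAD_MIN_IV_LEN = 12     # packet id + at least 8 implicit bytes
OPENVPN_MAX_IV_LENGTH = 16
MAX_HMAC_KEY_LENGTH = 64
GCM_IV_SIZE = 12                 # assumed cipher_kt_iv_size() for AES-*-GCM


def implicit_iv(hmac_key: bytes, cipher_iv_size: int, aead: bool = True) -> bytes:
    """Mirror of key_ctx_update_implicit_iv(): for an AEAD cipher, take the
    first (cipher IV size - sizeof(packet_id_type)) bytes of the slot's HMAC
    key material; for a non-AEAD cipher there is no implicit IV at all."""
    if not aead:
        return b""
    if cipher_iv_size < OPENVPN_AEAD_MIN_IV_LEN:
        raise ValueError("cipher IV too short for packet id + implicit part")
    impl_len = cipher_iv_size - PACKET_ID_SIZE
    if impl_len > OPENVPN_MAX_IV_LENGTH or impl_len > len(hmac_key):
        raise ValueError("implicit IV length out of range")
    return bytes(hmac_key[:impl_len])


def aead_nonce(packet_id: int, implicit: bytes) -> bytes:
    """Per-packet GCM nonce: the 4-byte packet id in network byte order (the
    explicit part that travels on the wire) followed by the implicit part.
    The implicit part never changes under a key, so uniqueness of the nonce
    is exactly uniqueness of the packet id under that key."""
    if not 0 <= packet_id <= 0xFFFFFFFF:
        raise ValueError("packet id must fit in 32 bits")
    return struct.pack("!I", packet_id) + implicit


def key_contexts(key2, server: bool, cipher_iv_size: int = GCM_IV_SIZE):
    """Mirror of the generate_key_expansion() fragment: key2 holds one slot per
    direction; the encrypt context uses slot [server] and the decrypt context
    slot [1 - server], so the two peers' contexts line up crosswise."""
    enc = implicit_iv(key2[int(server)]["hmac"], cipher_iv_size)
    dec = implicit_iv(key2[1 - int(server)]["hmac"], cipher_iv_size)
    return enc, dec


def constructed_key2():
    """Constructed key material (not from a real session): two 64-byte HMAC
    slots, the size OpenVPN's key2 holds after TLS key expansion."""
    return [
        {"hmac": hashlib.sha512(b"constructed hmac slot 0").digest()},
        {"hmac": hashlib.sha512(b"constructed hmac slot 1").digest()},
    ]


if __name__ == "__main__":
    key2 = constructed_key2()
    c_enc, c_dec = key_contexts(key2, server=False)
    s_enc, s_dec = key_contexts(key2, server=True)
    print("client encrypt implicit IV:", c_enc.hex())
    print("server decrypt implicit IV:", s_dec.hex())
    for pid in (1, 2, 0xFFFFFFFF):
        print(f"packet id {pid:>10}: nonce {aead_nonce(pid, c_enc).hex()}")
```

Run it and compare the first 8 bytes of the nonce tail against the HMAC slot: that is the "8 byte HMAC key part of the IV" Pieter asked about, with the packet id in front of it making up the 12 bytes GCM expects.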