Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 14:49, David Sommerseth wrote: > On 06/04/17 15:37, debbie10t wrote: >> Company A has 1,000 vpn users and (for whatever reason) they reboot >> the server every 24 hours. They experience the slow down because all >> their vpn users are permanently connected. They all connect at

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 15:37, debbie10t wrote: > Company A has 1,000 vpn users and (for whatever reason) they reboot > the server every 24 hours. They experience the slow down because all > their vpn users are permanently connected. They all connect at once. > This patch is not trying to address the

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> > > On 06/04/17 12:52, Steffan Karger wrote: >> Hi, >> >> On 6 April 2017 at 12:26, David Sommerseth >> wrote: >>> On 06/04/17 11:45, Simon Matter wrote: > I like Arne's and David's suggestion - the existing option "as is" > will > enable X%

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 14:05, Gert Doering wrote: > Hi, > > On Thu, Apr 06, 2017 at 01:49:04PM +0100, debbie10t wrote: >> As you can see, the current proposal does not allow for first random, >> followed by expected/normal/regular renegs. It is either *always* random >> or *never* random .. I believe this

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> Web servers these days are also multi-threaded (or "multi-forked"), so > they can utilize multiple cores more efficiently. OpenVPN is *single > threaded*. So when one client starts a TLS renegotiation, it blocks all > the other connected clients until the renegotiation has completed. > When

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 14:49, debbie10t wrote: > > As you can see, the current proposal does not allow for first random, > followed by expected/normal/regular renegs. It is either *always* random > or *never* random .. I believe this is a poor decision. Even though I see arguments for first-only, I have no

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Gert Doering
Hi, On Thu, Apr 06, 2017 at 01:49:04PM +0100, debbie10t wrote: > As you can see, the current proposal does not allow for first random, > followed by expected/normal/regular renegs. It is either *always* random > or *never* random .. I believe this is a poor decision. Your voice has been heard,

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 12:52, Steffan Karger wrote: > Hi, > > On 6 April 2017 at 12:26, David Sommerseth > wrote: >> On 06/04/17 11:45, Simon Matter wrote: >>> I like Arne's and David's suggestion - the existing option "as is" will enable X% jitter, while a

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Steffan Karger
Hi, On 6 April 2017 at 12:26, David Sommerseth wrote: > On 06/04/17 11:45, Simon Matter wrote: >> >>> I like Arne's and David's suggestion - the existing option "as is" will >>> enable X% jitter, while a second parameter can specify a more specific >>> range.

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread debbie10t
On 06/04/17 11:26, David Sommerseth wrote: > With the 1 hour default, not setting --reneg-sec gives a time window of > 6 minutes with 10%. That is a reasonable default unless explicitly > overridden by either --reneg-sec 3600 (no randomness) or --reneg-sec > 3000 4000 (with a 1000 seconds

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 11:45, Simon Matter wrote: > >> I like Arne's and David's suggestion - the existing option "as is" will >> enable X% jitter, while a second parameter can specify a more specific >> range. Following Arne's argument about users and percent math, it might >> indeed be better to have

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread David Sommerseth
On 06/04/17 06:08, Илья Шипицин wrote: > > > 2017-04-06 3:26 GMT+05:00 David Sommerseth: > > On 05/04/17 23:43, Илья Шипицин wrote: > > hello! > > > > just curious how renegotiation is handled in

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> Hi, > > On Wed, Apr 05, 2017 at 07:00:54PM +0100, debbie10t wrote: >> > Optional option does not mean that it is disabled by default. If you >> > don't want the randomness you would need to do: >> > >> > reneg-sec 3600 3600 >> > >> > the optional argument also allows it to fine tune it to your needs.

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 06/04/17 00:30, debbie10t wrote: > > One final clarification: > > As a user, I would prefer to see an early 2fa re-connect than one in > the final few minutes, especially if I am already accustomed to a one > hour cut off. Such that, I do 45 mins of work and get cut off is more > annoying

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 23:57, debbie10t wrote: > Hi, > > On 05/04/17 22:39, David Sommerseth wrote: >> On 05/04/17 23:13, debbie10t wrote: >>> I don't believe there is any need to specify "max" because that would be >>> --reneg-sec as is. Otherwise specify a smaller or larger --reneg-sec >> >> I think you,

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
One final clarification: As a user, I would prefer to see an early 2fa re-connect than one in the final few minutes, especially if I am already accustomed to a one hour cut off. Such that, I do 45 mins of work and get cut off is more annoying than doing 15 mins and get cut off. Regards

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 23:43, Илья Шипицин wrote: > hello! > > just curious how renegotiation is handled in "https" ? > is it "an abbreviated ssl handshake" (RFC 2246) or ... ? The HTTPS and OpenVPN protocols are not comparable in this regard at all. AFAIR, OpenVPN does not make use of the TLS renegotiation

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
On 05/04/17 23:01, debbie10t wrote: > > > On 05/04/17 22:57, debbie10t wrote: >> Hi, >> >> On 05/04/17 22:39, David Sommerseth wrote: >>> On 05/04/17 23:13, debbie10t wrote: I don't believe there is any need to specify "max" because that would be --reneg-sec as is. Otherwise

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
On 05/04/17 22:57, debbie10t wrote: > Hi, > > On 05/04/17 22:39, David Sommerseth wrote: >> On 05/04/17 23:13, debbie10t wrote: >>> I don't believe there is any need to specify "max" because that would be >>> --reneg-sec as is. Otherwise specify a smaller or larger --reneg-sec >> >> I think you,

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
Hi, On 05/04/17 22:39, David Sommerseth wrote: > On 05/04/17 23:13, debbie10t wrote: >> I don't believe there is any need to specify "max" because that would be >> --reneg-sec as is. Otherwise specify a smaller or larger --reneg-sec > > I think you, probably without being aware of it, are

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Илья Шипицин
hello! just curious how renegotiation is handled in "https" ? is it "an abbreviated ssl handshake" (RFC 2246) or ... ? 2017-04-06 2:39 GMT+05:00 David Sommerseth <open...@sf.lists.topphemmelig.net>: > On 05/04/17 23:13, debbie10t wrote: > > I don't believe there is any need to specify "max"

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 23:13, debbie10t wrote: > I don't believe there is any need to specify "max" because that would be > --reneg-sec as is. Otherwise specify a smaller or larger --reneg-sec I think you, probably without being aware of it, are agreeing to what the current proposal is: --reneg-sec max

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 22:42, Gert Doering wrote: > Following Arne's argument about users and percent math, it might > indeed be better to have "min max" here ("3500 3600"), because that is > really easy to understand and explain. I agree to Arne's approach, using only min/max values instead of a

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
On 05/04/17 21:42, Gert Doering wrote: > Hi, > > On Wed, Apr 05, 2017 at 07:00:54PM +0100, debbie10t wrote: >>> Optional option does not mean that it is disabled by default. If you >>> don't want the randomness you would need to do: >>> >>> reneg-sec 3600 3600 >>> >>> the optional argument also

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Gert Doering
Hi, On Wed, Apr 05, 2017 at 07:00:54PM +0100, debbie10t wrote: > > Optional option does not mean that it is disabled by default. If you > > don't want the randomness you would need to do: > > > > reneg-sec 3600 3600 > > > > the optional argument also allows it to fine tune it to your needs. > > As

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
On 05/04/17 18:13, Arne Schwabe wrote: > >>> >>> Where RAND indicates that the first-run timer should run from a random >>> integer from 1 upto the value of --reneg-sec. RAND does not require a >>> user to specify an amount. >> >> But then, why not just do it always and forget about the

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Arne Schwabe
>> >> Where RAND indicates that the first-run timer should run from a random >> integer from 1 upto the value of --reneg-sec. RAND does not require a >> user to specify an amount. > > But then, why not just do it always and forget about the additional option? > Optional option does not mean

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Simon Matter
> > > On 05/04/17 17:13, debbie10t wrote: >> >> >> On 05/04/17 16:58, David Sommerseth wrote: >>> On 05/04/17 17:53, David Sommerseth wrote: On 05/04/17 16:42, debbie10t wrote: > >> > > A different approach could be like so: > > --reneg-sec 3600 >

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
On 05/04/17 17:13, debbie10t wrote: > > > On 05/04/17 16:58, David Sommerseth wrote: >> On 05/04/17 17:53, David Sommerseth wrote: >>> On 05/04/17 16:42, debbie10t wrote: > A different approach could be like so: --reneg-sec 3600 --reneg-sec-1sttime-rand 1|0 (The

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Arne Schwabe
would probably be a good idea to enable that. > As I understand it client and server have 60 min. by default. Whatever is > configured, the smaller value wins. That means, bad clients can set their > reneg-sec to very low values and trash the server on the other end. From > the server side this
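The three points the thread turns on (Simon Matter's note above that OpenVPN is single threaded, so one client's TLS renegotiation blocks every other client; debbie10t's "Company A" scenario where 1,000 clients reconnect together after a nightly server reboot and then renegotiate in lock step; and Arne Schwabe's remark here that the smaller of the client and server --reneg-sec values wins) can be made concrete with a small scheduling model. The following is an added illustration written for this listing, not OpenVPN code and not the patch under review. It compares a fixed timer with the proposed `reneg-sec MIN MAX` range, in both the "randomise only the first interval" and "randomise every interval" variants debated in the thread, and counts how many renegotiations land in the same second. The per-handshake server cost `RENEG_COST_SEC` and the placement of the "X%" window just below the configured value are assumptions (the thread only gives the window size: 6 minutes for 10% of an hour).

```python
"""Toy model of renegotiation load on a single-threaded OpenVPN server.

Added illustration for this thread, not OpenVPN code or the patch under
review. All clients connect at t=0 (server restart) and schedule their
TLS renegotiations in one of three ways:

  fixed          classic --reneg-sec N, no randomness ("reneg-sec 3600 3600")
  first_random   only the first interval is drawn from [MIN, MAX]; later
                 renegotiations are MAX apart (the "first-only" variant)
  always_random  every interval is drawn from [MIN, MAX] ("reneg-sec MIN MAX")
"""
import random
from collections import Counter

# Constructed: server-side CPU time per TLS renegotiation, in seconds.
RENEG_COST_SEC = 0.05


def effective_reneg_sec(client_sec, server_sec):
    """Per the thread, the smaller configured value wins, so a client
    setting a very low --reneg-sec forces that rate onto the server."""
    return min(client_sec, server_sec)


def percent_window(reneg_sec, pct):
    """'X% jitter' expressed as a [min, max] range. Placing the window just
    below the configured value is an assumption; the thread only fixes its
    width (10% of 3600 s is a 6 minute window)."""
    return reneg_sec - int(reneg_sec * pct), reneg_sec


def schedule(rng, mode, min_sec, max_sec, rounds):
    """Absolute renegotiation times for one session connected at t=0."""
    times, t = [], 0
    for i in range(rounds):
        if mode == "fixed":
            t += max_sec
        elif mode == "first_random":
            t += rng.randint(min_sec, max_sec) if i == 0 else max_sec
        elif mode == "always_random":
            t += rng.randint(min_sec, max_sec)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        times.append(t)
    return times


def simulate(n_clients, mode, min_sec=3000, max_sec=4000, rounds=3, seed=1):
    """Return (peak renegotiations in any one second, worst stall in seconds)
    for n_clients that all connected at t=0."""
    rng = random.Random(seed)
    per_second = Counter()
    for _ in range(n_clients):
        for t in schedule(rng, mode, min_sec, max_sec, rounds):
            per_second[t] += 1
    peak = max(per_second.values())
    # Single-threaded server: k renegotiations in the same second stall
    # every other connected client for roughly k * RENEG_COST_SEC.
    return peak, round(peak * RENEG_COST_SEC, 3)


def compare(n_clients=1000):
    """Peak per-second renegotiation count for each timer mode."""
    return {mode: simulate(n_clients, mode)[0]
            for mode in ("fixed", "first_random", "always_random")}


if __name__ == "__main__":
    for mode, peak in compare().items():
        print(f"{mode:14s} peak/sec = {peak:4d}  "
              f"worst stall ~ {peak * RENEG_COST_SEC:.2f}s")
    lo, hi = percent_window(3600, 0.10)
    print(f"10% window on 3600 s: {lo}..{hi} ({hi - lo} s)")
    print("client 600 vs server 3600 ->", effective_reneg_sec(600, 3600), "s")
```

With a fixed timer every one of the 1,000 sessions renegotiates in the same second of every round, so the whole population is serialised behind one burst each hour; either random variant spreads the same work over the configured range, and because the first-round offsets persist, randomising only the first interval already removes the lock step. The `effective_reneg_sec` helper is the reason the thread treats server-side jitter as insufficient on its own: a client that sets a very small value decides the rate for both ends regardless of what the server configured.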

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 17:53, David Sommerseth wrote: > On 05/04/17 16:42, debbie10t wrote: >> >> >> On 05/04/17 05:34, Simon Matter wrote: > Hi, > > On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote: >> Interesting to see that there is zero interest in this patch here. > >

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 16:42, debbie10t wrote: > > > On 05/04/17 05:34, Simon Matter wrote: Hi, On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote: > Interesting to see that there is zero interest in this patch here. This is a misinterpretation. >>> >>> Hi Gert,

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread debbie10t
On 05/04/17 05:34, Simon Matter wrote: >>> Hi, >>> >>> On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote: Interesting to see that there is zero interest in this patch here. >>> >>> This is a misinterpretation. >>> >> >> Hi Gert, >> >> Thanks for the explanation, I'll be patient

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 14:36, Simon Matter wrote: >> On 05/04/17 09:31, Steffan Karger wrote: >>> Hi, >>> >>> On 05-04-17 08:57, Gert Doering wrote: On Wed, Apr 05, 2017 at 06:34:34AM +0200, Simon Matter wrote: > I've attached v2 now which works without any config change: [..] > I prefer

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Simon Matter
> On 05/04/17 09:31, Steffan Karger wrote: >> Hi, >> >> On 05-04-17 08:57, Gert Doering wrote: >>> On Wed, Apr 05, 2017 at 06:34:34AM +0200, Simon Matter wrote: I've attached v2 now which works without any config change: >>> [..] I prefer this version as it allows everybody to profit

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread David Sommerseth
On 05/04/17 09:31, Steffan Karger wrote: > Hi, > > On 05-04-17 08:57, Gert Doering wrote: >> On Wed, Apr 05, 2017 at 06:34:34AM +0200, Simon Matter wrote: >>> I've attached v2 now which works without any config change: >> [..] >>> I prefer this version as it allows everybody to profit from it

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Steffan Karger
Hi, On 05-04-17 08:57, Gert Doering wrote: > On Wed, Apr 05, 2017 at 06:34:34AM +0200, Simon Matter wrote: >> I've attached v2 now which works without any config change: > [..] >> I prefer this version as it allows everybody to profit from it without >> touching any config files. > > I can see

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Gert Doering
Hi, On Wed, Apr 05, 2017 at 06:34:34AM +0200, Simon Matter wrote: > I've attached v2 now which works without any config change: [..] > I prefer this version as it allows everybody to profit from it without > touching any config files. I can see the reasoning, but 25% feels a bit on the high side

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-04 Thread Simon Matter
>> Hi, >> >> On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote: >>> Interesting to see that there is zero interest in this patch here. >> >> This is a misinterpretation. >> > > Hi Gert, > > Thanks for the explanation, I'll be patient then :) > > If it's preferred for the patch to keep