Re: [Openvpn-users] VPN without encryption and auth

2017-08-07 Thread Yevgeny Kosarzhevsky
Thank you Stefan for nice explanation.

On 6 August 2017 at 21:44, Steffan Karger wrote:

> The average per-packet overhead of this solution is 20 (IP) + 8 (UDP) +
> 4 (average CBC padding for BF-CBC) or 8 (average CBC padding for AES) =
> 32 or 36 bytes.
>
> The average per-packet overhead of the AES-128-GCM/AES-256-GCM is 20
> (IP) + 8 (UDP) + 4 (GCM IV) + 16 (GCM tag) = 48 bytes.
>
> So the difference is just 12 or 16 bytes, but gives you a huge gain in
> security.  On top of that, GCM gives you a very nice hardware speedup on
> modern CPUs.
>

12 or 16 bytes is a huge difference when we speak about an original packet
size of 40-60 bytes.
Of course it's OK when the packet size is large enough.

-- 
Regards,
Yevgeny
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] VPN without encryption and auth

2017-08-06 Thread Steffan Karger
Hi,

On 06-08-17 10:35, Yevgeny Kosarzhevsky wrote:
> OpenVPN without encryption or with weak encryption using '--auth none
> --no-iv --no-replay' is still a great tool for tunneling traffic over the
> UDP protocol. IPIP, L2TP or other known tunneling solutions may be blocked
> in certain countries. This is the reason I would vote to keep the no-iv
> option in the upcoming 2.5 release.

As of 2.4, OpenVPN supports the lower-overhead AES-GCM crypto modes.
Consider using these instead.

The average per-packet overhead of this solution is 20 (IP) + 8 (UDP) +
4 (average CBC padding for BF-CBC) or 8 (average CBC padding for AES) =
32 or 36 bytes.

The average per-packet overhead of the AES-128-GCM/AES-256-GCM is 20
(IP) + 8 (UDP) + 4 (GCM IV) + 16 (GCM tag) = 48 bytes.

So the difference is just 12 or 16 bytes, but gives you a huge gain in
security.  On top of that, GCM gives you a very nice hardware speedup on
modern CPUs.

(The old AES-CBC + HMAC-SHA1 would add up to 20 (IP) + 8 (UDP) + 16 (IV)
+ 4 (packet id) + 8 (avg. CBC padding) + 20 (HMAC-SHA1) = 76 bytes. Or
64 bytes for BF-CBC + HMAC-SHA1.)

-Steffan
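A small model of the per-packet overhead figures tallied in the reply above, and of the small-packet objection raised against them, as an added example; it is not code from the thread or from the OpenVPN project, and the mode names in it are labels chosen for the example rather than OpenVPN option values.

```python
"""Per-packet overhead model for OpenVPN UDP data-channel modes.

Added example built from the byte counts in the thread, not OpenVPN code.
It follows the thread's accounting: IP + UDP + the crypto fields, with CBC
padding taken as the average half block; OpenVPN's own data-channel header
bytes are left out, as they are in the thread.
"""

IP_HDR = 20   # IPv4 header
UDP_HDR = 8   # UDP header

# Bytes each mode adds on top of IP + UDP, as tallied in the thread.
# Mode names are labels for this example, not OpenVPN option values.
CRYPTO_OVERHEAD = {
    "none": 0,                             # cipher none, auth none
    "bf-cbc-noiv": 4,                      # BF-CBC, --no-iv: avg padding, 8-byte blocks
    "aes-cbc-noiv": 8,                     # AES-CBC, --no-iv: avg padding, 16-byte blocks
    "aes-gcm": 4 + 16,                     # AES-128/256-GCM: IV + tag
    "aes-cbc-hmac-sha1": 16 + 4 + 8 + 20,  # IV + packet id + avg padding + HMAC-SHA1
    "bf-cbc-hmac-sha1": 8 + 4 + 4 + 20,    # IV + packet id + avg padding + HMAC-SHA1
}

def overhead_bytes(mode: str) -> int:
    """Average bytes on the wire per packet beyond the tunnelled payload."""
    return IP_HDR + UDP_HDR + CRYPTO_OVERHEAD[mode]

def wire_efficiency(mode: str, payload: int) -> float:
    """Fraction of each datagram that is tunnelled payload rather than overhead."""
    if payload <= 0:
        raise ValueError("payload must be positive")
    return payload / (payload + overhead_bytes(mode))

def relative_cost(mode: str, baseline: str, payload: int) -> float:
    """Extra bytes of `mode` over `baseline`, as a fraction of the payload.

    This is the number the two replies disagree about: the same 12 bytes are
    negligible next to a 1400-byte packet and a quarter of a 50-byte one.
    """
    if payload <= 0:
        raise ValueError("payload must be positive")
    return (overhead_bytes(mode) - overhead_bytes(baseline)) / payload

if __name__ == "__main__":
    for size in (40, 60, 1400):  # the thread's small packets, plus a full-size one
        for mode in CRYPTO_OVERHEAD:
            print(f"{size:5d}B {mode:18s} efficiency {wire_efficiency(mode, size):6.1%}")
        extra = relative_cost("aes-gcm", "aes-cbc-noiv", size)
        print(f"  AES-GCM over AES-CBC/no-iv: +{extra:.1%} of payload")
```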



Re: [Openvpn-users] VPN without encryption and auth

2017-08-06 Thread David Sommerseth
On 06/08/17 10:35, Yevgeny Kosarzhevsky wrote:
> OpenVPN without encryption or with weak encryption using '--auth none
> --no-iv --no-replay' is still a great tool for tunneling traffic over the
> UDP protocol.

Fair enough, I've learnt that there are some scenarios which can benefit
from this.

> IPIP, L2TP or other known tunneling solutions may be blocked
> in certain countries. This is the reason I would vote to keep the no-iv
> option in the upcoming 2.5 release.

The --no-iv option will be removed in v2.5.  That is not up for
discussion, and in accordance with recommendation by *two recent
security audits*.

Perhaps it is much more advisable to look at similar other projects to
do insecure virtual networking (unencrypted tunnels).  After all, the P
in VPN is about "Private" - and OpenVPN is first and foremost a VPN
solution - which depends heavily on the P.  We cannot sacrifice the
security aspect purely on the cost of convenience.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc


Re: [Openvpn-users] VPN without encryption and auth

2017-08-06 Thread Abi Askushi
I would suggest keeping auth enabled while having cipher none, to avoid
DoS attacks.

On Aug 6, 2017 11:35, "Yevgeny Kosarzhevsky" wrote:

>
>
> On 2 August 2017 at 20:37, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
>
>>
>> Configuring OpenVPN without encryption is a peculiar use case I've
>> seldom quite understood, except if you're doing some research on various
>> crypto or network related scenarios.
>
>
> OpenVPN without encryption or with weak encryption using '--auth none
> --no-iv --no-replay' is still a great tool for tunneling traffic over the
> UDP protocol. IPIP, L2TP or other known tunneling solutions may be blocked in
> certain countries. This is the reason I would vote to keep the no-iv option
> in the upcoming 2.5 release.
>
> --
> Regards,
> Yevgeny
>


Re: [Openvpn-users] VPN without encryption and auth

2017-08-06 Thread Yevgeny Kosarzhevsky
On 2 August 2017 at 20:37, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

>
> Configuring OpenVPN without encryption is a peculiar use case I've
> seldom quite understood, except if you're doing some research on various
> crypto or network related scenarios.


OpenVPN without encryption or with weak encryption using '--auth none
--no-iv --no-replay' is still a great tool for tunneling traffic over the
UDP protocol. IPIP, L2TP or other known tunneling solutions may be blocked in
certain countries. This is the reason I would vote to keep the no-iv option
in the upcoming 2.5 release.

-- 
Regards,
Yevgeny


Re: [Openvpn-users] VPN without encryption and auth

2017-08-05 Thread Abi Askushi
Thanx all for your feedback.

On Aug 2, 2017 15:57, "Gert Doering" wrote:

> Hi,
>
> On Wed, Aug 02, 2017 at 02:37:00PM +0200, David Sommerseth wrote:
> > To me, it sounds more like you just need an IPIP tunnel.  Something
> > which shouldn't be too hard to achieve with iproute2, which would then
> > give the least overhead.
>
> "ipip tunnel with user authentication, so the client side IP can vary
> without having to reconfigure anything" is, basically, what OpenVPN
> with --encryption none will give you...
>
> So I can see the use case :-) - people used to do that with PPTP or
> L2TP, and especially the latter is fairly complicated to set up under
> Linux.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
>


Re: [Openvpn-users] VPN without encryption and auth

2017-08-02 Thread Gert Doering
Hi,

On Wed, Aug 02, 2017 at 02:37:00PM +0200, David Sommerseth wrote:
> To me, it sounds more like you just need an IPIP tunnel.  Something
> which shouldn't be too hard to achieve with iproute2, which would then
> give the least overhead.

"ipip tunnel with user authentication, so the client side IP can vary
without having to reconfigure anything" is, basically, what OpenVPN
with --encryption none will give you...

So I can see the use case :-) - people used to do that with PPTP or
L2TP, and especially the latter is fairly complicated to set up under
Linux.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de


Re: [Openvpn-users] VPN without encryption and auth

2017-08-02 Thread J.Witvliet
Disabling all of that?
You might as well simply use GRE, ip4-in-ip4.
See LARTC.

From: Abi Askushi [mailto:rightkickt...@gmail.com]
Sent: Wednesday 2 August 2017 13:42
To: openvpn users list (openvpn-users@lists.sourceforge.net)
Subject: [Openvpn-users] VPN without encryption and auth

Hi All,
I am considering setting up OpenVPN without encryption and packet authorization,
as a way to lower the VPN overhead, by using the following directives:
cipher none
auth none
Apart from having the tunneled traffic in the clear, since now it will not be
encrypted, what other implications are there for going like this?

My main concern for this setup is not the encryption, but low overhead.
FYI, when testing a standard VPN setup, with AES-128-CBC cipher and auth enabled,
+ lzo compression, I was receiving 14 - 18% VPN overhead on top of the total UDP
traffic observed on the WAN. When disabling encryption and auth, I received 6%
overhead.
Thanx in advance for your feedback.


This message may contain information that is not intended for you. If you are 
not the addressee or if this message was sent to you by mistake, you are 
requested to inform the sender and delete the message. The State accepts no 
liability for damage of any kind resulting from the risks inherent in the 
electronic transmission of messages.


Re: [Openvpn-users] VPN without encryption and auth

2017-08-02 Thread David Sommerseth
On 02/08/17 13:41, Abi Askushi wrote:
> Hi All,
> 
> I am considering setting up OpenVPN without encryption and packet
> authorization, as a way to lower the VPN overhead, by using the
> following directives:
> 
> cipher none
> auth none
> 
> Apart from having the tunneled traffic in the clear, since now it will
> not be encrypted, what other implications are there for going like this?
> 
> My main concern for this setup is not the encryption, but low overhead.
> 
> FYI, when testing a standard VPN setup, with AES-128-CBC cipher and auth
> enabled, + lzo compression, I was receiving 14 - 18% VPN overhead on top
> of the total UDP traffic observed on the WAN. When disabling encryption and
> auth, I received 6% overhead.
> 
> Thanx in advance for your feedback.

Configuring OpenVPN without encryption is a peculiar use case I've
seldom quite understood, except if you're doing some research on various
crypto or network related scenarios.  For production needs, there are far
better solutions.   It's almost like having an Aston Martin DB9 and not
wanting to turn on the engine because you want to let it roll downhill
on the road by itself.  Probably a fun experience, but is it useful?

To me, it sounds more like you just need an IPIP tunnel.  Something
which shouldn't be too hard to achieve with iproute2, which would then
give the least overhead.


--
kind regards,

David Sommerseth


Re: [Openvpn-users] VPN without encryption and auth

2017-08-02 Thread Abi Askushi
The first thought that comes to my mind as a negative implication is DoS
attacks against the VPN server when packet authorization is disabled.


On Wed, Aug 2, 2017 at 2:41 PM, Abi Askushi wrote:

> Hi All,
>
> I am considering setting up OpenVPN without encryption and packet
> authorization, as a way to lower the VPN overhead, by using the following
> directives:
>
> cipher none
> auth none
>
> Apart from having the tunneled traffic in the clear, since now it will not
> be encrypted, what other implications are there for going like this?
>
> My main concern for this setup is not the encryption, but low overhead.
>
> FYI, when testing a standard VPN setup, with AES-128-CBC cipher and auth
> enabled, + lzo compression, I was receiving 14 - 18% VPN overhead on top
> of the total UDP traffic observed on the WAN. When disabling encryption and
> auth, I received 6% overhead.
>
> Thanx in advance for your feedback.
>
>