I've been using SPTPS (a.k.a ExperimentalProtocol) for a while now, but
I've only recently started looking into the details of the protocol
itself. I have some questions about the design:
- I am not sure what the thread model for SPTPS is when compared with
the legacy protocol. SPTPS is vastly more complex than the legacy
protocol (it adds a whole new handshake mechanism), and it's not clear
to me why it needs to be that complicated. According to the Security
page, the weakness of the legacy protocol are "Predictable IV" and
"Truncated MAC". I'm guessing SPTPS is not designed solely to address
these (relatively simple) issues.
- The way SPTPS is currently implemented in tinc, sending packets over
TCP is extremely inefficient because instead of using PACKET messages
like the legacy protocol does, it encapsulates the packet in a REQ_KEY
message (for backwards compatibility reasons, I guess). The problem is,
the packet contents are encoded using... base64. Now, I know that TCP
over TCP is not supposed to be very efficient in the first place, but a
40% encoding overhead seems excessive to say the least. More generally,
it's not clear to me why SPTPS even needs to be used to send packets
over metaconnections which are supposed to be trusted. Another
performance issue with SPTPS over TCP is that it requires an handshake
(which adds to initial communication latency), while the legacy PACKET
mechanism doesn't.
Thanks for taking the time to answer these questions.
--
Etienne Dechamps
_______________________________________________
tinc mailing list
[email protected]
http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
