On Thu, Apr 8, 2021 at 10:10 AM David Woodhouse <[email protected]> wrote:
> On Thu, 2021-04-08 at 09:42 -0700, Daniel Lenski wrote:
> > On Thu, Apr 8, 2021 at 7:37 AM David Woodhouse <[email protected]> wrote:
> > > If we do need a header larger than 4 bytes, then we are forced to do
> > > things properly by adding support in the kernel driver instead of just
> > > abusing the existing header while we know the kernel isn't looking at
> > > it.
> >
> > This is probably too much "inside baseball" for the non-(OpenConnect
> > developers) here, but I *have* confirmed that the PPP-over-DTLS
> > encapsulation is identical to the PPP-over-TLS encapsulation for the 2
> > PPP-based protocols that we support already. Both F5 and Fortinet
> > essentially opted for the thinnest veneer of UDP-ization possible for
> > their protocols.
>
> Ok, so that's the PPP header plus either 6 bytes for Fortinet or 4
> bytes for F5? The important part for the purpose of this conversation
> is "more than four".

Correct. We need >4 bytes to support PPP-over-DTLS headers without copying.

And we will undoubtedly find more examples in the ongoing quest to
make OpenConnect serve as The One Client For Your Crappy Proprietary
Corporate VPN to Rule Them All.
