Hi,

On Thu, Apr 08, 2021 at 05:30:52PM +0200, Jan Just Keijser wrote:
> I don't have any evidence with 2.5 right now but this is just a matter 
> of use/principle to me: I can very well see that I would like to have a 
> setup *without* NCP as I simply do not need it (e.g. my cipher is 
> hardwired to aes-256-gcm) and in that case I don't *want* NCP to ensure
> my setup is 100% predictable.

By setting "--data-ciphers AES-256-GCM" on the client side, you achieve
a 100% predictable outcome.  No other cipher will be offered or accepted.

> Disabling this option means you give me less control over the setup and 
> I don't like that, thus Feature-NAK.

Removing that option means "less confusing code variants that can lead
to 'it works with NCP but not with NCP disabled'".

Since I test all these variants, and find the confusing corner cases, it
would be good to have fewer code paths throughout OpenVPN, especially
in the server option negotiation and key setup phases.


> I'd say that removing the ability to disable NCP can happen *only* when
> all negative side-effects of enabling it have been mitigated fully.  On 
> a slow link the NCP overhead can be quite disastrous and not just during 
> connection setup, but during the *whole* session. To me, yet another 
> reason for Feature-NAK

The overhead of NCP is roughly "some 100 bytes sent extra from client to
server in the TLS handshake phase" (to announce the acceptable ciphers)
and "cipher xxx" in the PUSH_REPLY.

There is no overhead in the data phase.

Please explain how this can be "quite disastrous"?


(Of course, if NCP negotiates a cipher with more overhead than you'd
like to use, that would be "more overhead" - but this is fully under 
the client's control with --data-ciphers.  It even works with "none",
provided both client and server permit this)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
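The exchange Gert describes, as an added model that is not OpenVPN's code: the client announces its --data-ciphers list as an IV_CIPHERS peer-info line during the TLS phase, the server answers with "cipher xxx" in PUSH_REPLY, and the only bytes NCP adds are those two strings. The cipher lists are constructed sample values; modelling the server's choice as "first entry of the server list that the client also offers" is an assumption, not something the mail states.

```python
from typing import List, Optional, Tuple

IV_PREFIX = "IV_CIPHERS="


def peer_info_line(client_ciphers: List[str]) -> str:
    """Client -> server, TLS handshake: the offered data ciphers, colon separated."""
    return IV_PREFIX + ":".join(client_ciphers)


def parse_iv_ciphers(peer_info: str) -> List[str]:
    """Server side: recover the client's offered list from the peer-info text."""
    for line in peer_info.splitlines():
        if line.startswith(IV_PREFIX):
            return [c for c in line[len(IV_PREFIX):].split(":") if c]
    return []


def negotiate(server_ciphers: List[str], offered: List[str]) -> Optional[str]:
    """Pick a cipher both sides allow (assumed: server list order decides).

    "none" is treated like any other entry, so it is only chosen when both
    the server and the client list it, as the mail says."""
    offered_set = set(offered)
    for cipher in server_ciphers:
        if cipher in offered_set:
            return cipher
    return None  # no common cipher: the server cannot push one


def run_handshake(server_ciphers: List[str],
                  client_ciphers: List[str]) -> Tuple[Optional[str], int]:
    """Both sides of the NCP exchange.

    Returns (negotiated cipher or None, bytes NCP added to the control channel).
    Nothing is added to data-channel packets: the count is a one-time cost."""
    peer_info = peer_info_line(client_ciphers)            # client -> server
    cipher = negotiate(server_ciphers, parse_iv_ciphers(peer_info))
    if cipher is None:
        return None, len(peer_info)
    push_option = "cipher " + cipher                      # server -> client
    push_reply = "PUSH_REPLY," + push_option              # constructed sample reply
    assert push_reply.split(",", 1)[1] == push_option
    return cipher, len(peer_info) + len(push_option)


if __name__ == "__main__":
    server = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]
    print(run_handshake(server, ["AES-256-GCM"]))         # pinned client: predictable
    print(run_handshake(server, server))                  # full list: ~70 bytes, once
```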


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
