Re: [Openvpn-devel] [PATCH v11] Implement support for larger packet counter sizes

Tue, 10 Sep 2024 13:51:54 -0700 

Hi,
TL;DR: I don't think this should be merged yet. My primary concern is that we don't have any means to limit key usage to a safe value. I raised this concern back in December 2023: 

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27791.html


If we allow for packet counter of 64 bits, we would allow users to 
exceed the safe limits determined for AES-GCM in the context of TLS. As 
far as I can tell, we don't have a reason to allow for looser limits. So 
before this patch goes in, I really think we should discuss what those 
limits should be for OpenVPN *and* enforce them.



This might have been overlooked, because attention was drawn to my 
proposal to make the upper bits "implicit" in the same mail.


On 10-09-2024 18:34, Gert Doering wrote:

From: Arne Schwabe <a...@rfc2549.org>

With DCO and possible future hardware assisted OpenVPN acceleration we
are approaching the point where 32 bit IVs are not cutting it any more.


s/IVs/packet counters/. See my mail from Dec 2023.


To illustrate the problem, some back of the envelope math here:

If we want to keep the current 3600s renegotiation interval and have
a safety margin of 25% (when we trigger renegotiation) we have about
3.2 million packets (2*32 * 0.7) to work with. That translates to
about 835k packets per second.

With 1300 Byte packets that translates into 8-9 Gbit/s. That is far
from unrealistic any more. Current DCO implementations are already in
spitting distance to that or might even reach (for a single client
connection) that if you have extremely fast
single core performance CPU.

This introduces the 64bit packet counters for AEAD data channel
ciphers in TLS mode ciphers. No effort has been made to support
larger packet counters in any other scenario since those are all legacy.



Note that for AES-GCM, assuming limits similar to TLS, we likely won't 
be able to postpone key refresh for much longer than we currently do. 
For ChaCha-Poly we can, because of the larger auth tag.



So if we want to improve things for AES-GCM, we probably need other 
optimizations. I have some ideas, but was hoping to do some research and 
a write-up during the train ride to the hackathon, so we could discuss 
it further in Karlsruhe.


-Steffan


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to