Attention is currently required from: ralf_lici. plaisthos has posted comments on this change by ralf_lici. ( http://gerrit.openvpn.net/c/openvpn/+/1479?usp=email )
Change subject: dco: ignore key transition window logic
......................................................................

Patch Set 1: Code-Review-2

(1 comment)

Patchset:

PS1:
> Although the DCO part
> of this mechanism is set up in userspace, none of the drivers actually
> implements it in the kernel.

We implement this with secondary and primary key for the kernel as well. OpenVPN assumes that the primary key is always used for encryption and that the secondary key can be used for decryption.

Currently dco_update_keys also installs the new negotiated key first as secondary key and then only when it becomes the primary key we call dco_swap_keys. Which we do after the transition period. So we basically have this transition period in user space.

Which part of that is not implemented in kernel space? Is secondary ignored or what? The commit is missing what part exactly is not implemented in the DCO drivers here.

If you ignore the period and switch to the new key as soon as you get it, you get packet loss as there is no way around a packet loss unless you have a transition period where both keys are active for decryption.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1479?usp=email

Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3d506725e69c09a9c77d6a9ba71a00e112e7abb6
Gerrit-Change-Number: 1479
Gerrit-PatchSet: 1
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: ralf_lici <[email protected]>
Gerrit-Comment-Date: Mon, 19 Jan 2026 19:13:22 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
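The packet-loss argument in the review comment above, as a simplified model added here (not OpenVPN or DCO driver code): two peers each hold a primary and a secondary key slot, and they obtain the new key a few ticks apart. The names install_secondary, swap_keys and simulate_loss, the tick timings, the handshake skew and the zero-latency link are assumptions made for illustration.

```c
#include <stdio.h>

#define NO_KEY (-1)

/* Hypothetical two-slot key state; a simplified model, not OpenVPN's structures. */
struct peer { int primary; int secondary; };

/* A newly negotiated key first goes into the decrypt-only (secondary) slot. */
static void install_secondary(struct peer *p, int key_id) { p->secondary = key_id; }

/* Promote the new key to primary; the old key stays usable for decryption. */
static void swap_keys(struct peer *p)
{
    int old = p->primary;
    p->primary = p->secondary;
    p->secondary = old;
}

/* A packet is accepted if its key id sits in either slot. */
static int can_decrypt(const struct peer *p, int key_id)
{
    return key_id != NO_KEY && (key_id == p->primary || key_id == p->secondary);
}

/* Send one packet per tick from A to B (constructed scenario, zero latency).
 * A has the new key at tick a_ready, B at tick b_ready (assumed handshake skew).
 * Each peer promotes the new key `window` ticks after installing it.
 * Returns how many packets B could not decrypt. */
int simulate_loss(int ticks, int a_ready, int b_ready, int window)
{
    struct peer a = { 0, NO_KEY }, b = { 0, NO_KEY };  /* key 0 = old, key 1 = new */
    int lost = 0;
    for (int t = 0; t < ticks; t++) {
        if (t == a_ready) install_secondary(&a, 1);
        if (t == b_ready) install_secondary(&b, 1);
        if (t == a_ready + window) swap_keys(&a);
        if (t == b_ready + window) swap_keys(&b);
        /* The sender always encrypts with its primary key. */
        if (!can_decrypt(&b, a.primary)) lost++;
    }
    return lost;
}

int main(void)
{
    printf("window 0: %d lost\n", simulate_loss(20, 5, 8, 0));
    printf("window 2: %d lost\n", simulate_loss(20, 5, 8, 2));
    printf("window 5: %d lost\n", simulate_loss(20, 5, 8, 5));
    return 0;
}
```

In this model loss disappears once the window is at least as long as the skew between the peers, because the receiver already holds the new key in its secondary slot when the sender starts encrypting with it.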
