On Wed, 1 Sep 2021, [email protected] wrote:

Don't use compress=yes

... why (just being curious)? Is the compression not good enough to achieve
a real gain (even on low bandwidth lines)? Security issues? Misbehaved
implementation? Something else? And is it a bad idea only on the server
side, or did you just omit your comment in the client config?

There is always a security risk in using compression with encryption, as
it can lead to oracle attacks. It also complicates the IPsec state, by
adding a compress state on top of it, and then it compresses but if
compress doesn't produce a shorter result, uses the uncompressed version.
So for example "ipsec trafficstatus" would have two entries, one for
compressed and one for without.

Hardly anyone uses compression ever.

Also, we have a leak in that we don't delete the kernel compress state,
but that is fixable :P

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
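
The two points in the reply above (the per-packet fallback to the uncompressed payload, and the length side channel that compression adds under encryption) can be seen in a small model. This is an added example, not part of the original message and not libreswan code; it uses Python's zlib as a stand-in for the IPComp compressor, and the packet contents, `ESP_OVERHEAD` and all function names are constructed assumptions.

```python
import hashlib
import zlib

# Assumed constant per-packet encryption overhead (header, IV, ICV).
# Encryption hides content but not length, so an observer sees len + constant.
ESP_OVERHEAD = 36

def compress_or_fallback(payload):
    """Model of the behaviour described in the reply: try raw DEFLATE and
    keep the original payload when compression does not make it shorter."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    out = c.compress(payload) + c.flush()
    if len(out) < len(payload):
        return out, True      # would be counted under the compress state
    return payload, False     # would be counted under the plain state

def wire_length(payload):
    """Length visible on the wire after encryption, plus the path taken."""
    body, compressed = compress_or_fallback(payload)
    return len(body) + ESP_OVERHEAD, compressed

# Constructed sample data: a secret header value and a request in which
# part of the plaintext is chosen by someone who does not know the secret.
SECRET = b"sessionid=7f3a9c0e51d24b68"

def request(influenced):
    return (b"GET /?q=" + influenced + b" HTTP/1.1\r\nCookie: "
            + SECRET + b"\r\n")

SAME = request(b"sessionid=7f3a9c0e51d24b68")   # repeats the secret
OTHER = request(b"sessionid=Qz8Lw1Xn5Rk2Vb6T")  # same length, different value

# Constructed incompressible payload (hash output looks random to DEFLATE).
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(6))

if __name__ == "__main__":
    for name, p in (("same", SAME), ("other", OTHER), ("noise", NOISE)):
        length, compressed = wire_length(p)
        print(name, "plaintext", len(p), "wire", length,
              "compressed" if compressed else "uncompressed fallback")
```

The two requests have identical plaintext length, yet the one that repeats the secret is shorter on the wire, which is the information an oracle attack relies on; with compression disabled both would have the same wire length.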
