It seems this thread was marked as spam and caught in filters. I have some reading to do as 5 emails are "new to me". Will catch up and reply back. Thanks for the replies and help.
Brendan

On Wed, Sep 1, 2021, 7:42 AM brendan kearney <[email protected]> wrote:

> I commented out the compress directive on both server and client, and
> restarted services. The same behavior persists.
>
> On Wed, Sep 1, 2021, 4:49 AM Paul Wouters <[email protected]> wrote:
>
>> On Wed, 1 Sep 2021, [email protected] wrote:
>>
>> >> Don't use compress=yes
>> >
>> > ... why (just being curious)? Is the compression not good enough to achieve
>> > a real gain (even on low bandwidth lines)? Security issues? Misbehaved
>> > implementation? Something else? And is it a bad idea only on the server
>> > side, or did you just omit your comment in the client config?
>>
>> There is always a security risk on using compressing with encryption, as
>> it can lead to oracle attacks. It also complicates the IPsec state, by
>> adding a compress state on top of it, and then it compresses but if
>> compress doesn't produce shorter result, uses the uncompressed version.
>> So for example "ipsec trafficstatus" would have two entries, one for
>> compressed and one for without.
>>
>> Hardly anyone uses compression ever.
>>
>> Also, we have a leak in that we don't delete the kernel compress state,
>> but that is fixable :P
>>
>> Paul
>> _______________________________________________
>> Swan mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
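Added example, not part of the original thread and not libreswan code: a small Python model of the compress-then-fall-back behaviour described in the quoted reply, showing that two equal-length payloads leave the tunnel at different sizes and are counted under two separate states. The 4-byte header constant, the function names and the sample payloads are assumptions made for this illustration, and encryption is modelled as length-preserving.

```python
import random
import zlib

IPCOMP_HEADER_LEN = 4  # assumption: size of the compression header added to a compressed packet


def ipcomp_like(payload: bytes):
    """Compress with raw DEFLATE; keep the original if compression does not shorten it."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib wrapper
    deflated = comp.compress(payload) + comp.flush()
    if len(deflated) + IPCOMP_HEADER_LEN < len(payload):
        return True, deflated
    return False, payload


def wire_length(payload: bytes) -> int:
    """Size visible on the wire; encrypting afterwards does not hide it."""
    compressed, body = ipcomp_like(payload)
    return len(body) + (IPCOMP_HEADER_LEN if compressed else 0)


def traffic_split(payloads):
    """Count packets per path, mirroring the two entries mentioned in the reply."""
    counts = {"compressed": 0, "uncompressed": 0}
    for p in payloads:
        compressed, _ = ipcomp_like(p)
        counts["compressed" if compressed else "uncompressed"] += 1
    return counts


# Constructed sample payloads, both exactly 512 bytes long.
REPETITIVE = (b"GET /index.html HTTP/1.1\r\n" * 20)[:512]
_rng = random.Random(1)  # fixed seed so the example is reproducible
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(512))

if __name__ == "__main__":
    for name, p in (("repetitive", REPETITIVE), ("high-entropy", HIGH_ENTROPY)):
        print(f"{name:13s} plaintext={len(p)} wire={wire_length(p)}")
    print(traffic_split([REPETITIVE, HIGH_ENTROPY, REPETITIVE]))
```

With compression disabled, both payloads would leave at the same size, so the packet length would no longer depend on their content.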
