From patchwork Wed Jul 15 12:30:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Sommerseth X-Patchwork-Id: 1263 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id cKJ+NyeED1+BTAAAIUCqbw for ; Wed, 15 Jul 2020 18:33:11 -0400 Received: from proxy10.mail.iad3b.rsapps.net ([172.31.255.6]) by director7.mail.ord1d.rsapps.net with LMTP id OB/YNCeED1+SPwAAovjBpQ ; Wed, 15 Jul 2020 18:33:11 -0400 Received: from smtp22.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy10.mail.iad3b.rsapps.net with LMTP id uMIALyeED1/XYQAA/F5p9A ; Wed, 15 Jul 2020 18:33:11 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp22.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=fail (p=none; dis=none) header.from=openvpn.net X-Suspicious-Flag: YES X-Classification-ID: 29cb4d74-c6eb-11ea-9895-52540041dff8-1-1 Received: from [216.105.38.7] ([216.105.38.7:41688] helo=lists.sourceforge.net) by smtp22.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 44/52-08137-7248F0F5; Wed, 15 Jul 2020 18:33:11 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jvpww-0001cd-NY; Wed, 15 Jul 2020 22:32:26 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvpwu-0001cJ-W4 for openvpn-devel@lists.sourceforge.net; Wed, 15 Jul 2020 22:32:24 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=dBc3oGYvPQCEIO8YZcMjZIAp01bV5P40sHjnDmVRLts=; b=foBpPzTelDmPvDMeSKnPm4GD4U vk/XHAzPHBdUJFJ10wf72s2ZZvqk5ixZMcuC2CzWEVV6GXbEnBMTraZEPcEN7Sdtyd83s0S2N6K2s VU1K3+bUa6W0U/ZpstfYVSo5fT/bqD9iKEgB/b8OdI0PZfmCsOz76Mki9Ld9rZFUIqtI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=dBc3oGYvPQCEIO8YZcMjZIAp01bV5P40sHjnDmVRLts=; b=WHBDbzdRLx22ANmobTx35Nf9mI laQuhVTo1AxsTznv9WHpzi9EzEamsk2byRV4k2q3GWjbq2AUtW6GEwY3/e4muycTCJzI7sntsX/Lc 8ef4AwmuDPnAaoHoROrgKrSatH9IljWrKKY7SFDUUmQrgoGGaHS14ivyoUJrfxPYVlt8=; Received: from mx0.basenordic.cloud ([185.212.44.139]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jvpwt-0021IG-Hq for openvpn-devel@lists.sourceforge.net; Wed, 15 Jul 2020 22:32:24 +0000 Received: from localhost (unknown [IPv6:::1]) by mx0.basenordic.cloud (Postfix) with ESMTP id 2857382F9FB for ; Wed, 15 Jul 2020 22:32:10 +0000 (UTC) Received: from mx0.basenordic.cloud ([IPv6:::1]) by localhost (winterfell.topphemmelig.net [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id hebD2r0mylRg for ; Thu, 16 Jul 2020 00:32:08 +0200 (CEST) Received: from zimbra.sommerseth.email (zimbra.sommerseth.email [172.16.33.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx0.basenordic.cloud (Postfix) with ESMTPS id 61C3C8608E7 for ; Thu, 16 Jul 2020 00:31:57 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by zimbra.sommerseth.email (Postfix) with ESMTP id 84F8F400F0CC for ; Thu, 16 Jul 2020 00:31:55 +0200 (CEST) Received: from zimbra.sommerseth.email ([127.0.0.1]) by localhost (zimbra.sommerseth.email [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id vC_bYFpGIA7I for ; Thu, 16 Jul 2020 00:31:55 +0200 (CEST) Received: from optimus.homebase.sommerseths.net (unknown [10.35.7.3]) by zimbra.sommerseth.email (Postfix) with ESMTPS id 79F27400F0DB for ; Thu, 16 Jul 2020 00:30:55 +0200 (CEST) From: David Sommerseth To: openvpn-devel@lists.sourceforge.net Date: Thu, 16 Jul 2020 00:30:10 +0200 Message-Id: <20200715223013.11726-14-davids@openvpn.net> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200715223013.11726-1-davids@openvpn.net> References: <20200715223013.11726-1-davids@openvpn.net> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1jvpwt-0021IG-Hq Subject: [Openvpn-devel] [PATCH 13/16] doc/man: Adopt compression documentation X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Commit c67e93b25208be2 updated the man page in reagrds to new compression options and improving existing compression options. This adopts those changes into the .rst format. Signed-off-by: David Sommerseth --- doc/man-sections/protocol-options.rst | 52 ++++++++++++++++++++++----- 1 file changed, 43 insertions(+), 9 deletions(-) diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index a5a1253a..d7bcbb98 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -5,6 +5,31 @@ protocol. Many of these options also define the encryption options of the data channel in the OpenVPN wire protocol. These options must be configured in a compatible way between both the local and remote side. +--allow-compression mode + As described in the ``--compress`` option, compression is a potentially + dangerous option. This option allows controlling the behaviour of + OpenVPN when compression is used and allowed. + + Valid syntaxes: + :: + + allow-compression + allow-compression mode + + The ``mode`` argument can be one of the following values: + + :code:`asym` (default) + OpenVPN will only *decompress downlink packets* but *not compress + uplink packets*. This also allows migrating to disable compression + when changing both server and client configurations to remove + compression at the same time is not a feasible option. + + :code:`no` + OpenVPN will refuse any non-stub compression. + + :code:`yes` + OpenVPN will send and receive compressed packets. + --auth alg Authenticate data channel packets and (if enabled) ``tls-auth`` control channel packets with HMAC using message digest algorithm ``alg``. (The @@ -58,23 +83,32 @@ configured in a compatible way between both the local and remote side. not recommended. VPN tunnels which use compression are susceptible to the VORALCE attack vector. - The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, or empty. + The ``algorithm`` parameter may be :code:`lzo`, :code:`lz4`, + :code:`lz4-v2`, :code:`stub`, :code:`stub-v2` or empty. LZO and LZ4 are different compression algorithms, with LZ4 generally offering the best performance with least CPU usage. - If the ``algorithm`` parameter is empty, compression will be turned off, - but the packet framing for compression will still be enabled, allowing a - different setting to be pushed later. + The :code:`lz4-v2` and :code:`stub-v2` variants implement a better + framing that does not add overhead when packets cannot be compressed. All + other variants always add one extra framing byte compared to no + compression framing. + + If the ``algorithm`` parameter is :code:`stub`, :code:`stub-v2` or empty, + compression will be turned off, but the packet framing for compression + will still be enabled, allowing a different setting to be pushed later. + Additionally, :code:`stub` and :code:`stub-v2` wil disable announcing + ``lzo`` and ``lz4`` compression support via *IV_* variables to the + server. ***Security Considerations*** Compression and encryption is a tricky combination. If an attacker knows - or is able to control (parts of) the plaintext of packets that contain + or is able to control (parts of) the plain-text of packets that contain secrets, the attacker might be able to extract the secret if compression - is enabled. See e.g. the CRIME and BREACH attacks on TLS which also - leverage compression to break encryption. If you are not entirely sure - that the above does not apply to your traffic, you are advised to - *not* enable compression. + is enabled. See e.g. the *CRIME* and *BREACH* attacks on TLS and + *VORACLE* on VPNs which also leverage to break encryption. If you are not + entirely sure that the above does not apply to your traffic, you are + advised to *not* enable compression. --comp-lzo mode **DEPRECATED** Enable LZO compression algorithm. Compression is