[Openvpn-devel] man: Clarify IV_HWADDR

Message ID	20210709131330.140347-1-openvpn@sf.lists.topphemmelig.net
State	Superseded
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> From: David Sommerseth <openvpn@sf.lists.topphemmelig.net> To: openvpn-devel@lists.sourceforge.net Date: Fri, 9 Jul 2021 15:13:30 +0200 Message-Id: <20210709131330.140347-1-openvpn@sf.lists.topphemmelig.net> MIME-Version: 1.0 NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid Subject: [Openvpn-devel] [PATCH] man: Clarify IV_HWADDR Precedence: list Cc: David Sommerseth <davids@openvpn.net> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel] man: Clarify IV_HWADDR \| expand [Openvpn-devel] man: Clarify IV_HWADDR

Message ID

20210709131330.140347-1-openvpn@sf.lists.topphemmelig.net

State

Superseded

Headers

From: David Sommerseth <openvpn@sf.lists.topphemmelig.net>
To: openvpn-devel@lists.sourceforge.net
Date: Fri,  9 Jul 2021 15:13:30 +0200
Message-Id: <20210709131330.140347-1-openvpn@sf.lists.topphemmelig.net>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH] man: Clarify IV_HWADDR
Precedence: list
Cc: David Sommerseth <davids@openvpn.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel] man: Clarify IV_HWADDR | expand

Commit Message

David Sommerseth July 9, 2021, 3:13 a.m. UTC

From: David Sommerseth <davids@openvpn.net>

The IV_HWADDR description was only partially correct, as there are more
implementations using other values than the MAC address of the default
gateway.

The intention of this value is to provide a unique identifier of the
client and on some platforms this is not possible to retrieve other than
to generate this information.

The 64 bytes limitation is an arbitrary value, it is not enforced by
OpenVPN 2.x.  But it was considered a good idea to at least have some
reasonable upper limit of how long this string can be, at least for
those implementing support for this information.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 doc/man-sections/server-options.rst | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Comments

Gert Doering July 9, 2021, 3:41 a.m. UTC | #1

Hi,

On Fri, Jul 09, 2021 at 03:13:30PM +0200, David Sommerseth wrote:
> From: David Sommerseth <davids@openvpn.net>
> 
> The IV_HWADDR description was only partially correct, as there are more
> implementations using other values than the MAC address of the default
> gateway.

Feature ACK, but this text is actually still factually wrong:

> +  :code:`IV_HWADDR=<string>`
> +        This is intended to be a unique and persistent ID of the client.
> +        The string value can be any readable ASCII string up to 64 bytes.
> +        OpenVPN 2.x and some other implementations use the MAC address of
> +        the client's default gateway. If this string is generated by the

It was never "the MAC address of the default gateway" (which would be
"the plastic router in the corner", and specifically depending on "which
network is this client in, right now?").

It is the MAC address of the *client* interface that is used to reach
the default gateway.

So maybe a better wording would be

"... use the MAC address of the client's interface used to reach the
default gateway."

(it's the client's interface MAC, not the gateway's MAC).

gert

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index 047f2270..b026ac7b 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -467,8 +467,13 @@  fast hardware. SSL/TLS authentication must be used in this mode.
   When ``--push-peer-info`` is enabled the additional information consists
   of the following data:
 
-  :code:`IV_HWADDR=<mac address>`
-        The MAC address of clients default gateway
+  :code:`IV_HWADDR=<string>`
+        This is intended to be a unique and persistent ID of the client.
+        The string value can be any readable ASCII string up to 64 bytes.
+        OpenVPN 2.x and some other implementations use the MAC address of
+        the client's default gateway. If this string is generated by the
+        client, it should be consistent and preserved across independent
+        session and preferably re-installations and upgrades.
 
   :code:`IV_SSL=<version string>`
         The ssl version used by the client, e.g.

[Openvpn-devel] man: Clarify IV_HWADDR

Commit Message

Comments

Patch