[GIT PULL V4] JNI bindings for libopenconnect

Woodhouse, David david.woodhouse at intel.com
Tue Jan 21 11:34:35 EST 2014


On Tue, 2014-01-21 at 08:02 -0800, Kevin Cernekee wrote:
> On Tue, Jan 21, 2014 at 2:47 AM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
> > I have not tried yet, but a question on that. On the CSTP reconnect is the
> > DTLS channel kept open or it is also re-opened? If it is kept opened then
> > the warnings you see are normal as ocserv handles the CSTP channel as
> > control and once discarded the DTLS channel is discarded as well.
> 
> The old behavior was to keep it open.  The new behavior is to
> close+reopen DTLS on CSTP reconnect.

Hm, is that necessary?

One of the reasons why a VPN should run over UDP instead of TCP is
because TCP connections stall when there's packet loss. So on a crappy
connection you *do* end up with CSTP reconnects due to aggressive DPD,
while the DTLS is still quite happily running.

I seem to recall that my testing, back when this was first implemented,
seemed to show that DTLS would happily keep going even while the CSTP
was reconnecting, with no loss of service.

Hm, wait a minute... doesn't cstp_reconnect() block? In which case I
*must* have just made up that previous recollection? The DTLS connection
did continue to work, but perhaps openconnect never actually made *use*
of that to provide seamless service?

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation