Patch to apply QoS for DTLS
David Woodhouse
dwmw2 at infradead.org
Wed Aug 12 04:53:43 PDT 2015
On Wed, 2015-08-12 at 13:45 +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, Aug 12, 2015 at 1:09 PM, Ralph Schmieder
> <ralph.schmieder at gmail.com> wrote:
> > I've created this little patch that copies the original ToS field
> to
> > the encapsulated UDP packets. This helps with VoIP applications to
> > mark the encrypted packets accordingly. Works for me, tested using
> > DTLS against ASA headends. YMMV etc.
>
> That can be seen as a vulnerability too. There will be more
> information available in the wire for an adversary. Not only the size
> of the packets, but also their type of service. Wouldn't it be better
> if that was set using an option?
It's not entirely clear that the attacker couldn't *already* have
worked out that you were using VoIP. I'm not sure there's a real
vulnerability here, but I have no objection to making it optional. I
might prefer it default-on though.
However, it *definitely* needs to be made dependant on a configure-time
check for IP_TOS (and IPV6_TCLASS), so it doesn't break on lots of non
-Linux systems. And it also needs to stop assuming that *everyone* is
stuck in the 20th century and using only Legacy IP. It needs to cope
with the case where IPv6 is being transported within the tunnel, *and*
the case where the connection to the VPN server is IPv6. And both.
Other than that though, it does look like a good idea. Thanks Ralph.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20150812/15b237ef/attachment.bin>
More information about the openconnect-devel
mailing list