Patch to apply QoS for DTLS
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Wed Aug 12 05:10:07 PDT 2015
On Wed, Aug 12, 2015 at 1:53 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> > I've created this little patch that copies the original ToS field
>> to
>> > the encapsulated UDP packets. This helps with VoIP applications to
>> > mark the encrypted packets accordingly. Works for me, tested using
>> > DTLS against ASA headends. YMMV etc.
>> That can be seen as a vulnerability too. There will be more
>> information available in the wire for an adversary. Not only the size
>> of the packets, but also their type of service. Wouldn't it be better
>> if that was set using an option?
> It's not entirely clear that the attacker couldn't *already* have
> worked out that you were using VoIP. I'm not sure there's a real
> vulnerability here, but I have no objection to making it optional. I
> might prefer it default-on though.
Indeed it is trivial to detect voip. The fixed size of the packets and
the 20ms (or 40ms)
transmission rates allow for a very easy distinguisher even over
encrypted packets. I'm
mostly worried for non-voip protocols. E.g., could someone distinguish torrent
downloading over the vpn vs normal http?
> However, it *definitely* needs to be made dependant on a configure-time
> check for IP_TOS (and IPV6_TCLASS), so it doesn't break on lots of non
> -Linux systems. And it also needs to stop assuming that *everyone* is
> stuck in the 20th century and using only Legacy IP. It needs to cope
> with the case where IPv6 is being transported within the tunnel, *and*
> the case where the connection to the VPN server is IPv6. And both.
> Other than that though, it does look like a good idea.
I agree with the good idea. I'm not sure whether having it on by
default is good though.
regards,
Nikos
More information about the openconnect-devel
mailing list