On Wed, 2015-08-12 at 13:45 +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, Aug 12, 2015 at 1:09 PM, Ralph Schmieder
> <ralph.schmieder at gmail.com> wrote:
> > I've created this little patch that copies the original ToS field to
> > the encapsulated UDP packets. This helps with VoIP applications to
> > mark the encrypted packets accordingly. Works for me, tested using
> > DTLS against ASA headends. YMMV etc.
>
> That can be seen as a vulnerability too. There will be more
> information available in the wire for an adversary. Not only the size
> of the packets, but also their type of service. Wouldn't it be better
> if that was set using an option?

It's not entirely clear that the attacker couldn't *already* have worked
out that you were using VoIP. I'm not sure there's a real vulnerability
here, but I have no objection to making it optional. I might prefer it
default-on though.

However, it *definitely* needs to be made dependent on a configure-time
check for IP_TOS (and IPV6_TCLASS), so it doesn't break on lots of
non-Linux systems.

And it also needs to stop assuming that *everyone* is stuck in the 20th
century and using only Legacy IP. It needs to cope with the case where
IPv6 is being transported within the tunnel, *and* the case where the
connection to the VPN server is IPv6. And both.

Other than that though, it does look like a good idea. Thanks Ralph.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
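As an added illustration of the two requirements David lists (not Ralph's patch and not OpenConnect code), the C below reads the traffic-class byte from the inner packet whether it is IPv4 or IPv6, then sets it on the outer UDP socket with IP_TOS or IPV6_TCLASS according to the outer connection's address family. The `#ifdef` guards stand in for what a configure-time check would provide on platforms that lack one of the options. The function names and the sample headers are constructed for this example.

```c
/* Added example: copy the inner packet's DSCP/ECN byte to the outer UDP
 * socket, handling IPv4 and IPv6 on both the inner and the outer side.
 * Not taken from the OpenConnect tree or from the patch under discussion. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Traffic-class byte of an inner IPv4 or IPv6 packet, or -1 if the buffer
 * is too short or the version nibble is neither 4 nor 6. */
int inner_traffic_class(const uint8_t *pkt, size_t len)
{
    if (len < 2)
        return -1;
    switch (pkt[0] >> 4) {
    case 4:
        /* IPv4: ToS (DSCP + ECN) is the whole second header byte. */
        return pkt[1];
    case 6:
        /* IPv6: Traffic Class is the low nibble of byte 0 followed by
         * the high nibble of byte 1; the rest of byte 1 is flow label. */
        return ((pkt[0] & 0x0f) << 4) | (pkt[1] >> 4);
    default:
        return -1;
    }
}

/* Apply the class to the outer socket. The option depends on the outer
 * address family, not on the inner packet. Where the platform has no
 * IP_TOS or IPV6_TCLASS, compile to a failing no-op rather than breaking
 * the build; a real configure script would set HAVE_* macros for this. */
int set_outer_traffic_class(int fd, int outer_family, int tclass)
{
    if (tclass < 0)
        return -1;
    switch (outer_family) {
    case AF_INET:
#ifdef IP_TOS
        return setsockopt(fd, IPPROTO_IP, IP_TOS, &tclass, sizeof(tclass));
#else
        return -1;
#endif
    case AF_INET6:
#ifdef IPV6_TCLASS
        return setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &tclass, sizeof(tclass));
#else
        return -1;
#endif
    default:
        return -1;
    }
}

/* Constructed sample headers (not captured traffic). Both carry DSCP EF
 * (46 << 2 = 0xb8) with ECN 0, so both should yield 0xb8. */
static const uint8_t sample_v4[20] = {
    0x45, 0xb8, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2 };
static const uint8_t sample_v6[40] = {
    0x6b, 0x80, 0x00, 0x00, 0x00, 0x08, 0x11, 0x40,
    0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2 };
/* Version nibble 0: neither IPv4 nor IPv6, must be rejected. */
static const uint8_t sample_garbage[2] = { 0x00, 0xff };

int main(void)
{
    /* Outer leg here is IPv4; swap AF_INET6 in for an IPv6 headend. */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    int tc = inner_traffic_class(sample_v6, sizeof sample_v6);
    int rc = set_outer_traffic_class(fd, AF_INET, tc);
    printf("inner IPv6 tclass 0x%02x -> outer IP_TOS %s\n",
           tc, rc == 0 ? "set" : "not set");
    close(fd);
    return rc == 0 ? 0 : 1;
}
```

Two practical caveats. First, the mapping is done per packet, because a voice flow and a bulk transfer share the same outer socket, so the option has to be re-set whenever the inner class changes (or the class handed to `sendmsg` via ancillary data instead). Second, on a dual-stack AF_INET6 socket talking to an IPv4-mapped peer, which of the two options the kernel honours is platform-specific; setting both is the conservative choice if that configuration matters.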