On Wed, Aug 12, 2015 at 1:53 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> > I've created this little patch that copies the original ToS field to
>> > the encapsulated UDP packets. This helps with VoIP applications to
>> > mark the encrypted packets accordingly. Works for me, tested using
>> > DTLS against ASA headends. YMMV etc.
>> That can be seen as a vulnerability too. There will be more
>> information available in the wire for an adversary. Not only the size
>> of the packets, but also their type of service. Wouldn't it be better
>> if that was set using an option?
> It's not entirely clear that the attacker couldn't *already* have
> worked out that you were using VoIP. I'm not sure there's a real
> vulnerability here, but I have no objection to making it optional. I
> might prefer it default-on though.

Indeed it is trivial to detect VoIP. The fixed size of the packets and the 20ms (or 40ms) transmission rates allow for a very easy distinguisher even over encrypted packets. I'm mostly worried about non-VoIP protocols. E.g., could someone distinguish torrent downloading over the VPN vs. normal HTTP?

> However, it *definitely* needs to be made dependent on a configure-time
> check for IP_TOS (and IPV6_TCLASS), so it doesn't break on lots of
> non-Linux systems. And it also needs to stop assuming that *everyone* is
> stuck in the 20th century and using only Legacy IP. It needs to cope
> with the case where IPv6 is being transported within the tunnel, *and*
> the case where the connection to the VPN server is IPv6. And both.
> Other than that though, it does look like a good idea.

I agree with the good idea. I'm not sure whether having it on by default is good though.

regards,
Nikos
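An added illustration of the behaviour the thread debates, not the patch under review or OpenConnect's own code: it reads the inner packet's ToS or traffic class for both IPv4 and IPv6, applies it to the outer UDP socket only when an (assumed) copy_tos option is on, and compiles cleanly where IP_TOS or IPV6_TCLASS is missing. Function names and the sample headers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Constructed sample inner headers (first two octets suffice for ToS). */
static const uint8_t sample_v4[] = { 0x45, 0xb8 }; /* IPv4, ToS 0xb8 (DSCP EF) */
static const uint8_t sample_v6[] = { 0x6b, 0x80 }; /* IPv6, traffic class 0xb8 */

/* Return the inner packet's 8-bit ToS (IPv4) or Traffic Class (IPv6),
 * or -1 if the buffer is too short or the version nibble is unknown. */
int inner_tos(const uint8_t *pkt, size_t len)
{
    if (len < 2)
        return -1;
    switch (pkt[0] >> 4) {
    case 4: /* IPv4: ToS is the second octet of the header */
        return pkt[1];
    case 6: /* IPv6: traffic class spans low nibble of byte 0, high nibble of byte 1 */
        return ((pkt[0] & 0x0f) << 4) | (pkt[1] >> 4);
    default:
        return -1;
    }
}

/* Mark the outer socket with tos when copy_tos is enabled. With copy_tos
 * off the outer packets stay unmarked, so no ToS metadata leaves the
 * tunnel. Returns 0 on success or when disabled, -1 if the platform lacks
 * the option for that address family or setsockopt fails. */
int apply_outer_tos(int sock, int family, int tos, int copy_tos)
{
    if (!copy_tos || tos < 0)
        return 0;
    if (family == AF_INET) {
#ifdef IP_TOS
        return setsockopt(sock, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
#else
        return -1; /* configure-time check failed: no IP_TOS here */
#endif
    }
    if (family == AF_INET6) {
#ifdef IPV6_TCLASS
        return setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos));
#else
        return -1; /* no IPV6_TCLASS on this platform */
#endif
    }
    return -1;
}
```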