On Sat, 2015-10-17 at 17:34 +0200, Ralph Schmieder wrote:
> > On Fri, 2015-08-14 at 18:59 +0200, Ralph Schmieder wrote:
> > > Here we go again. Thanks for the comments, hope that I got
> > > everything right. For getting the TCLASS I could have used the
> > > word instead of the longword, too. But I guess there's no penalty
> > > for doing it this way, or is there? And it could use some testing
> > > beyond the simple IPv4 in IPv4 use case of mine :)
> >
> > Thanks again for working on this, and apologies again for the
> > delay.
> >
> > I'm still slightly nervous about the whole concept - we are
> > deliberately leaking information from the inner packet into the
> > outer packet. So people will be able to *see* that we're doing VoIP
> > traffic.... which in practice they could have inferred quite
> > trivially from the packet size and regularity anyway.
> >
> > But now I look harder, I see that OpenVPN does already have this
> > facility, at least for Legacy IP, with the --passtos option. It's
> > disabled by default though, and I wonder if we should do the same.
> > And make the option have the same name too?
>
> changed the option to --passtos and given the name it's therefore
> also disabled by default

This patch will currently modify the packets from the client to server
only. Wouldn't it be more efficient if that included a header to server
(e.g., X-DTLS-PassTOS = true), so that these packets include the tos as
well? That of course would only work with ocserv.

regards,
Nikos
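
For readers following the thread, an added example (not the patch under discussion and not project code) of reading the TOS byte of an inner IPv4 packet and the traffic class of an inner IPv6 packet, via both the 32-bit longword and the 16-bit word mentioned above, with the copy to the outer packet gated by an opt-in flag. All function names are hypothetical; applying the value to the outer socket is not shown.

```c
#include <stddef.h>
#include <stdint.h>

/* Return the TOS (IPv4) or traffic class (IPv6) byte of an inner packet,
 * or -1 if the buffer is too short or is not an IP packet. */
int inner_tos(const uint8_t *pkt, size_t len)
{
    if (len < 1)
        return -1;
    switch (pkt[0] >> 4) {
    case 4:
        /* IPv4: TOS is the second header byte; require a minimal header. */
        if (len < 20)
            return -1;
        return pkt[1];
    case 6: {
        /* IPv6: version(4) | traffic class(8) | flow label(20) share the
         * first 32-bit word, so TCLASS is bits 20..27 of that longword. */
        uint32_t w;
        if (len < 40)
            return -1;
        w = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
            ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
        return (int)((w >> 20) & 0xff);
    }
    default:
        return -1;
    }
}

/* The same IPv6 field read from the first 16-bit word only: the two
 * leading bytes already contain all eight traffic class bits. */
int tclass_from_word(const uint8_t *pkt)
{
    uint16_t w = (uint16_t)(((unsigned)pkt[0] << 8) | pkt[1]);
    return (w >> 4) & 0xff;
}

/* Value for the outer packet. With the option off (the default), nothing
 * from the inner header is exposed and the outer TOS stays 0. */
int outer_tos(int passtos_enabled, const uint8_t *pkt, size_t len)
{
    int tos = passtos_enabled ? inner_tos(pkt, len) : -1;
    return tos < 0 ? 0 : tos;
}
```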