On 05/04/17 17:53, David Sommerseth wrote:
> On 05/04/17 16:42, debbie10t wrote:
>>
>> On 05/04/17 05:34, Simon Matter wrote:
>>>>> Hi,
>>>>>
>>>>> On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote:
>>>>>> Interesting to see that there is zero interest in this patch here.
>>>>>
>>>>> This is a misinterpretation.
>>>>>
>>>>
>>>> Hi Gert,
>>>>
>>>> Thanks for the explanation, I'll be patient then :)
>>>>
>>>> If it's preferred for the patch to keep it even simpler and compatible with the
>>>> current configs, it could be broken down to something like this in init.c:
>>>
>>> I've attached v2 now which works without any config change:
>>>
>>>   --reneg-sec n
>>>       Renegotiate data channel key after n seconds (default=3600).
>>>
>>>       Note that the effective value used here is a per session pseudo-
>>>       randomized 25% of n deducted from n. With the default value of
>>>       3600 this results in an effective per session value in the range
>>>       of 2701 ... 3600 seconds.
>>>
>>
>> A different approach could be like so:
>>
>>   --reneg-sec 3600
>>   --reneg-sec-1sttime-rand 1|0   (The name here for detail)
>
> Too complicated ;-)
>
>   --reneg-sec          # 60 minutes, with X % in randomness
>   --reneg-sec 1800     # 30 minutes, with X % in randomness
>   (X is what we figure is reasonable by default; between 10-25%)
>
>   --reneg-sec 3600 30  # 60 minutes, 30% randomness
>   --reneg-sec 1800 0   # 30 minutes, no randomness
>
> This won't break any configurations and gives full flexibility without
> adding new options (which we really try to avoid).
Oh, and in regards to the first-time/non-first-time .... if we decide for
such flexibility, that can be a flag after the randomness. For example

  --reneg-sec 3600 12 first-only

I am far from convinced if that should be configurable or not. But still,
this approach is still far better than introducing new options.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
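To make the two proposals in this thread concrete, here is an added example (not OpenVPN code, and not part of Simon's v2 patch or David's mail) that parses David's proposed `--reneg-sec <secs> [<percent>] [first-only]` syntax and derives the effective per-session interval. The deduction is modelled as `n - (r mod (n * pct / 100))`, which is an assumption chosen because it reproduces the "2701 ... 3600" range quoted for the v2 patch at 25%; the random value `r` is passed in by the caller (OpenVPN would draw it from its own PRNG), and the names `reneg_opt`, `reneg_opt_parse`, `reneg_effective_secs` and `reneg_eff_from_args` are hypothetical, not OpenVPN identifiers.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of "--reneg-sec <secs> [<percent>] [first-only]"
 * as proposed in the thread; this is example code, not OpenVPN's options.h. */
struct reneg_opt {
    int secs;        /* base renegotiation interval n */
    int rand_pct;    /* percent of n to randomise away; 0 = fixed interval */
    int first_only;  /* 1 = randomise only the first renegotiation of a session */
};

#define RENEG_DEFAULT_SECS 3600
#define RENEG_DEFAULT_PCT  25  /* assumption: thread suggests "between 10-25%" */

static int parse_nonneg_int(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v < 0 || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Parse the tokens following --reneg-sec. Returns 1 on success, 0 on error.
 * Old configs ("--reneg-sec 3600") keep working and get the default jitter. */
int reneg_opt_parse(int argc, const char **argv, struct reneg_opt *o)
{
    o->secs = RENEG_DEFAULT_SECS;
    o->rand_pct = RENEG_DEFAULT_PCT;
    o->first_only = 0;
    if (argc < 1 || argc > 3 || !parse_nonneg_int(argv[0], &o->secs))
        return 0;
    if (argc >= 2 && (!parse_nonneg_int(argv[1], &o->rand_pct) || o->rand_pct > 100))
        return 0;
    if (argc == 3) {
        if (strcmp(argv[2], "first-only") != 0)
            return 0;
        o->first_only = 1;
    }
    return 1;
}

/* Effective interval for one session: n minus (r mod window), where
 * window = n * pct / 100. r is caller-supplied randomness (assumption).
 * With n=3600, pct=25 the window is 900, so results span 2701..3600. */
int reneg_effective_secs(const struct reneg_opt *o, unsigned int r, int is_first)
{
    if (o->rand_pct == 0 || (o->first_only && !is_first))
        return o->secs;
    unsigned long long window = (unsigned long long)o->secs * o->rand_pct / 100ULL;
    if (window == 0)               /* tiny n: nothing to randomise */
        return o->secs;
    return o->secs - (int)(r % window);
}

/* Convenience wrapper: parse + compute in one call; -1 on parse error. */
int reneg_eff_from_args(int argc, const char **argv, unsigned int r, int is_first)
{
    struct reneg_opt o;
    if (!reneg_opt_parse(argc, argv, &o))
        return -1;
    return reneg_effective_secs(&o, r, is_first);
}

int main(void)
{
    const char *args[] = { "3600", "25" };
    struct reneg_opt o;
    if (!reneg_opt_parse(2, args, &o))
        return 1;
    /* Sweep r to show the achievable range for the v2 default. */
    int lo = o.secs, hi = 0;
    for (unsigned int r = 0; r < 2000; r++) {
        int e = reneg_effective_secs(&o, r, 1);
        if (e < lo) lo = e;
        if (e > hi) hi = e;
    }
    printf("--reneg-sec %d %d -> effective range %d ... %d seconds\n",
           o.secs, o.rand_pct, lo, hi);
    return 0;
}
```

Two things worth noting from the worked values: a `pct` of 0 has to short-circuit before the modulo (otherwise `r % 0` is undefined behaviour), and `first-only` is purely a policy flag on top of the same arithmetic, which is why it fits as a trailing token rather than as a separate option.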
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel