On 05/04/17 23:57, debbie10t wrote:
> Hi,
>
> On 05/04/17 22:39, David Sommerseth wrote:
>> On 05/04/17 23:13, debbie10t wrote:
>>> I don't believe there is any need to specify "max" because that would be
>>> --reneg-sec as is. Otherwise specify a smaller or larger --reneg-sec
>>
>> I think you, probably without being aware of it, are agreeing to what
>> the current proposal is:
>>
>> --reneg-sec max
>> A renegotiation happens within 'max' seconds, but with a 10%-ish
>> randomness
>
>
>> --reneg-sec min max
>> A renegotiation happens within 'min' and 'max' seconds, fully
>> controllable
>>
>> So using --reneg-sec 3600 3600, effectively removes the randomness.
>
> I understand the proposed methods ..
>
> Of the two above, I would be inclined toward option 2.
> eg: (for me) --reneg-sec 0 3600 is ideal.

We are not going to change the behaviour much of what is already
available today. So if we end up at 10% ... the new default will be:

   --reneg-sec 3240 3600

If you do --reneg-sec 1800, that will effectively become:

   --reneg-sec 1620 1800

If you want to have a larger time window, then you do what you say
above. Your "0 3600" will not become any default value. But you may
choose to use those values if you want to.

The key point is that --reneg-sec 1800 will work; thus not breaking any
configurations - this we will not deviate away from. This syntax just
calculates the "min" value automatically for you. If you provide both
"min" and "max" values, that's what ends up being used.

Currently, I don't see the need to make it more complicated than this.
And I don't think Gert nor Arne does either.

What will need to be discussed though is if this randomness should only
happen on the first or on all renegotiations; and if that should be
configurable or not. And we need a discussion around if we will allow
this to be pushable or not.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc