On 08/06/2014 02:38 PM, David Sommerseth wrote:
> On 06/08/14 15:20, Gert Doering wrote:
> 
>>> What is CPU intensive is when asymmetric encryption comes into
>>> play, with the key exchanges and other negotiations etc.
> 
>> slow, but used much more seldom...  assuming VPN clients that stay
>>  connected for a reasonable amount of time, and transfer "enough"
>> data.
> 
> True ... until you restart a busy server.  Then you'll get a busy
> peak, and unless the --reneg-* options are disabled, you'll have these
> peaks fairly regularly.

I haven't looked at the code, but I wonder if there is a random margin time
added to or subtracted from reneg-sec to avoid all clients renegotiating at
the exact same time in that specific scenario?

This feature is well explained here [1] (IPsec implementation), see
"rekeyfuzz".

> Which actually makes me ponder even more, regarding the SSL state
> manager.  If OpenVPN is killed with a "restart" signal, could it
> encrypt the saved state and dump to file (keying material could be the
> server --key, or another explicit key for this feature).  When it is
> started again, it will read and decrypt this file and continue without
> re-init of all SSL clients .... but it may actually fail, especially
> for TCP, depending on if there are any tight relations to the client
> ports.

I like that idea and maybe the TCP case could be addressed by TCP repair
[2] on Linux.

Regards,
Simon

1: https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
2: https://lwn.net/Articles/495304/
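A small simulation of the effect discussed in this thread (added here as an illustration, not code from the original message, from OpenVPN or from strongSwan). It models the strongSwan "rekeyfuzz" behaviour as documented in [1]: a rekey is scheduled `margin` seconds before the lifetime expires, and that margin is multiplied by a random factor between 1 and 1 + fuzz/100. Client count, lifetime and margin values are assumed example parameters; `reneg_sec` style fixed intervals (fuzz 0) are compared against fuzzed ones to show how many peers hit the server in the same one-second window after a restart.

```python
import random
from collections import Counter

# Hypothetical example parameters: N clients all reconnect at t=0 after a
# server restart, so without jitter they all renegotiate at the same instant.
N_CLIENTS = 1000
LIFETIME = 3600   # seconds, analogous to OpenVPN --reneg-sec 3600
MARGIN = 540      # seconds before expiry at which a rekey is started
FUZZ = 100        # percent; strongSwan's documented default for rekeyfuzz


def rekey_time(lifetime, margin, fuzz_percent, rng):
    """Time (seconds after connect) at which one peer starts its rekey.

    strongSwan semantics per its ExpiryRekey wiki page: the margin is scaled
    by a random factor in [1, 1 + fuzz/100], so rekeys spread over a window
    of margin * fuzz/100 seconds. fuzz_percent=0 reproduces a fixed interval.
    """
    factor = 1.0 + rng.random() * (fuzz_percent / 100.0)
    return lifetime - margin * factor


def schedule(n_clients, lifetime, margin, fuzz_percent, seed=0):
    """Rekey start times for n_clients that all connected at t=0."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    return [rekey_time(lifetime, margin, fuzz_percent, rng)
            for _ in range(n_clients)]


def peak_per_bucket(times, bucket=1.0):
    """Largest number of rekeys landing in any single `bucket`-second window.

    This is the burst of asymmetric (TLS handshake) work the server sees at
    once, which is what the thread is worried about.
    """
    counts = Counter(int(t // bucket) for t in times)
    return max(counts.values())


def compare(n_clients=N_CLIENTS, lifetime=LIFETIME, margin=MARGIN,
            fuzz_percent=FUZZ, seed=0):
    """Return (peak_without_fuzz, peak_with_fuzz, window_start, window_end)."""
    fixed = schedule(n_clients, lifetime, margin, 0, seed)
    fuzzed = schedule(n_clients, lifetime, margin, fuzz_percent, seed)
    return (peak_per_bucket(fixed), peak_per_bucket(fuzzed),
            min(fuzzed), max(fuzzed))


if __name__ == "__main__":
    fixed_peak, fuzzed_peak, start, end = compare()
    print(f"no fuzz : {fixed_peak} clients rekey in the same second")
    print(f"fuzz {FUZZ}%: at most {fuzzed_peak} per second, "
          f"spread over t={start:.0f}..{end:.0f}s")
```

With fuzz disabled every peer rekeys in the same second, so the peak equals the client count; with the default 100% fuzz the same 1000 rekeys are spread across a 540-second window and the per-second peak drops to single digits. OpenVPN itself gained comparable jitter later: from 2.4 on, `--reneg-sec max [min]` lets the server pick the renegotiation interval from a range rather than a fixed value.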

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users