Hi Pieter,
On 07/11/18 16:11, Pieter Hulshoff wrote:
Thank you for your answers.
2018-11-07 15:50 GMT+01:00 Jan Just Keijser <janj...@nikhef.nl
<mailto:janj...@nikhef.nl>>:
In short:
- in CBC+SHA mode (iv + cipher + tag + hmac) = (16 + 16 + 0 +
32) = 64
- in GCM mode (iv + cipher + tag + hmac) = (12 + 16 + 16 + 0) = 44
This is a bit of a surprise. I was under the impression that the HMAC
key data part of the IV was not transmitted over the line, and that
the PACKET-ID forms the other 4 bytes of the IV (and is transmitted
only once over the line). As such, my view was:
AES-CBC: 20 (IP) + 8 (UDP) + 1 (OPCODE) + 3 (PEER-ID) + 16 (IV) + 32
(HMAC) + 4 (PACKET-ID) + 16 (max padding) = 100 bytes overhead.
AES-GCM: 20 (IP) + 8 (UDP) + 1 (OPCODE) + 3 (PEER-ID) + 4 (IV =
PACKET-ID) + 16 (TAG) = 52 bytes overhead.
My remaining question was more in regards to the 8 byte HMAC key
section of the IV (which I believe is not transmitted over the line).
Where does it come from? Is it a sub section of the 32 byte HMAC key
exchanged during (re-)keying? If so, which sub section? Is it perhaps
a hash/KDF result of the 32 byte HMAC key? Is the key exchange changed
to only send an 8 byte HMAC key in stead?
I cannot tell if what I am seeing is correct, but I've regenerated the
MTU adjustments from the source code and from playing with some of the
cipher/auth parameters:
in CBC mode, "auth sha256" leads to an MTU adjustment of 68 bytes
leaving everything else constant, "auth sha512" leads to an MTU
adjustment of 68+32=100 bytes:
crypto_adjust_frame_parameters: packet_id_size= 4 bytes
crypto_adjust_frame_parameters: cipher_kt_iv_size = 16 bytes
crypto_adjust_frame_parameters: cipher_kt_block_size = 16 bytes
crypto_adjust_frame_parameters: hmac_length = 64 bytes
crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by
100 bytes
and
/usr/sbin/ip link set dev tun1 up mtu 1396
so I cannot tell whether the entire HMAC is transmitted over the wire
with every packet, but I *DO* see that OpenVPN subtracts another 32
bytes from the tun-mtu if I increase the HMAC size from SHA256 (32
bytes) to SHA512 (64 bytes).
Again, I am not saying that this is the correct behaviour, I am just
stating this is the *observed* behaviour.
Also note that this is NOT correct: 20 (IP) + 8 (UDP)
The MTU is NOT adjusted for the IP address inside or outside the tunnel:
the IP address inside the tunnel is part of the payload and the outside
IP address is not included in the MTU at all. It would mean that the MTU
is also dependent on whether IPv6 traffic is tunneled or not...
HTH,
JJK
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
