Hi,

On Fri 15 Mar 2019 at 16:11, <pippin...@protonmail.com> wrote:

> "TLS authentication (HMAC firewall)
>
> To explain the concept of TLS authentication in simpler terms, the idea
> here is to have a unique TLS key, a certificate, that is known and used by
> the server and its clients. A shared secret if you will, that will be used
> to digitally sign and verify packets in both directions. What this does is
> make it possible for the OpenVPN protocol to easily recognize if packets
> are truly VPN packets from a known VPN client, or if they are garbage
> packets from unknown sources. Every OpenVPN packet by itself contains
> encrypted information inside of it, but on top of that, the packet itself
> is signed digitally...................."
>

My apologies, I meant with regards to the data packets rather than the
control packets.

In general though: I understand why packets are signed (with a TLS/HMAC/GCM
tag). What I don't understand is why that tag is transmitted before the
encrypted data rather than after the encrypted data. This choice has some
impact with regards to streaming data transmission (e.g. in a hardware-based
crypto machine). Especially in telecom, latency and packet delay
variation are extremely important parameters, which is why MACsec transmits
the GCM tag at the end of the packet (right before the FCS (CRC)).

Kind regards,

Pieter Hulshoff
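To make the framing question concrete, here is an added simulation (not code from OpenVPN, MACsec, or this thread) of a streaming encryptor under the two layouts discussed: tag before the ciphertext versus tag after it. The cipher is a toy hash-counter keystream and the tag is HMAC-SHA256, both stand-ins chosen so the example runs offline with the standard library; the keys, nonce and packet chunks are constructed demo values. The point it shows is the buffering each layout forces on the sender: with the tag last, each ciphertext chunk can leave as soon as it is produced and the tag trails it, whereas with the tag first nothing can leave until the whole payload has been seen.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed demo values; not real OpenVPN/MACsec keys, nonces or packets.
MASTER = b"demo-master-secret-not-for-real-use"
ENC_KEY = hashlib.sha256(b"enc" + MASTER).digest()
MAC_KEY = hashlib.sha256(b"mac" + MASTER).digest()
NONCE = b"\x00" * 8
TAG_LEN = 32  # HMAC-SHA256 output, standing in for a TLS-auth/GCM tag


def _keystream(start: int, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) per 32-byte
    block. It only exists so the example runs offline; it is NOT a secure cipher."""
    block = 32
    if length <= 0:
        return b""
    first = start // block
    last = (start + length - 1) // block
    out = b"".join(
        hashlib.sha256(ENC_KEY + NONCE + i.to_bytes(4, "big")).digest()
        for i in range(first, last + 1)
    )
    off = start - first * block
    return out[off:off + length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def send_tag_last(chunks: Iterable[bytes]) -> Tuple[bytes, int]:
    """MACsec-style layout: [ciphertext][tag].
    Returns (wire_bytes, number_of_plaintext_chunks_consumed_before_first_emit).
    Each ciphertext chunk is appended to the wire as soon as it is computed; the
    MAC runs incrementally and the tag is emitted once the last chunk is seen."""
    mac = hmac.new(MAC_KEY, NONCE, hashlib.sha256)
    wire = b""
    pos = 0
    first_emit_after: Optional[int] = None
    for n, pt in enumerate(chunks, start=1):
        ct = _xor(pt, _keystream(pos, len(pt)))
        pos += len(pt)
        mac.update(ct)
        wire += ct  # leaves the box immediately, no need to wait for the tag
        if first_emit_after is None:
            first_emit_after = n
    wire += mac.digest()
    return wire, first_emit_after or 0


def send_tag_first(chunks: Iterable[bytes]) -> Tuple[bytes, int]:
    """Layout the thread asks about: [tag][ciphertext].
    The tag covers the whole ciphertext, so the sender must buffer every chunk
    before the first wire byte can be emitted."""
    buffered = []
    pos = 0
    n = 0
    for n, pt in enumerate(chunks, start=1):
        buffered.append(_xor(pt, _keystream(pos, len(pt))))
        pos += len(pt)
    ct = b"".join(buffered)
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return tag + ct, n


def receive(wire: bytes, tag_first: bool) -> Optional[bytes]:
    """Verifies the tag with a constant-time compare, then decrypts.
    Returns the plaintext, or None if the tag does not check out."""
    if len(wire) < TAG_LEN:
        return None
    if tag_first:
        tag, ct = wire[:TAG_LEN], wire[TAG_LEN:]
    else:
        ct, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(0, len(ct)))


if __name__ == "__main__":
    demo = [b"abcd", b"efgh", b"ij"]  # constructed payload, arriving in 3 chunks
    for name, fn, first in (("tag-last", send_tag_last, False),
                            ("tag-first", send_tag_first, True)):
        wire, waited = fn(demo)
        print(f"{name:9s}: first byte sent after {waited} chunk(s), "
              f"{len(wire)} bytes on the wire, verified -> {receive(wire, first)}")
```

Whichever layout is used, the receiving side in this simulation only releases plaintext after the tag has verified, so a tag-last frame still has to be held on the receiver until its final bytes arrive; the latency saving the thread is concerned with is on the sending side, and the tag position does not change what a forged or corrupted packet can do, only where the check reads its tag from.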
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
