
Re: [Openvpn-users] Re: Shared keys vs. certificates performances (a.k.a "the need for speed")


  • Subject: Re: [Openvpn-users] Re: Shared keys vs. certificates performances (a.k.a "the need for speed")
  • From: Fabio Spelta <spelta@xxxxxxxx>
  • Date: Mon, 14 Mar 2005 14:52:21 +0100

Thank you for your in-depth reply.

James Yonan wrote:

> With default TLS options, the encapsulation overhead is 41 bytes, while the static key default is 44 bytes. Static key is somewhat less efficient in this regard because even though it saves one byte used by TLS to encode the key ID, it adds another 4 bytes because the sequence number must increase from 32 bits to 64 bits in order to be secure with static key usage (TLS gets away with the smaller sequence number because if it ever gets close to wrapping around, we can just trigger a new TLS handshake -- static keys need a large sequence number because they must be robust for long-term usage). So the net result is that TLS saves 3 bytes per packet on the encapsulation overhead compared to TLS usage.

...and I suppose that the cost of renegotiation is lower than the one of the "3 extra bytes" of every single packet, if there is high traffic over the link.

> Check out the --fast-io flag.

Wow, I just discovered a new flag. Does the "Experimental" word in the man page perhaps mean that I should fear some BIG trouble by using it?

Thank you

Fabio

