"Cipher = none" doesn't seem to be working properly

Guus Sliepen guus at tinc-vpn.org
Sun Aug 7 18:02:14 CEST 2011


On Sun, Aug 07, 2011 at 10:57:31AM -0400, Brian Prodoehl wrote:

> I have a simple pair of nodes set up, connected wirelessly, with tincd
> 1.0.16 running in switch mode.  Setting Cipher and Digest to "none",
> and Compression to 0, the bridge is still CPU-bound, with most of
> tincd's CPU time spent in libcrypto.  I narrowed it down to this line
> in net_setup.c:
> 
> 	myself->connection->outcipher = EVP_bf_ofb();
> 
> It looks as though all outgoing data is encrypted with blowfish,
> regardless of the Cipher setting.  I pulled that assignment of
> outcipher up to match what happens with incipher, and then my bridge
> throughput doubled and tincd is no longer spending all that time in
> libcrypto.  I didn't have a chance to test other Cipher settings, so
> what I did may completely break encryption.  How should outcipher be
> set?

The Cipher option only affects the algorithm for UDP packets. Apparently, most
of your traffic is tunneled via TCP. The protocol does allow a configurable
algorithm for the TCP connection as well, but it specifically requires a stream
cipher, whereas UDP packets can use any cipher mode.

I might add another option to set a different algorithm for the meta
connections, but I don't think I want to change the behaviour of the Cipher
option in the 1.0 branch of tinc.

-- 
Met vriendelijke groet / with kind regards,
     Guus Sliepen <guus at tinc-vpn.org>
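Added illustration (not part of the mailing-list thread and not tinc code): the reply above says the TCP meta connection needs a stream cipher, which is why net_setup.c hard-wires EVP_bf_ofb() there. The property that matters is that OFB turns a block cipher into a keystream, so a byte stream can be encrypted in whatever chunk sizes the TCP writes happen to produce, with no padding and no block alignment, and decryption does not need to see the same chunk boundaries. The block function below is a constructed keyed-hash stand-in with Blowfish's 8-byte block size, not Blowfish; it only has a forward direction, which is all OFB ever uses. Key, IV and the record lines are constructed sample data.

```python
import hashlib

BLOCK = 8  # Blowfish block size in bytes; the stand-in below uses the same size


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's forward (encrypt) direction.

    Constructed for this example: a keyed hash truncated to one block.
    It is NOT Blowfish and not a secure block cipher. OFB mode only
    needs the encrypt direction, which is all this stand-in provides.
    """
    if len(block) != BLOCK:
        raise ValueError("block function takes exactly one block")
    return hashlib.sha256(key + block).digest()[:BLOCK]


class OFBStream:
    """Output-feedback mode used as an incremental stream cipher.

    Keystream block i = E_k(keystream block i-1), starting from the IV.
    Plaintext bytes are XORed one at a time, so process() accepts any
    chunk length, never pads, and the same object both encrypts and
    decrypts (XOR is its own inverse).
    """

    def __init__(self, key: bytes, iv: bytes):
        if len(iv) != BLOCK:
            raise ValueError("IV must be exactly one block")
        self.key = key
        self.feedback = iv   # last keystream block (initially the IV)
        self.unused = b""    # keystream bytes not yet consumed

    def process(self, data: bytes) -> bytes:
        out = bytearray()
        for byte in data:
            if not self.unused:
                # Generate the next keystream block by feeding the
                # previous output block back into the block cipher.
                self.feedback = block_encrypt(self.key, self.feedback)
                self.unused = self.feedback
            out.append(byte ^ self.unused[0])
            self.unused = self.unused[1:]
        return bytes(out)


def encrypt_chunks(key: bytes, iv: bytes, chunks) -> bytes:
    """Run a list of chunks through one OFB stream and concatenate."""
    stream = OFBStream(key, iv)
    return b"".join(stream.process(chunk) for chunk in chunks)


def chunking_is_transparent(key: bytes, iv: bytes, records) -> bool:
    """True if writing records one at a time yields exactly the same
    ciphertext as writing them in a single buffer, and if a receiver
    can decrypt it using different boundaries again."""
    joined = b"".join(records)
    piecewise = encrypt_chunks(key, iv, records)
    at_once = encrypt_chunks(key, iv, [joined])
    # Decrypt using yet another chunking (3-byte reads) on the receiver.
    reads = [piecewise[i:i + 3] for i in range(0, len(piecewise), 3)]
    recovered = encrypt_chunks(key, iv, reads)
    return piecewise == at_once and recovered == joined


if __name__ == "__main__":
    # Constructed sample: a few text records of unrelated lengths, as a
    # line-oriented TCP control stream would write them.
    KEY = b"constructed-example-key"
    IV = bytes(BLOCK)  # constructed; a real IV must be unpredictable
    RECORDS = [b"record one\n", b"two\n", b"a third, longer record\n"]
    print("chunk boundaries irrelevant:", chunking_is_transparent(KEY, IV, RECORDS))
```

A block-oriented mode such as CBC could not be dropped in here: each process() call would have to hand the cipher a multiple of 8 bytes, so a 4-byte record would either stall in a buffer or need padding inside the stream. That is the difference the reply draws between the TCP connection and UDP packets, where each datagram is a self-contained unit and padding or alignment per packet is acceptable.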