* About compression
@ 2017-07-31 16:06 Bzzzz
2017-07-31 16:10 ` Jason A. Donenfeld
0 siblings, 1 reply; 4+ messages in thread
From: Bzzzz @ 2017-07-31 16:06 UTC (permalink / raw)
To: WireGuard mailing list
Hi Jason,
is there a way at this time (or do you intend to add it) to compress WG
streams on the fly ? (something fast and quite light, such as eg: lz4)
Jean-Yves
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: About compression
2017-07-31 16:06 About compression Bzzzz
@ 2017-07-31 16:10 ` Jason A. Donenfeld
2017-07-31 16:57 ` Daniel Kahn Gillmor
2017-07-31 19:36 ` Bzzzz
0 siblings, 2 replies; 4+ messages in thread
From: Jason A. Donenfeld @ 2017-07-31 16:10 UTC (permalink / raw)
To: Bzzzz; +Cc: WireGuard mailing list
Hi Jean-Yves,
No, not a chance. Compression is really better left for upper layers.
I'm not sure I see the value in adding at layer 3. This is an
especially contentious issue because of the history of complex and
catastrophic interactions between compression and encryption (such as
the CRIME and BREACH attacks against TLS).
What workload are you currently experiencing that would measurably
benefit from having layer 3 compression?
Regards,
Jason
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: About compression
2017-07-31 16:10 ` Jason A. Donenfeld
@ 2017-07-31 16:57 ` Daniel Kahn Gillmor
2017-07-31 19:36 ` Bzzzz
1 sibling, 0 replies; 4+ messages in thread
From: Daniel Kahn Gillmor @ 2017-07-31 16:57 UTC (permalink / raw)
To: Jason A. Donenfeld, Bzzzz; +Cc: WireGuard mailing list
[-- Attachment #1: Type: text/plain, Size: 780 bytes --]
On Mon 2017-07-31 18:10:39 +0200, Jason A. Donenfeld wrote:
> No, not a chance. Compression is really better left for upper layers.
> I'm not sure I see the value in adding at layer 3. This is an
> especially contentious issue because of the history of complex and
> catastrophic interactions between compression and encryption (such as
> the CRIME and BREACH attacks against TLS).
I just wanted to second this response. Jason's making absolutely the
right choice here, since content-agnostic transports like wireguard have
no way of knowing whether a given stream is a mixture of
confidentiality-sensitive data and attacker-controlled data.
If your application layer knows that certain things can be safely
compressed, it should do the compression itself.
--dkg
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: About compression
2017-07-31 16:10 ` Jason A. Donenfeld
2017-07-31 16:57 ` Daniel Kahn Gillmor
@ 2017-07-31 19:36 ` Bzzzz
1 sibling, 0 replies; 4+ messages in thread
From: Bzzzz @ 2017-07-31 19:36 UTC (permalink / raw)
To: WireGuard mailing list
On Mon, 31 Jul 2017 18:10:39 +0200
"Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
> especially contentious issue because of the history of complex and
> catastrophic interactions between compression and encryption (such as
> the CRIME and BREACH attacks against TLS).
Hmm, it just made it much more apparent.
Recently, nsa dismissed the elliptic curve crypto, however, even if I'm
not a mathematico-differencio-analyso-crypto god (but I compensate with
huge premonitions;), something is telling me it's because they can't
break it, compressed or not.
> What workload are you currently experiencing that would measurably
> benefit from having layer 3 compression?
It was more a generic question, somewhat linked to cell phone data
monthly quota, than something vital.
I take good note of your explanation and about what Daniel said,
which is quite logical (doing app level compression.)
Thanks to the both of you.
JY
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-07-31 19:15 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-31 16:06 About compression Bzzzz
2017-07-31 16:10 ` Jason A. Donenfeld
2017-07-31 16:57 ` Daniel Kahn Gillmor
2017-07-31 19:36 ` Bzzzz
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.