Changes between Version 3 and Version 4 of DataChannelOffload
- Timestamp:
- 01/15/22 16:19:36 (2 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
DataChannelOffload
v3 v4 1 1 = OpenVPN Data Channel Offload (aka OVPN-DCO) 2 3 2 == Intro 4 5 The expression ''Data Channel Offload'' refers to any technique implemented with the goal of moving the processing of data packets from the userspace program to a separate entity. 3 The expression ''Data Channel Offload'' refers to any technique implemented with the goal of moving the processing of data packets from the OpenVPN userspace program to a separate entity. 6 4 7 5 Given that OpenVPN spends a considerable amount of time passing data packets back and forth from kernel-land to user-land, where decryption and re-routing happens, it was decided to offload the data processing directly to the kernel. 8 As direct consequence, data packets are not required to leave the kernelspace anymore, thus boosting the performance of ongoingVPN connections.6 As direct consequence, data packets are not required to leave the kernelspace anymore, thus boosting the performance of active VPN connections. 9 7 10 8 === Before DCO 11 12 9 The picture below depicts how data packets flow on a generic OpenVPN server: 13 10 … … 24 21 25 22 === Introducing DCO 23 To overcome the limitations described in the section above we have developed ''ovpn-dco'', a Linux kernel module designed to work back-to-back with the OpenVPN userspace software. 24 When a VPN connection is established, being it on a client, on a server or on a p2p instance, the userspace process will first perform the usual handshake and will then pass the data channel parameters to ovpn-dco, so that it can take over from there. At this point, data packets are all handled in kernelspace and are never sent up to the userspace process. 26 25 26 The picture below helps to visualize the difference with to the basic scenario shown above: 27 27 28 {image here} 29 30 Context switch is therefore reduced to the minimum and packet processing can take advantage of the kernel concurrency model. 31 The two main OpenVPN functions, crypto and routing, are implemented using the kernel provided API. 32 For what concerns routing, the system routing table is directly used to understand if packets have to re-routed directly to another peer (i.e. client-to-client mode), without the need to ask the userspace process. 33 34 OpenVPN in userspace is still in charge of handling the control channel, where all the complex and less throughput-critical operations take place. This is considered an advantage as it allowed to keep the complexity of the ovpn-dco kernel module to the minimum and thus reduce the attack surface. 35 36 === DCO on Windows 37 A similar kernel module has also been developed for Windows, namely ''ovpn-dco-win''. 38 It is a device driver implemented in kernelspace that substitutes all previous drivers used by OpenVPN (i.e.