XMPP Service Operators - 2024-05-22


  1. nuegia.net

    Some websites claim that WireGuard is faster then IPsec, but does that remain true with modern CPUs that have hardware acceleration for AES?

  2. Maranda

    > <nuegia.net> Some websites claim that WireGuard is faster then IPsec, but does that remain true with modern CPUs that have hardware acceleration for AES? That's not a claim it's just a fact

  3. nuegia.net

    what is?

  4. Maranda

    Irregardless that's not offloaded like IPSec

  5. Menel

    Wasn't wireguard invented afert every computer already had aes hardware acceleration? In my head aes acceleration is older then wireguard. So yes all test account that already in

  6. Maranda

    (for example: we get over 1Gb/s transits on site to site tunnels with WG while maybe 300Mb/s with IPSec with the same hardware)

  7. moparisthebest

    > Wasn't wireguard invented afert every computer already had aes hardware acceleration? In my head aes acceleration is older then wireguard. > So yes all test account that already in yes, much older

  8. nuegia.net

    Maranda, what about wireguard set to ciphers you have a hardware accelerated implementation of. not chacha20/poly1305

  9. nuegia.net

    but AES256

  10. nuegia.net

    Wireguard's cipher is optimized for CPUs that don't have AESNI feature

  11. nuegia.net

    most prosumer grade and up CPUs support this, even mips

  12. nuegia.net

    octeon MIPS

  13. Menel

    Just use wireguard and don't worry about anything. It works and doesn't stress cpu.

  14. Maranda

    nuegia.net I don't know about an implementation of WG that let's you set ciphers, also the former ciphers are better in every aspect compared to AES256-CBC/CTR/GCM irregardless

  15. Maranda

    So I'm not sure what are you on about.

  16. nuegia.net

    you can't change ciphers with wireguard only ipsec

  17. jonas’

    that's a feature

  18. jonas’

    much less complexity

  19. nuegia.net

    'better' is situational. a hardware implementation of AES can be way faster and just as secure (if not more) as chacha20

  20. nuegia.net

    if chacha20 is only implemented in software

  21. nuegia.net

    chacha20 was only ever intended as a software fallback that's 'good enough' while also not melting mobile (smartphone) cpus

  22. Maranda

    nuegia.net to improve throughput with IPSec IKE or IKEv2 the only way has always been setting weaker ciphers, which brought more additional issues than it solved, so since we're almost in 2025 ditching a protocol that is dumb at NAT traversal (even with all the caveats) and that is blocked at every corner in transit, is a good idea and that's all I have to add to the topic.

  23. Maranda

    Modern ARM cpus are more than capable at handling WG even without offloading.

  24. nuegia.net

    There's no NAT in IPv6 so the mode IPsec is in doesn't really matter. Also AES isn't a weaker cipher and most cpus with hardware implementations can do multi-gigabit sometimes 10+ gigabit with aesni. Also this does matter for embedded cpus which most networking appliances use.

  25. jonas’

    this is not the wireguard discussion room, so please take it elsewhere.

  26. Maranda

    nuegia.net at this rate I think you're arguing over nothing, so do as you wilt. You have been given enough advice already.

  27. nuegia.net

    not really

  28. worlio.com

    So uh... on the topic of XMPP... Anybody just tired of blocking MUC PMs outright to everyone?

  29. jonas’

    worlio.com, what do you mean?

  30. worlio.com

    So uh... on the topic of XMPP... Anybody just tired of blocking MUC PMs outright to everyone when it becomes a problem (aka muc_block_pm)?

  31. worlio.com

    » [03:14:45] <jonas’> worlio.com, what do you mean? My bad, my edit to make it clearer took too long).

  32. worlio.com

    » [03:14:45] <jonas’> worlio.com, what do you mean? My bad, my edit to make it clearer took too long.

  33. jonas’

    I think for public rooms blocking PMs between non-mods is not the worst thing to do.

  34. worlio.com

    Yes but I hate doing that because there are useful cases for MUC PMs between members.

  35. jonas’

    worlio.com, right. I have no good ideas for solutions unfortunately.

  36. worlio.com

    I wasn't really conveying I have a problem though because if you're using Prosody, I recently made and pushed a mod called muc_restrict_pm.

  37. worlio.com

    I just wanted to let people know that.

  38. Menel

    It still blocks pm for every (participant), the difference to the other module is, it is per room, isn't it?

  39. worlio.com

    muc_restrict_pm is configurable per-room.

  40. worlio.com

    You can set what affiliation to require rather than block for all particpants.

  41. MSavoritias (fae,ve)

    ah its an allowlist right? interesting

  42. MSavoritias (fae,ve)

    from the description at least i read

  43. worlio.com

    https://xmpp.worlio.com:5281/file_share/MsVXScQLkKMCWOSgTSuou2nY/psishare-jIaxHu.png

  44. worlio.com

    It adds these room configuration options.

  45. worlio.com

    This still allows PMing moderators regardless (for voicing).

  46. MSavoritias (fae,ve)

    ah okay

  47. worlio.com

    This still allows PMing moderators regardless (for voice requesting).

  48. worlio.com

    It uses the affiliation, so you can assign people as members like you would if you wanted to set the room to moderated.

  49. MSavoritias (fae,ve)

    fyi ejabberd has this already. prosody doesnt apparently

  50. worlio.com

    I'm not really aware of ejabberd by much, I like Prosody too much.

  51. Menel

    A per room config is nice to have.

  52. unix.dog

    Yeah ejabberd has that by default

  53. unix.dog

    It's a really nice feature

  54. unix.dog

    For my public room I default all users to Visitors without voice, then they can either use XMPP voice requests or PM a moderator

  55. unix.dog

    visitors aren't allowed to PM others

  56. unix.dog

    also it looks like my friend Squeaky Latex Folf doesn't have voice in here

  57. Menel

    See https://xmpp.org/community/channels/operators/#how-do-i-get-channel-membership about voice. The "don't fret - - not required part" is obsolete at the moment

  58. Menel

    See https://xmpp.org/community/channels/operators/#who-is-authbot https://xmpp.org/community/channels/operators/#how-do-I-get-channel-membership about voice. The "don't fret - - not required part" is obsolete at the moment

  59. unix.dog

    ah okay ty

  60. MattJ

    The irony of discussing ejabberd having the ability to block PMs and Prosody not, in a channel hosted on Prosody where PMs are in fact blocked... :)

  61. Menel

    Seems prosody is approaching having it three times (three different modules)

  62. worlio.com

    » [13:26:18] <MattJ> The irony of discussing ejabberd having the ability to block PMs and Prosody not, in a channel hosted on Prosody where PMs are in fact blocked... :) Is the server running this MUC not using a module for it?

  63. worlio.com

    I think that was the focus. From my understanding, the option is in ejabberd by default.

  64. Menel

    Well in prosody everything is a module. Even client connections

  65. Brian

    Blocking PMs in a Prosody-hosted MUC is a community module, so yeah... there is that. On the other hand, yes, everything is a module in Prosody.

  66. worlio.com

    Well now it can be blocked per-muc was the point.

  67. Brian

    I guess that does depend on which module you use. Now that I scroll up a bit, making it more flexible is nice.

  68. Brian

    It would also be nice if there weren't half a dozen modules doing the same thing slightly differently. I made a slight mod to the block_strangers module to add an exception list, and was invited to create a new module for that, but it seems to me that patching the old one (the list is optional, after all) would be better. Just my opinion...