[GH-ISSUE #5042] [Feature Request] Enable kcp encryption

gitea-mirror commented

2026-05-05 14:31:27 -06:00

Owner

Copy link

Originally created by @f0re1gnKey on GitHub (Nov 2, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/5042

Describe the feature request

According to the description of kcp-go, without encryption

The contents of the packets are completely anonymous with encryption, including the headers (FEC, KCP), checksums, and contents. Note that no matter which encryption method you choose at the upper layer, if you disable encryption, the transmission will be insecure, as the header is plaintext and susceptible to tampering, such as jamming the sliding window size, round-trip time, FEC properties, and checksums. AES-128 is suggested for minimal encryption, as modern CPUs come with AES-NI instructions and perform better than salsa20 (check the table above).

Q: Should I enable encryption?
A: Yes, for the security of the protocol, even if the upper layer has encryption.

Even if the upper layer has used tls encryption, the control header of kcp still needs to be encrypted and protected.

Describe alternatives you've considered

No response

Affected area

Docs
Installation
Performance and Scalability
Security
User Experience
Test and Release
Developer Infrastructure
Client Plugin
Server Plugin
Extensions
Others

Originally created by @f0re1gnKey on GitHub (Nov 2, 2025). Original GitHub issue: https://github.com/fatedier/frp/issues/5042 ### Describe the feature request According to the description of kcp-go, without encryption The contents of the packets are completely anonymous with encryption, including the headers (FEC, KCP), checksums, and contents. Note that no matter which encryption method you choose at the upper layer, if you disable encryption, the transmission will be insecure, as the header is plaintext and susceptible to tampering, such as jamming the sliding window size, round-trip time, FEC properties, and checksums. AES-128 is suggested for minimal encryption, as modern CPUs come with AES-NI instructions and perform better than salsa20 (check the table above). Q: Should I enable encryption? A: Yes, for the security of the protocol, even if the upper layer has encryption. Even if the upper layer has used tls encryption, the control header of kcp still needs to be encrypted and protected. ### Describe alternatives you've considered _No response_ ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [x] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [ ] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others

gitea-mirror closed this issue

2026-05-05 14:31:28 -06:00

gitea-mirror commented

2026-05-05 14:31:30 -06:00

Author

Owner

Copy link

@fatedier commented on GitHub (Nov 3, 2025):

frp does not aim to provide traffic obfuscation. In frp, KCP is used solely to improve throughput in poor/unstable (lossy) network conditions.

@fatedier commented on GitHub (Nov 3, 2025): frp does not aim to provide traffic obfuscation. In frp, KCP is used solely to improve throughput in poor/unstable (lossy) network conditions.

gitea-mirror commented

2026-05-05 14:31:30 -06:00

Author

Owner

Copy link

@f0re1gnKey commented on GitHub (Nov 3, 2025):

This issue is closed because the author has explicitly stated that the KCP will not be protected.

@f0re1gnKey commented on GitHub (Nov 3, 2025): This issue is closed because the author has explicitly stated that the KCP will not be protected.

gitea-mirror referenced this issue

2026-05-05 14:50:25 -06:00

[PR #3967] [MERGED] bump version to 0.54.0 #4875

No Branch/Tag specified