[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Wed May 14 17:44:51 EEST 2014
New commits:
commit 7b86594dedf746e2f5056114741d47bc25461279
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed May 14 10:44:44 2014 -0400
update changes
commit f853f44177155f75ff2910a8fe2b96d95f8050e5
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed May 14 10:22:45 2014 -0400
DPD: openbsd isakmpd bug workaround for duplicate DPD seqno
openbsd mistakenly re-uses the same DPD sequence number when its DPD
probe did not receive an answer. If the probe hit the other endpoint,
but got lost on the return, it means openbsd sends a duplicate DPD seqno,
which according to RFC 3706 Section 7 "Security Considerations" we detect
as a replayed packet that we drop.
This patch introduces the same kludge openbsd uses to interop with
itself. That is, we allow and answer 3 duplicates before we remain quiet
and assume it is a DDOS attack.
If you read this and have openbsd commit access, please do:
isakmpd/dpd.c around line 350:
LOG_DBG((LOG_MESSAGE, 10, "dpd_check_event: "
"peer not responding, retry %u of %u",
isakmp_sa->dpd_failcount, DPD_RETRANS_MAX));
message_send_dpd_notify(isakmp_sa,
- ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE, isakmp_sa->dpd_seq);
+ ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE, isakmp_sa->dpd_seq++);
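Review bot: the post-increment on the retransmit path (`isakmp_sa->dpd_seq++`) gives each retry a fresh sequence number, but this hunk shows only the send side; the code that matches a received R_U_THERE_ACK against `isakmp_sa->dpd_seq` is not shown, and unless it accepts an ACK for any seqno still outstanding in the retry window, a late ACK for the previous number will now be rejected and `isakmp_sa->dpd_failcount` keeps climbing toward `DPD_RETRANS_MAX`, reintroducing a spurious dead-peer verdict on exactly the lossy path the change is meant to fix. It is also worth confirming where the first, non-retry probe advances `dpd_seq` so the counter is not bumped twice per probe, and adding the seqno being sent to the `LOG_DBG` line above (it currently logs only `dpd_failcount` and `DPD_RETRANS_MAX`) so retries can be correlated with the peer's log.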
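The responder-side behaviour the commit message describes (answer a duplicate R_U_THERE seqno up to 3 times, drop anything older than the last answered number as a replay, then go quiet) as an added example in C. This is not libreswan or OpenBSD code; the struct, function and constant names (`dpd_responder`, `dpd_on_r_u_there`, `DPD_DUP_TOLERANCE`) and the probe sequences are constructed for illustration.

```c
/*
 * Added example, not libreswan or OpenBSD code: a DPD responder's
 * R_U_THERE sequence-number check with the duplicate tolerance the
 * commit message describes. All names and constants are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The commit message: answer 3 duplicates, then stay quiet. Assumed name. */
#define DPD_DUP_TOLERANCE 3u

enum dpd_action {
    DPD_ANSWER,        /* send R_U_THERE_ACK echoing seqno */
    DPD_DROP_REPLAY,   /* seqno older than one already answered: replay per RFC 3706 s7 */
    DPD_DROP_QUIET     /* duplicate tolerance exhausted: treat as a flood, answer nothing */
};

struct dpd_responder {
    bool     have_seqno;  /* false until the first probe on this SA */
    uint32_t last_seqno;  /* the most recent seqno we answered */
    unsigned dup_count;   /* duplicates of last_seqno answered so far */
};

enum dpd_action dpd_on_r_u_there(struct dpd_responder *r, uint32_t seqno)
{
    if (!r->have_seqno || seqno > r->last_seqno) {
        /* Strictly increasing seqno: the normal RFC 3706 case. */
        r->have_seqno = true;
        r->last_seqno = seqno;
        r->dup_count = 0;
        return DPD_ANSWER;
    }
    if (seqno < r->last_seqno)
        return DPD_DROP_REPLAY;

    /* seqno == last_seqno: an isakmpd-style retransmit with the same number
     * (our ACK got lost on the way back), or a genuine replay. The kludge:
     * answer a bounded number so a lossy path does not kill the SA, then
     * stay quiet. */
    if (r->dup_count < DPD_DUP_TOLERANCE) {
        r->dup_count++;
        return DPD_ANSWER;
    }
    return DPD_DROP_QUIET;
}

/* Constructed probe sequences, not captured traffic. */
static const uint32_t PROBES_BUGGY_ISAKMPD[] = {5, 5, 5, 5, 5}; /* seqno reused on every retry */
static const uint32_t PROBES_FIXED_ISAKMPD[] = {5, 6, 7, 8, 9}; /* dpd_seq++ on every retry */
static const uint32_t PROBES_REPLAYED[]      = {5, 6, 7, 5, 8}; /* an old probe replayed */
#define NPROBES 5

/* Run a probe sequence against a fresh responder; return how many get an ACK. */
size_t dpd_count_answered(const uint32_t *seqs, size_t n)
{
    struct dpd_responder r = {0};
    size_t answered = 0;
    for (size_t i = 0; i < n; i++)
        if (dpd_on_r_u_there(&r, seqs[i]) == DPD_ANSWER)
            answered++;
    return answered;
}

/* Run a probe sequence against a fresh responder; return the decision on the last probe. */
enum dpd_action dpd_last_action(const uint32_t *seqs, size_t n)
{
    struct dpd_responder r = {0};
    enum dpd_action a = DPD_DROP_QUIET;
    for (size_t i = 0; i < n; i++)
        a = dpd_on_r_u_there(&r, seqs[i]);
    return a;
}

int main(void)
{
    printf("buggy isakmpd : %zu of %d probes answered\n",
           dpd_count_answered(PROBES_BUGGY_ISAKMPD, NPROBES), NPROBES);
    printf("fixed isakmpd : %zu of %d probes answered\n",
           dpd_count_answered(PROBES_FIXED_ISAKMPD, NPROBES), NPROBES);
    printf("replayed probe: last decision %d (1 = dropped as replay)\n",
           (int)dpd_last_action(PROBES_REPLAYED, 4));
    return 0;
}
```

With the reused seqno, the responder answers the first probe and three duplicates, then goes quiet; with a fresh seqno per retry, every probe is answered and the tolerance is never needed. A real implementation must also reset this state on rekey and cope with the 32-bit counter wrapping, both left out here.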