[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Wed May 14 17:44:51 EEST 2014

New commits:
commit 7b86594dedf746e2f5056114741d47bc25461279
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed May 14 10:44:44 2014 -0400

    update changes

commit f853f44177155f75ff2910a8fe2b96d95f8050e5
Author: Paul Wouters <pwouters at redhat.com>
Date:   Wed May 14 10:22:45 2014 -0400

    DPD: openbsd isakmpd bug workaround for duplicate DPD seqno
    openbsd mistakenly re-uses the same DPD sequence number when its DPD
    probe did not receive an answer. If the probe hit the other endpoint,
    but got lost on the return, it means openbsd sends a duplicate DPD seqno,
    which according to RFC 3706 Section 7 "Security Considerations" we detect
    as a replayed packet that we drop.
    This patch introduced the same kludge openbsd uses to interop with
    itself. That is, we allow and answer 3 dupliates before we remain quiet
    and assume it is a DDOS attack.
    If you read this and have openbsd commit access, please do:
    isakmpd/dpd.c around line 350:
     LOG_DBG((LOG_MESSAGE, 10, "dpd_check_event: "
      "peer not responding, retry %u of %u",
      isakmp_sa->dpd_failcount, DPD_RETRANS_MAX));
    - ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE, isakmp_sa->dpd_seq);
    + ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE, isakmp_sa->dpd_seq++);

More information about the Swan-commit mailing list