[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Fri Sep 25 05:28:55 EEST 2015


New commits:
commit e849ad332a9ba9045034ee6912b155c4fc9f33b9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Thu Sep 24 22:23:46 2015 -0400

    pluto: Introduce STF_DROP to drop an IKE packet without response
    
    This is used when an IKE_INIT request is received but hits an OE
    clear foodgroup. There is no point sending the message as it is
    unauthenticated and cannot be trusted by the initiator. And the
    responder is revealing itself to the initiator while it is
    configured to never talk to that particular initiator. With this
    change, the system does not need to enforce this policy using a
    firewall.
    
    Note that this technically violates the IKEv2 specification that
    states we MUST answer (with NO_PROPOSAL_CHOSEN).
    
    This commit also removes the obsoleted/unused STF_STOLEN that was
    part of the old taproom code.


