[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Tue Oct 24 23:04:58 UTC 2017
New commits:
commit 129c3379851523b64bc2953bdffe86eb721198a9
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 24 18:58:06 2017 -0400
pluto: redo fix for 152d6d956 on initial response retransmit
To prevent amplification attacks by IKEv1 retransmit, we changed
our code in 152d6d956 to no longer retransmit the first responder
packet. The method used was to change EVENT_v1_RETRANSMIT into
EVENT_SA_EXPIRE. This has as a side effect that these states linger
for one hour before getting cleaned up.
This patch changes the event back to EVENT_v1_RETRANSMIT. When this
timer fires, it will skip the actual retransmit of the packet, while
leaving all other retransmit logic the same. This results in the
normal retransmit-timeout values being used to delete the state.
This brings the time back from 1h to about 1 minute in the default
configuration (0.5+1+2+4+8+16+32 seconds)
is added to the timer.c co
commit 1dea52f3ab31508b32a6ef609456a1572ac15d11
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 24 18:56:58 2017 -0400
pluto: Add --impair-drop-i2 to drop responses to initial response packet in IKEv1
commit cff3c0edcf6f97596c1021e7aef1182320c90fc9
Author: Paul Wouters <pwouters at redhat.com>
Date: Tue Oct 24 18:55:49 2017 -0400
testing: added ikev1-expire-r1-01-main and ikev1-expire-r1-02-aggr