[Swan-commit] Changes to ref refs/heads/master

Paul Wouters paul at vault.libreswan.fi
Tue Oct 24 23:04:58 UTC 2017


New commits:
commit 129c3379851523b64bc2953bdffe86eb721198a9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 24 18:58:06 2017 -0400

    pluto: redo fix for 152d6d956 on initial response retransmit
    
    To prevent amplification attacks by IKEv1 retransmit, we changed
    our code in 152d6d956 to no longer retransmit the first responder
    packet. The method used was to change EVENT_v1_RETRANSMIT into
    EVENT_SA_EXPIRE. This has the side effect that these states linger
    for one hour before getting cleaned up.
    
    This patch changes the event back to EVENT_v1_RETRANSMIT. When this
    timer fires, it will skip the actual retransmit of the packet, while
    leaving all other retransmit logic the same. This results in the
    normal retransmit-timeout values being used to delete the state.
    
    This brings the time back from 1h to about 1 minute in the default
    configuration (0.5+1+2+4+8+16+32 seconds)
    
    is added to the timer.c co

commit 1dea52f3ab31508b32a6ef609456a1572ac15d11
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 24 18:56:58 2017 -0400

    pluto: Add --impair-drop-i2 to drop responses to initial response packet in IKEv1

commit cff3c0edcf6f97596c1021e7aef1182320c90fc9
Author: Paul Wouters <pwouters at redhat.com>
Date:   Tue Oct 24 18:55:49 2017 -0400

    testing: added ikev1-expire-r1-01-main and ikev1-expire-r1-02-aggr


