[Swan-commit] Changes to ref refs/heads/master
cagney at vault.libreswan.fi
Sat Jan 26 17:33:26 UTC 2019
Author: Andrew Cagney <cagney at gnu.org>
Date: Fri Jan 25 14:06:14 2019 -0500
ikev2: move DDOS et al. checks to before state m/c

This ensures that when DDOS the only responses to IKE_SA_INIT request
with an invalid or missing cookie is either v2N_COOKIE or silence.
And for drop_new_exchanges() things really are dropped early.

Previously, because the checks were after the state machine (and prior
to that, even later in the IKE_SA_INIT responder event processor), the
state machine could be made to respond with v2_INVALID_SYNTAX even
when DDOS or drop_new_exchanges().

The one apparent downside is that the initial responder is pretty much
always decoding new IKE_SA_INIT requests (the exceptions are
drop_new_exchange() and retransmit). However:

- in the past this work was hiding in the state m/c, the change just
  makes it explicit
- because the DDOS cookie calculation needs v2Ni (if it wasn't for
  v2Ni things could be a lot simpler), the message needs to be decoded
  before DDOS can be handled
- apply KISS - any competent DDOS attack is going to force us to
  compute the cookie (so no point in trying to avoid it)

The DDOS code is also tweaked adding more checks. Per the RFC,
it expects the V2N_COOKIE payload to be first. rate_log() is used
so some information is dumped before things go silent.

(Tests with a missing Ni payload (no response) and some unrelated but
missing payload (v2N_COOKIE response) might be useful.)
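The ordering the commit describes, as an added model that is not libreswan's code: a simplified Python responder decodes the IKE_SA_INIT request only far enough to find Ni and the leading COOKIE notify, and in DDOS mode the only outcomes are a v2N_COOKIE reply or silence before anything reaches the state machine. The cookie follows RFC 7296 section 2.6 (version byte | HMAC over Ni, IPi, SPIi and a secret); the request dictionary, payload names and secret are constructed for illustration.

```python
import hmac
import hashlib
from typing import Optional

# Constructed model, not libreswan's structures: a request is a dict with the
# initiator address, initiator SPI and an ordered list of (payload_type, value).
COOKIE_SECRET = b"constructed-rotating-secret"  # assumption: one current secret
SECRET_VERSION = b"\x01"  # <VersionIDofSecret> from RFC 7296 section 2.6


def compute_cookie(ni: bytes, ipi: str, spii: bytes, secret: bytes = COOKIE_SECRET) -> bytes:
    """Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>), RFC 7296 2.6."""
    mac = hmac.new(secret, ni + ipi.encode() + spii, hashlib.sha256).digest()
    return SECRET_VERSION + mac


def respond_ike_sa_init(request: dict, ddos_mode: bool, drop_new_exchanges: bool) -> Optional[str]:
    """Return 'v2N_COOKIE', 'state_machine' (request handed on), or None (silence)."""
    # drop_new_exchanges(): dropped before any decoding, as the commit intends.
    if drop_new_exchanges:
        return None
    payloads = request["payloads"]
    # The message must be decoded far enough to find Ni, since the cookie depends on it.
    ni = next((value for ptype, value in payloads if ptype == "Ni"), None)
    if ni is None:
        return None  # missing Ni: nothing to compute a cookie from, so stay silent
    if ddos_mode:
        # Per the RFC the COOKIE notify is expected to be the first payload.
        first_type, first_value = payloads[0]
        expected = compute_cookie(ni, request["ipi"], request["spii"])
        if first_type != "N(COOKIE)" or not hmac.compare_digest(first_value, expected):
            return "v2N_COOKIE"  # invalid or missing cookie: the only reply is a fresh cookie
    # Only now does the request reach the state machine, which may send
    # v2_INVALID_SYNTAX for malformed input; in DDOS mode that path is never
    # reached without a valid cookie.
    return "state_machine"
```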