[Swan-commit] Changes to ref refs/heads/master

Andrew Cagney cagney at vault.libreswan.fi
Sat Jan 26 17:33:26 UTC 2019

New commits:
commit eafd77a10708c322aa6d9e652fddec799b737ea4
Author: Andrew Cagney <cagney at gnu.org>
Date:   Fri Jan 25 14:06:14 2019 -0500

    ikev2: move DDOS et.al. checks to before state m/c
    This ensures that when DDOS the only responses to IKE_SA_INIT request
    with an invalid or missing cookie is either v2N_COOKIE or silence.
    And for drop_new_exchanges() things really are dropped early.
    Previously, because the checks were after the state machine (and prior
    to that, even later in the IKE_SA_INIT responder event processor), the
    state machine could be made to respond with v2_INVALID_SYNTAX even
    when DDOS or drop_new_exchanges().
    The one apparent downside is that the initial responder is pretty much
    always decoding new IKE_SA_INIT requests (the exceptions are
    drop_new_exchange() and retransmit).  However:
    - in the past this work was hiding in the state m/c, the change just
      makes it explict
    - because the DDOS cookie calculation needs v2Ni (if it wasn't for
      v2Ni things could be a lot simpler), the message needs to be decoded
      before DDOS can be handled
    - apply KISS - any competent DDOS attack is going to force us to
      compute the cookie (so no point in trying to avoid it)
    The code DDOS code is also tweaked adding more checks.  Per the RFC,
    it expects the V2N_COOKIE payload to be first.  rate_log() is used
    so some information is dumped before things go silent.
    (Tests with a missing Ni payload (no response) some unrelated but
    missing payload (v2N_COOKIE response) might be useful).

More information about the Swan-commit mailing list