[Swan-dev] IKEv1: Remove all IPsec SA's of a connection when newest SA is removed

Paul Wouters paul at nohats.ca
Wed Aug 26 20:03:29 EEST 2015


On Wed, 26 Aug 2015, D. Hugh Redelmeier wrote:

> | From: Antony Antony <antony at phenome.org>
>
> | I am wondering wouldn't this situation be avoided by enabling "initial-contact"?
>
> It is an article of faith that initial-contact is an invitation to DoS
> and should be ignored.  For this to be true, it must not be
> authenticated, and I don't remember whether this is the case (and I
> cannot check at the moment).

It is not authenticated, but you can remember the payload and once the
connection has authenticated, you can kill the old one based on having
received the payload.

But if you run with uniqueids=yes (the default) then I think we already
do this regardless of seeing the initial-contact. Perhaps there is a
race condition here?

Paul
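As an added illustration of the deferral Paul describes above (example code, not libreswan's own; the IKEv1Exchange and SADatabase names, and the simplified uniqueids semantics, are my own assumptions): the INITIAL-CONTACT notification is only recorded while the exchange is unauthenticated, and the older SAs for the same peer identity are removed only once that identity has been authenticated, so a spoofed notification on its own tears nothing down.

```python
"""Deferred INITIAL-CONTACT handling (added illustration, not libreswan code)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class IPsecSA:
    sa_id: int
    peer_id: str  # authenticated identity of the remote peer


@dataclass
class SADatabase:
    """Established IPsec SAs keyed by authenticated peer identity."""
    sas: Dict[str, List[IPsecSA]] = field(default_factory=dict)

    def add(self, sa: IPsecSA) -> None:
        self.sas.setdefault(sa.peer_id, []).append(sa)

    def delete_all_for(self, peer_id: str) -> List[IPsecSA]:
        """Remove every SA for peer_id and return the removed records."""
        return self.sas.pop(peer_id, [])

    def ids_for(self, peer_id: str) -> List[int]:
        return [sa.sa_id for sa in self.sas.get(peer_id, [])]


class IKEv1Exchange:
    """One IKEv1 negotiation with a (not yet authenticated) peer."""

    def __init__(self, db: SADatabase, uniqueids: bool = True):
        self.db = db
        self.uniqueids = uniqueids          # assumed: mirrors libreswan's uniqueids=yes
        self.initial_contact_seen = False
        self.peer_id = None

    def on_notify_initial_contact(self) -> List[int]:
        # The notification arrives before authentication, so it is only
        # remembered here. Acting on it immediately would let anyone who can
        # send a packet tear down an existing peer's SAs (the DoS concern).
        self.initial_contact_seen = True
        return []  # nothing removed at this point

    def on_authenticated(self, peer_id: str, new_sa_id: int) -> List[int]:
        """Called once the peer's identity is authenticated.

        Returns the ids of older SAs removed for that identity. Removal happens
        when the remembered INITIAL-CONTACT is honoured, or when uniqueids
        requires a single live connection per peer identity.
        """
        self.peer_id = peer_id
        removed: List[IPsecSA] = []
        if self.initial_contact_seen or self.uniqueids:
            removed = self.db.delete_all_for(peer_id)
        self.db.add(IPsecSA(new_sa_id, peer_id))
        return [sa.sa_id for sa in removed]


def demo() -> List[int]:
    """Constructed scenario: an old SA for 'alice' exists; a new exchange from
    'alice' carries INITIAL-CONTACT. Returns the SA ids removed after auth."""
    db = SADatabase()
    db.add(IPsecSA(1, "alice"))
    ex = IKEv1Exchange(db, uniqueids=False)
    ex.on_notify_initial_contact()      # remembered, not acted on
    return ex.on_authenticated("alice", 2)


if __name__ == "__main__":
    print(demo())
```

With uniqueids left at its default of True the older SA is replaced even when no INITIAL-CONTACT was seen, which is the overlap with initial-contact handling that the reply above points out.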

