[Swan-dev] Proposal: Do not retransmit IKEv1 reply for initial responder states

Tuomo Soini tis at foobar.fi
Mon Mar 28 19:23:54 UTC 2016


On Sun, 27 Mar 2016 13:48:25 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:

> Aggressive mode is really broken in that retransmission of the
> responder can be needed. In this case:
> 
>    initiator  AggrOutI1 ----->
>                         <----- AggrInI1OutR1   responder
>    initiator  AggrOutI2 -----X  [dropped packet]
> 
> Since the initiator is now "done", it won't retransmit. But the
> responder is not "done" as it is missing the last packet. Before
> this patch, it would retransmit AggrInI1OutR1 but that's exactly
> what we want to avoid as that could be a spoofed packet.
> 
> If the initiator has enabled DPD, the connection will die/restart but
> that might be much later on (e.g. 30 seconds later)
> 
> Alternatively, we could add some code that checks on the initiator
> side for incoming traffic after a second or two, and if it does not
> see that to retransmit the AggrOutI2 packet.
> 
> Is this worth fixing or not?

I guess this is worth fixing; we do still have this feature (support
for aggressive mode). This logic should really be added to the
initiator code if it is needed.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
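The exchange Paul describes above, as an added simulation that is not libreswan/pluto code and not part of this thread: a three-message aggressive mode run over a constructed lossy link that drops the first AggrOutI2. The responder no longer retransmits AggrInI1OutR1 (the behaviour the patch removes), so without any initiator-side logic the initiator ends up "established" while the responder is stuck waiting for I2. The `initiator_should_resend_i2()` check models the proposed fix: after a short timer, if no inbound traffic has been seen since I2 went out, resend it. State names, the `MAX_I2_RESENDS` bound and the timer-tick model are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Per-side states, named after the pluto transitions in the thread (assumed). */
enum aggr_state {
    ST_IDLE,
    ST_AGGR_I1_SENT,   /* initiator: AggrOutI1 on the wire, waiting for R1 */
    ST_AGGR_R1_SENT,   /* responder: AggrInI1OutR1 done, waiting for I2   */
    ST_ESTABLISHED
};

struct initiator {
    enum aggr_state state;
    int i2_sent;           /* AggrOutI2 packets put on the wire, resends included */
    int inbound_since_i2;  /* packets received from the peer after the last I2 */
};

struct responder {
    enum aggr_state state;
    int i2_received;
};

/* Constructed lossy link: drops the first AggrOutI2 when drop_first_i2 is set. */
struct link {
    bool drop_first_i2;
    int i2_seen;
};

#define MAX_I2_RESENDS 3   /* assumed bound so the initiator does not resend forever */

static void initiator_send_i2(struct initiator *ini, struct responder *rsp, struct link *l)
{
    ini->i2_sent++;
    ini->inbound_since_i2 = 0;
    ini->state = ST_ESTABLISHED;          /* initiator considers the exchange done */
    l->i2_seen++;
    if (l->drop_first_i2 && l->i2_seen == 1)
        return;                           /* packet lost on the link */
    rsp->i2_received++;
    rsp->state = ST_ESTABLISHED;
}

/* Proposed fix from the thread: when the initiator's short timer expires after
   sending AggrOutI2 and nothing has arrived from the peer, resend I2. */
static bool initiator_should_resend_i2(const struct initiator *ini)
{
    return ini->state == ST_ESTABLISHED
        && ini->inbound_since_i2 == 0
        && ini->i2_sent <= MAX_I2_RESENDS;
}

struct outcome {
    enum aggr_state initiator;
    enum aggr_state responder;
    int i2_sent;
};

struct outcome run_aggressive(bool drop_first_i2, bool initiator_check)
{
    struct initiator ini = { ST_IDLE, 0, 0 };
    struct responder rsp = { ST_IDLE, 0 };
    struct link l = { drop_first_i2, 0 };

    ini.state = ST_AGGR_I1_SENT;          /* AggrOutI1 ----->       (assumed delivered) */
    rsp.state = ST_AGGR_R1_SENT;          /* <----- AggrInI1OutR1   (assumed delivered) */
    initiator_send_i2(&ini, &rsp, &l);    /* AggrOutI2 -----X / -----> */

    /* Timer ticks after I2. The responder never retransmits R1 any more, so
       without the initiator-side check nothing happens. Traffic only flows
       back once the responder is established (modelled as one packet per tick). */
    for (int tick = 0; tick < MAX_I2_RESENDS + 1; tick++) {
        if (rsp.state == ST_ESTABLISHED)
            ini.inbound_since_i2++;
        if (initiator_check && initiator_should_resend_i2(&ini))
            initiator_send_i2(&ini, &rsp, &l);
    }
    struct outcome o = { ini.state, rsp.state, ini.i2_sent };
    return o;
}

int main(void)
{
    static const char *names[] = { "IDLE", "AGGR_I1_SENT", "AGGR_R1_SENT", "ESTABLISHED" };
    for (int check = 0; check < 2; check++) {
        struct outcome o = run_aggressive(true, check != 0);
        printf("drop I2, initiator check %s: initiator=%s responder=%s i2_sent=%d\n",
               check ? "on" : "off", names[o.initiator], names[o.responder], o.i2_sent);
    }
    return 0;
}
```

Without the check the two sides disagree (initiator ESTABLISHED, responder still AGGR_R1_SENT) until something like DPD notices; with the check the initiator resends I2 once and both sides end up established.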