[Swan-dev] Proposal: Do not retransmit IKEv1 reply for initial responder states

Tuomo Soini tis at foobar.fi
Mon Mar 28 19:23:54 UTC 2016

On Sun, 27 Mar 2016 13:48:25 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:

> Aggressive mode is really broken in that retransmission of the
> responder can be needed. In this case:
>    initiator  AggrOutI1 ----->
>                         <----- AggrInI1OutR1   responder
>    initiator  AggrOutI2 -----X  [dropped packet]
> Since the initiator is now "done", it won't retransmit. But the
> responder is not "done" as it is missing the last packet. Before
> this patch, it would retransmit AggrInI1OutR1 but that's exactly
> what we want to avoid as that could be a spoofed packet.
> If the initiator has enabled DPD, the connection will die/restart but
> that might be much later on (eg 30 seconds later)
> Alternatively, we could add some code that checks on the initiator
> side for incoming traffic after a second or two, and if it does not
> see that to retransmit the AggrOutI2 packet.
> Is this worth fixing or not?

I guess this is worth fixing; we do still have this feature (support
for aggressive mode). Adding this logic should really be done in the
initiator code if that is needed.

Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
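
The exchange Paul describes, as an added example that is not part of the
thread and not libreswan code: a small discrete-time model of the
three-message aggressive mode exchange over a lossy "wire", run under the
three policies discussed (nobody retransmits, the responder retransmits
its reply on a timer as before the patch, or the initiator retransmits
AggrOutI2 when no traffic arrives). The state names in the comments are
the ones from the message; the tick granularity, the timer values, the
loss pattern and the assumption that a responder may answer a
retransmitted I1 are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not libreswan code: a discrete-time model of the IKEv1
 * aggressive mode exchange (I1, R1, I2, then ordinary traffic).  Timers,
 * tick granularity and the loss pattern on the "wire" are assumptions. */

struct policy {
    bool responder_retransmits_r1;  /* pre-patch: responder resends its reply on a timer */
    bool initiator_retransmits_i2;  /* proposal: initiator resends I2 if it sees no traffic */
    int  retransmit_after;          /* ticks of silence before a timer-driven retransmit */
};

struct outcome {
    bool responder_done;  /* responder received AggrOutI2 */
    int  r1_sent;         /* AggrInI1OutR1 transmissions (1 = never retransmitted) */
    int  i2_sent;         /* AggrOutI2 transmissions (1 = never retransmitted) */
    int  ticks;           /* ticks until the initiator saw traffic, or max_ticks */
};

struct sim {
    struct policy      pol;
    unsigned long long drop_mask;   /* bit n set: the n-th packet put on the wire is lost */
    int                wire_count;
    bool ini_have_r1, ini_saw_traffic; int ini_silence;  /* initiator: AggrOutI1 -> AggrOutI2 ("done") */
    bool rsp_have_i1, rsp_done;        int rsp_silence;  /* responder: idle -> AggrInI1OutR1 -> done */
    struct outcome out;
};

static bool wire_deliver(struct sim *s)
{
    int n = s->wire_count++;
    return n >= 64 || ((s->drop_mask >> n) & 1ULL) == 0;
}

static void initiator_send_i2(struct sim *s);

static void responder_send_r1(struct sim *s)
{
    s->out.r1_sent++;
    s->rsp_silence = 0;
    if (!wire_deliver(s)) return;
    /* Initiator receives R1.  First time: move to AggrOutI2 and send I2.  A duplicate
     * R1 while already "done" is answered by resending I2; that is how the pre-patch
     * responder retransmission recovered the exchange. */
    s->ini_have_r1 = true;
    initiator_send_i2(s);
}

static void initiator_send_i1(struct sim *s)
{
    s->ini_silence = 0;
    if (!wire_deliver(s)) return;
    /* Responder receives I1 (or a retransmit of it) and answers with R1.
     * Answering a retransmitted request is modelled as always allowed (assumption). */
    s->rsp_have_i1 = true;
    responder_send_r1(s);
}

static void initiator_send_i2(struct sim *s)
{
    s->out.i2_sent++;
    s->ini_silence = 0;
    if (wire_deliver(s)) s->rsp_done = true;
}

static void responder_send_data(struct sim *s)
{
    if (wire_deliver(s)) s->ini_saw_traffic = true;   /* ordinary traffic after the exchange */
}

struct outcome run_exchange(struct policy pol, unsigned long long drop_mask, int max_ticks)
{
    struct sim s = { .pol = pol, .drop_mask = drop_mask };
    int tick = 0;

    initiator_send_i1(&s);                          /* tick 0: exchange starts */
    while (!s.ini_saw_traffic && tick < max_ticks) {
        tick++;
        s.ini_silence++;
        s.rsp_silence++;
        if (!s.ini_have_r1 && s.ini_silence >= pol.retransmit_after)
            initiator_send_i1(&s);                  /* waiting for R1: normal initiator retransmit */
        else if (s.ini_have_r1 && pol.initiator_retransmits_i2 && s.ini_silence >= pol.retransmit_after)
            initiator_send_i2(&s);                  /* "done" but no traffic has arrived: resend I2 */
        if (s.rsp_have_i1 && !s.rsp_done && pol.responder_retransmits_r1 && s.rsp_silence >= pol.retransmit_after)
            responder_send_r1(&s);                  /* pre-patch: reply resent without any new I1 */
        if (s.rsp_done)
            responder_send_data(&s);
    }
    s.out.responder_done = s.rsp_done;
    s.out.ticks = tick;
    return s.out;
}

int main(void)
{
    const unsigned long long LOSE_I2 = 1ULL << 2;   /* packets: 0 = I1, 1 = R1, 2 = I2 (dropped) */
    struct outcome o;
    o = run_exchange((struct policy){ false, false, 3 }, LOSE_I2, 30);
    printf("nobody retransmits:        responder_done=%d after %d ticks\n", o.responder_done, o.ticks);
    o = run_exchange((struct policy){ true, false, 3 }, LOSE_I2, 30);
    printf("responder retransmits R1:  responder_done=%d, R1 sent %d times\n", o.responder_done, o.r1_sent);
    o = run_exchange((struct policy){ false, true, 3 }, LOSE_I2, 30);
    printf("initiator retransmits I2:  responder_done=%d, I2 sent %d times\n", o.responder_done, o.i2_sent);
    o = run_exchange((struct policy){ true, false, 3 }, ~1ULL, 30);   /* spoofed I1: nothing ever comes back */
    printf("spoofed I1, pre-patch:     R1 sent %d times to the spoofed address\n", o.r1_sent);
    return 0;
}
```

With only I2 lost, neither side recovers unless one of them retransmits;
both the pre-patch responder timer and the proposed initiator timer
complete the exchange after one retransmit. The last run shows why the
responder timer is the wrong place for it: a single I1 with a spoofed
source makes the pre-patch responder keep resending its reply to that
address for as long as the state lives, whereas with the timer removed it
answers exactly once.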
