[Swan-dev] Proposal: Do not retransmit IKEv1 reply for initial responder states
Tuomo Soini
tis at foobar.fi
Mon Mar 28 19:23:54 UTC 2016
On Sun, 27 Mar 2016 13:48:25 -0400 (EDT)
Paul Wouters <paul at nohats.ca> wrote:
> Aggressive mode is really broken in that retransmission of the
> responder can be needed. In this case:
>
> initiator AggrOutI1 ----->
> <----- AggrInI1OutR1 responder
> initiator AggrOutI2 -----X [dropped packet]
>
> Since the initiator is now "done", it won't retransmit. But the
> responder is not "done" as it is missing the last packet. Before
> this patch, it would retransmit AggrInI1OutR1 but that's exactly
> what we want to avoid as that could be a spoofed packet.
>
> If the initiator has enabled DPD, the connection will die/restart but
> that might be much later on (eg 30 seconds later)
>
> Alternatively, we could add some code that checks on the initiator
> side for incoming traffic after a second or two, and if it does not
> see that to retransmit the AggrOutI2 packet.
>
> Is this worth fixing or not?
I guess this is worth fixing; we do still have this feature (support
for aggressive mode). This logic should really be added to the
initiator code, if it is needed.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
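The three-message exchange, the dropped AggrOutI2 and the three recovery policies under discussion, modelled as an added example that is not part of the thread and not libreswan code. It simulates the pre-patch responder (resends AggrInI1OutR1 while waiting), the patched responder (never resends), and the initiator-side check Paul proposes (resend AggrOutI2 if no inbound traffic arrives within a short window). The tick-based clock, the RETRANSMIT_AFTER window, the handling of a duplicate R1 on the initiator, and the DATA packet standing in for traffic over the new SA are all assumptions of the model.

```python
"""Model of IKEv1 aggressive mode: I1 (init->resp), R1 (resp->init), I2 (init->resp).
The second I2 policy demonstrates the initiator-side retransmit proposed in the thread.
Names, timings and the DATA stand-in for post-SA traffic are constructed, not libreswan's."""
from dataclasses import dataclass

RETRANSMIT_AFTER = 2   # ticks of silence before a retransmit (assumed value)
TICKS = 10             # length of each simulated run


@dataclass
class Packet:
    kind: str          # "I1", "R1", "I2" or "DATA"
    src: str           # claimed source address; an attacker can forge it
    dst: str


@dataclass
class Responder:
    retransmit_r1: bool          # pre-patch behaviour: resend R1 while waiting for I2
    state: str = "IDLE"
    peer: str = ""
    idle: int = 0

    def receive(self, pkt):
        if pkt.kind == "I1" and self.state == "IDLE":
            self.state = "AggrInI1OutR1"     # R1 out, waiting for I2
            self.peer, self.idle = pkt.src, 0
            return Packet("R1", "responder", pkt.src)
        if pkt.kind == "I2" and self.state == "AggrInI1OutR1":
            self.state = "DONE"
        return None

    def tick(self):
        if self.state == "DONE":
            return Packet("DATA", "responder", self.peer)   # stand-in for traffic over the SA
        if self.state == "AggrInI1OutR1":
            self.idle += 1
            if self.retransmit_r1 and self.idle >= RETRANSMIT_AFTER:
                self.idle = 0
                return Packet("R1", "responder", self.peer)  # unsolicited; goes wherever I1 claimed
        return None


@dataclass
class Initiator:
    retransmit_i2: bool          # the initiator-side check proposed in the thread
    state: str = "IDLE"
    idle: int = 0
    seen_traffic: bool = False

    def start(self):
        self.state = "AggrOutI1"
        return Packet("I1", "initiator", "responder")

    def receive(self, pkt):
        if pkt.kind == "R1" and self.state == "AggrOutI1":
            self.state = "AggrOutI2"         # initiator considers the exchange finished here
            return Packet("I2", "initiator", "responder")
        if pkt.kind == "R1" and self.state == "AggrOutI2":
            return Packet("I2", "initiator", "responder")  # duplicate R1: peer still waiting (assumed)
        if pkt.kind == "DATA":
            self.seen_traffic = True         # inbound traffic proves the responder completed
        return None

    def tick(self):
        if self.state == "AggrOutI2" and self.retransmit_i2 and not self.seen_traffic:
            self.idle += 1
            if self.idle >= RETRANSMIT_AFTER:
                self.idle = 0
                return Packet("I2", "initiator", "responder")
        return None


def simulate(nodes, inflight, drop_first_i2=False):
    """Deliver packets tick by tick. nodes maps an address to its receiver; packets
    to any other address (a spoofed victim) are counted but delivered nowhere."""
    sent, i2_seen = {}, 0
    for _ in range(TICKS):
        delivered = []
        for pkt in inflight:
            sent[pkt.kind] = sent.get(pkt.kind, 0) + 1
            if pkt.kind == "I2":
                i2_seen += 1
                if drop_first_i2 and i2_seen == 1:
                    continue                 # lost on the wire
            delivered.append(pkt)
        inflight = []
        for pkt in delivered:
            out = nodes[pkt.dst].receive(pkt) if pkt.dst in nodes else None
            if out:
                inflight.append(out)
        for node in nodes.values():
            out = node.tick()
            if out:
                inflight.append(out)
    return {"sent": sent, "states": {a: n.state for a, n in nodes.items()}}


def dropped_i2(responder_retransmit, initiator_retransmit):
    """Normal peer, first I2 lost; returns send counts and final states."""
    init = Initiator(retransmit_i2=initiator_retransmit)
    resp = Responder(retransmit_r1=responder_retransmit)
    return simulate({"initiator": init, "responder": resp}, [init.start()], drop_first_i2=True)


def spoofed_i1(responder_retransmit):
    """One forged I1 claiming to be from 'victim', never followed by I2.
    Returns how many R1 packets the responder fires at the victim."""
    resp = Responder(retransmit_r1=responder_retransmit)
    return simulate({"responder": resp}, [Packet("I1", "victim", "responder")])["sent"].get("R1", 0)


if __name__ == "__main__":
    print("pre-patch (responder resends R1):", dropped_i2(True, False))
    print("patched, no initiator check:     ", dropped_i2(False, False))
    print("patched + initiator resend of I2:", dropped_i2(False, True))
    print("R1s to a spoofed victim, resend on/off:", spoofed_i1(True), spoofed_i1(False))
```

The second run is the case the thread worries about: the responder sits in AggrInI1OutR1 and the initiator in AggrOutI2, and nothing moves until DPD notices. The third run recovers with one extra I2 and still only one R1, while the last line shows why responder-side retransmission was removed: a single forged I1 turns into several unsolicited R1s aimed at whatever address the attacker wrote in the source field.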