[Swan-dev] when to abort retransmits?
Paul Wouters
paul at nohats.ca
Tue May 22 15:01:01 UTC 2018
On Tue, 22 May 2018, Andrew Cagney wrote:
> The same packet len, or the same packet? It doesn't take much for
> fragments to all be the same size.
> Per earlier post, pluto, looking at send_recorded_v2_ike_msg() should
> send all the fragments (unfortunately there's no debug log to confirm
> this, just lots of same-sized sends).
I don't know. I will see if I still have the logs.
> However, where pluto is screwing up is by not also checking the
> fragment number. It should only re-transmit on reception of the first
> (or last?) fragment. Sending all fragments back for every fragment
> received is excessive.
Possibly it should wait until it has received a whole list of fragments?
> You're suspecting that the iPhone can't decrypt the fragmented reply,
No. I think it can decrypt it fine, but didn't like the content. For
example an AUTH failure of the responder.
> or never gets one of the fragments? If the iPhone did receive all the
> fragments but didn't like the auth then it should come back with a new
> informational(delete) exchange.
Depends on the kind of AUTH failure? If it is a CA it doesn't trust,
sure. But if the AUTH failed integrity, then perhaps the packet was
mangled and it should try and get a new copy via retransmit?
Paul
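The thread above compares three responder behaviours for an already-answered, fragmented IKEv2 request: retransmit the recorded reply on every received fragment (what Andrew describes pluto doing), only on the first fragment (his suggestion), or only once the full set of request fragments has been seen (Paul's suggestion). The simulation below is an added example written for this archive page; it is not pluto code and models none of libreswan's data structures. It assumes RFC 7383 style 1-based fragment numbers with a total count in every fragment, a single recorded reply of `reply_frags` fragments, and a per-exchange retransmit budget (`cap`), all of which are constructed for the example. It shows the amplification and budget-exhaustion point in concrete numbers: a single retransmitted 4-fragment request triggers 20 reply fragments under the "every" policy (or burns the whole retransmit budget when capped), versus 5 under either of the other two, and it also exposes the loss case the "(or last?)" question is about.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Fragment:
    """A received Encrypted Fragment header (constructed; RFC 7383 numbering, 1-based)."""
    msg_id: int
    frag_num: int
    total: int


@dataclass
class Responder:
    """Toy responder that has already sent a fragmented reply and now sees the
    request being retransmitted fragment by fragment. Not pluto's logic."""
    recorded_reply: List[bytes]          # the fragments of our earlier reply
    policy: str = "first"                # "every", "first" or "complete"
    max_retransmits: int = 3             # per-exchange retransmit budget (assumed)
    retransmits: int = 0
    seen: Set[int] = field(default_factory=set)   # request fragments seen so far
    wire: List[bytes] = field(default_factory=list)  # everything we put on the wire

    def on_fragment(self, frag: Fragment) -> int:
        """Handle one fragment of an already-answered request.
        Returns the number of reply fragments sent in response to it."""
        if self.retransmits >= self.max_retransmits:
            return 0                      # budget exhausted: stay silent
        self.seen.add(frag.frag_num)

        if self.policy == "every":
            trigger = True                # blind: any fragment replays the whole reply
        elif self.policy == "first":
            trigger = frag.frag_num == 1  # only the first fragment is a trigger
        elif self.policy == "complete":
            trigger = len(self.seen) == frag.total  # wait for the whole request
            if trigger:
                self.seen.clear()         # next full set may trigger again
        else:
            raise ValueError(f"unknown policy {self.policy!r}")

        if not trigger:
            return 0
        self.retransmits += 1
        self.wire.extend(self.recorded_reply)
        return len(self.recorded_reply)


def simulate(policy: str, arriving: List[int], request_frags: int,
             reply_frags: int = 5, cap: int = 3) -> Tuple[int, int]:
    """Feed the responder the listed request fragment numbers (in arrival order)
    and return (reply fragments sent, retransmit budget consumed)."""
    reply = [f"reply-frag-{i}".encode() for i in range(1, reply_frags + 1)]
    r = Responder(recorded_reply=reply, policy=policy, max_retransmits=cap)
    sent = 0
    for n in arriving:
        sent += r.on_fragment(Fragment(msg_id=1, frag_num=n, total=request_frags))
    return sent, r.retransmits


if __name__ == "__main__":
    full = [1, 2, 3, 4]          # a 4-fragment request retransmitted in full
    lost_first = [2, 3, 4]       # same request, but fragment 1 never arrives
    for pol in ("every", "first", "complete"):
        print(f"{pol:9s} full set  -> sent={simulate(pol, full, 4)}")
        print(f"{pol:9s} lost #1   -> sent={simulate(pol, lost_first, 4)}")
    print("every, uncapped ->", simulate("every", full, 4, cap=10))
```

Under "every" with no cap, one retransmitted request costs the responder request_frags * reply_frags sends; with the cap it instead spends the whole retransmit budget on the first few fragments of one request, so later genuine retransmits get nothing. "first" and "complete" send the reply once, but both go silent if the trigger fragment (or any fragment, for "complete") is lost, which is the trade-off the "(or last?)" aside points at.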