[Swan-dev] redirect and cookies

Paul Wouters paul at nohats.ca
Tue Jul 21 01:42:11 UTC 2020


On Sun, 12 Jul 2020, Vukasin Karadzic wrote:

I pushed a change so that redirect only finds established IKE SAs to
redirect and not IPsec SAs. I've updated the tests that showed some
minor output changes.

Other than man page entry verification, I think the feature is done for
now?

Although I'm a little puzzled by the support for DDOS COOKIE along with
REDIRECT in IKE_SA_INIT. The RFC does not mention cookies, so no
guidance there.

Possible scenarios:

1) server is too busy but no DDOS, sends redirects to everyone in IKE_SA_INIT
2) server is too busy but no DDOS, sends redirects for specific connection in IKE_AUTH

These don't do any COOKIES. Now there is a DDOS attack:

3) server is too busy due to DDOS, requiring cookies but then still serving clients without redirect
4) server is too busy due to DDOS, requiring cookies but then redirecting some connections in IKE_AUTH
5) server is too busy due to DDOS, requiring cookies and then redirecting everyone in IKE_SA_INIT
6) server is too busy due to DDOS, not requiring cookies and still sending redirects to everyone in IKE_SA_INIT

The question is, does 5) gain us anything over 6)? In both cases we
don't care about their packet content, we are just sending them all away.

I guess at this point, we support it all because the two methods don't
look at each other. And someone (Andrew?) ensured we handle the cases
where both cookie and redirect happen.

Generating the cookie is pretty cheap, so I don't think it matters much.
So I think I'm okay with the current method. But if anyone thinks we
should maybe not support 5), please speak out. I could be convinced.

Paul

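The scenarios enumerated above, as an added illustration that is not libreswan code and not from this thread: a toy IKEv2 responder whose IKE_SA_INIT handling models the "require cookie" and "redirect everyone" policies, so the cost difference between scenario 5) and 6) (an extra exchange plus a cookie computation before the REDIRECT) can be counted. The cookie is an HMAC variant of the RFC 7296 section 2.6 construction over Ni | IPi | SPIi; Policy, Responder and run_scenario are hypothetical names, and the gateway name is a placeholder.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Policy:
    require_cookie: bool   # DDoS mode: demand a stateless cookie first
    redirect_all: bool     # "too busy": send every initiator elsewhere

class Responder:
    def __init__(self, policy):
        self.policy = policy
        self.secret_version = 1          # <VersionIDofSecret> prefix
        self.secret = os.urandom(32)     # constructed per-run secret
        self.work = []                   # trace of responder actions

    def make_cookie(self, ni, ipi, spii):
        # Stateless cookie: version byte | HMAC(secret, Ni | IPi | SPIi)
        mac = hmac.new(self.secret, ni + ipi + spii, hashlib.sha256).digest()
        return bytes([self.secret_version]) + mac[:16]

    def handle_sa_init(self, ni, ipi, spii, cookie=None):
        """Answer one IKE_SA_INIT request with (notify_kind, payload)."""
        if self.policy.require_cookie:
            expected = self.make_cookie(ni, ipi, spii)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                self.work.append("cookie-computed")
                return ("COOKIE", expected)      # initiator must retry
            self.work.append("cookie-verified")
        if self.policy.redirect_all:
            self.work.append("redirect-sent")
            return ("REDIRECT", b"gw2.example.invalid")  # placeholder gateway
        self.work.append("sa-init-processed")
        return ("OK", None)

def run_scenario(policy):
    """Drive one well-behaved initiator; return (exchanges, outcome, trace)."""
    r = Responder(policy)
    ni, ipi, spii = os.urandom(32), b"\x0a\x00\x00\x05", os.urandom(8)
    cookie, exchanges = None, 0
    while True:
        exchanges += 1
        kind, data = r.handle_sa_init(ni, ipi, spii, cookie)
        if kind == "COOKIE":
            cookie = data          # echo the cookie and try again
            continue
        return exchanges, kind, r.work
```

Scenario 5) is Policy(require_cookie=True, redirect_all=True) and scenario 6) is Policy(require_cookie=False, redirect_all=True); the trace shows what the responder did before the initiator was sent away.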