[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

D. Hugh Redelmeier hugh at mimosa.com
Mon Mar 2 14:59:58 UTC 2020


| commit 21100cee5f207c24ee55ad6c612a84a6140ba583
| Author: Paul Wouters <pwouters at redhat.com>
| Date:   Sun Mar 1 21:46:17 2020 -0500
| 
|     IKEv2: Set keyingtries to 1 for Opportunistic Encryption connections.
|     
|     We cannot have unlimited keyingtries for Opportunistic, or else we gain
|     infinite partial IKE SAs. But also, more than one makes no sense, since
|     it will be installing a failureshunt (not negotiationshunt) on the 2nd
|     keyingtry, and try to re-install another negotiationshunt, ad nauseam.

Why would keyingtries have been set to something other than 1?

Either it has the default (0) or something explicitly set by the user
(which could be 0).

It seems to me that we should let the user set the value.  We certainly
should not silently override a setting made by the user.

We should change the default for OE to 1.

At a minimum, if we override a value that the user specified, we
should issue a diagnostic (warning? error?).