[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

Antony Antony antony at phenome.org
Tue Mar 3 05:38:08 UTC 2020


On Mon, Mar 02, 2020 at 09:59:58AM -0500, D. Hugh Redelmeier wrote:
> | commit 21100cee5f207c24ee55ad6c612a84a6140ba583
> | Author: Paul Wouters <pwouters at redhat.com>
> | Date:   Sun Mar 1 21:46:17 2020 -0500
> | 
> |     IKEv2: Set keyingtries to 1 for Opportunistic Encryption connections.
> |     
> |     We cannot have unlimited keyingtries for Opportunistic, or else we gain
> |     infinite partial IKE SA's. But also, more than one makes no sense, since
> |     it will be installing a failureshunt (not negotiationshunt) on the 2nd
> |     keyingtry, and try to re-install another negotiationshunt, ad nauseam.
> 
> Why would keyingtries have been set to something other than 1?
> 
> Either it has the default (0) or something explicitly set by the user 
> (which could be 0).
> 
> It seems to me that we should let the user set the value.

+1. I prefer, when a user sets a non-default value, to add a warning that this
would eat resources, and not to override it.

> We certainly should not silently override a setting made by the user.
> 
> We should change the default for OE to 1.
> 
> At a minimum, if we override a value that the user specified, we
> should issue a diagnostic (warning? error?).

I prefer that pluto does not override explicit user settings. If the user sets a
non-default value, pluto should not replace it, with a warning or not!

Think of small mesh settings, where it is OK to try infinitely, just like a
regular connection. Also, such heuristics make it harder to debug.
This seems too biased towards the 0/0 case, which we should help by setting the default.
