[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections
paul at nohats.ca
Tue Mar 3 20:05:46 UTC 2020
On Tue, 3 Mar 2020, Paul Wouters wrote:
> Current shunt handling cannot deal with this, as the second keyingtries sometimes tries to install a second shunt, which sometimes “works” due to not being widened. This is causing customer issues that are resolved by setting it to 0.
I meant "resolved by setting it to 1".
> It is also unclear which if any shunt should be installed during keyingtries > 1
> Also, if your mesh is symmetric, it doesn’t actually help to try infinitely against a host that doesn’t have it. If that host gains it, the first plaintext will trigger that host to do OE, so there isn’t a delay in not having keyingtries=0 - you gain nothing from the infinite attempts.
Since there might be a better recovery for "private" conns with more
than 1 keyingtries, I changed it so that only keyingtries=0 is changed
to 1. If it is larger than 1, we leave it untouched. However, note that
this currently will run into shunt issues, so I do not recommend it now.