[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

Antony Antony antony at phenome.org
Thu Mar 5 18:59:47 UTC 2020

On Tue, Mar 03, 2020 at 03:05:46PM -0500, Paul Wouters wrote:
> On Tue, 3 Mar 2020, Paul Wouters wrote:
> > Current shunt handling cannot deal with this, as the second keyingtries sometimes tries to install a second shunt, which sometimes “works” due to not being widened. This is causing customer issues that at resolved by setting it to 0.
> I meant "resolved by setting it to 1".
> > It is also unclear which if any shunt should be installed during keyingtries > 1
> > 
> > Also, if your mesh is symmetric, it doesn’t actually help to try infinitely against a host that doesn’t have it. If that host gains it, the first plaintext will trigger that host to do OE, so there isn’t a delay in not having keyingtries=0 - you gain nothing from the infinite attempts.
> Since there might be a better recovery for "private" conns with more
> than 1 keyingtries, I changed it so that only keyingtries=0 is changed
> to 1. If it is larger than 1, we leave it untouched. However, note that
> this currently will run into shunt issues, so I do not recommend it now.

it is OK to change the default and possibly change back when bug is fixed.  
To me current behaviour sounds like overriding the user setting of 0. If 
user set 0 => infinite try. From what I read here, pluto will override to 1.  
My preference leave it to zero.  However, if the user has not set it, for OE 
initiator change to 1. 

In the current situation how would user set high number? 99999, and not 0. 

BTW: keyingtries=infinite loose enum is ideal:) 

More information about the Swan-dev mailing list