[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections

Paul Wouters paul at nohats.ca
Thu Mar 5 20:23:39 UTC 2020


On Thu, 5 Mar 2020, Antony Antony wrote:

> it is OK to change the default and possibly change back when the bug is fixed.

I don't think so. If a host on the internet has OE with keyingtries=0
and it gets 1 (spoofed) packet from any random host, it will forever try
to send IKE packets to it. That is called a DDoS attack. We had
something similar for an IKEv1 retransmit and people got pretty upset
and called it a CVE.

> BTW: keyingtries=infinite loose enum is ideal:)

keyingtries=%forever is an alias for 0. Yours added a yes/no keyword
with no mapping to 0 and yes mapping to 1 and that complication caused
more troubles, like that workaround for addconn passert :)

Paul
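The setting under discussion, shown side by side in an ipsec.conf fragment. This is an added illustration, not a conn from the libreswan source tree or from the thread; the conn name "oe-example" and the left/right values are assumed for the example, and only the keyingtries= line differs between the two variants.

```ini
# Weak variant: keyingtries=0 (alias %forever) never gives up.
# For an OE conn triggered by unsolicited traffic, one spoofed packet
# leaves the host retransmitting IKE to that address indefinitely.
conn oe-example-forever
    left=%defaultroute
    right=%opportunisticgroup
    authby=null
    ikev2=insist
    auto=ondemand
    keyingtries=0

# Hardened variant: keyingtries=1 makes a single attempt per trigger,
# so a spoofed packet costs at most one IKE exchange plus its
# retransmit budget, after which the attempt is abandoned.
conn oe-example
    left=%defaultroute
    right=%opportunisticgroup
    authby=null
    ikev2=insist
    auto=ondemand
    keyingtries=1
```

Because keyingtries=%forever is just an alias for 0, auditing a configuration for this behaviour means checking for both spellings, not only the numeric form.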
