[Swan-dev] Set keyingtries to 1 for Opportunistic Encryption connections
Paul Wouters
paul at nohats.ca
Thu Mar 5 20:23:39 UTC 2020
On Thu, 5 Mar 2020, Antony Antony wrote:
> it is OK to change the default and possibly change back when the bug is fixed.
I don't think so. If a host on the internet has OE with keyingtries=0
and it gets 1 (spoofed) packet from any random host, it will forever try
to send IKE packets to it. That is called a DDoS attack. We had
something similar for an IKEv1 retransmit and people got pretty upset
and called it a CVE.
> BTW: keyingtries=infinite loose enum is ideal :)
keyingtries=%forever is an alias for 0. Yours added a yes/no keyword
with no mapping to 0 and yes mapping to 1 and that complication caused
more troubles, like that workaround for addconn passert :)
Paul
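As an added illustration (not from the thread and not libreswan's shipped OE configuration), the setting under discussion placed in an ipsec.conf-style Opportunistic Encryption connection; the conn name, the shunt choices and the other keywords shown are assumed here, and keyingtries=1 is the value argued for above:

```ini
# Added example, not from the thread. Assumes a libreswan-style OE conn in
# /etc/ipsec.conf or /etc/ipsec.d/*.conf, with the peers it applies to listed
# in the policy group file /etc/ipsec.d/policies/private-or-clear (assumed path).
conn private-or-clear
	left=%defaultroute
	leftid=%null
	right=%opportunisticgroup
	rightid=%null
	authby=null
	# while IKE is being negotiated and after it fails, traffic passes in the clear
	negotiationshunt=passthrough
	failureshunt=passthrough
	# the conn is instantiated on demand, i.e. triggered by traffic for a peer
	auto=ondemand
	# Weak setting (the default being discussed): keyingtries=0, alias %forever,
	# lets every triggered instance retry IKE indefinitely against a peer that
	# may never answer. Do not use this on an OE conn:
	#   keyingtries=0
	# Bounded setting: one attempt per trigger, after which the failureshunt
	# policy applies and no further IKE packets are sent to that peer.
	keyingtries=1
```

The bound matters only for conns instantiated by traffic (auto=ondemand); a statically configured site-to-site conn can reasonably keep retrying.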