Hi,

> I'll have a look what's the best approach to implement a fix.

A patch has gone into SVN, see [1]. This should fix a potential DoS
attack scenario on the pool.
However, there is still no guarantee for this uniqueness check. A peer
can still set up multiple IKE_SAs at the same time, but subsequent
attempts will delete established SAs. The number of simultaneously set
up SAs is limited by other DoS protection mechanisms: This will limit a
potential attack to currently 5 pool addresses per client.

It might be difficult to apply the patch to older releases, as we have
done a lot of refactorings in that code. It's probably easier to wait
for 4.2.10 (next week?!).

Regards
Martin

[1] http://trac.strongswan.org/changeset/4810
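As an added illustration of the behaviour Martin describes above (not code from the strongSwan tree, and not the changeset linked in [1]), the toy model below replays an IKE_SA flood from one client against an address pool with and without a peer-uniqueness check. The check is modelled as running during IKE_AUTH processing and tearing down only SAs of the same peer that are already established, so SAs that are still negotiating slip through; the half-open limit of 5 SAs per peer, the pool size of 16 and the peer identity are assumed values chosen for the example.

```python
"""Toy model of an IKE address pool under a client that floods IKE_SAs.

Constructed illustration written for this page; it is not strongSwan's pool,
IKE_SA manager or uniqueness-check code. HALF_OPEN_LIMIT, POOL_SIZE and the
peer identity are assumed values.
"""

HALF_OPEN_LIMIT = 5   # assumed: SAs one peer may have in negotiation at once
POOL_SIZE = 16        # constructed small pool so exhaustion is easy to see


class Pool:
    """Address pool plus the minimal SA state needed to show the check."""

    def __init__(self, size, uniqueness_check):
        self.free = [f"10.0.0.{i}" for i in range(1, size + 1)]
        self.uniqueness_check = uniqueness_check
        self.negotiating = {}   # sa_id -> peer; passed the check, no address yet
        self.established = {}   # sa_id -> (peer, address)

    def negotiate(self, peer, sa_id):
        """IKE_AUTH processing. With the check enabled, every *established* SA of
        the same peer is deleted and its address returned to the pool. SAs that
        are themselves still negotiating are not touched: that is the window in
        which one peer can still end up with several leases."""
        if self.uniqueness_check:
            for old_sa, (old_peer, addr) in list(self.established.items()):
                if old_peer == peer:
                    del self.established[old_sa]
                    self.free.append(addr)
        self.negotiating[sa_id] = peer

    def establish(self, sa_id):
        """Complete the SA and lease an address; None if the pool is exhausted."""
        peer = self.negotiating.pop(sa_id)
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.established[sa_id] = (peer, addr)
        return addr

    def leased_to(self, peer):
        """Addresses currently held by `peer` through established SAs."""
        return sorted(a for p, a in self.established.values() if p == peer)


def flood(pool, peer, attempts):
    """Attacker opens `attempts` IKE_SAs from one identity. The half-open limit
    lets at most HALF_OPEN_LIMIT negotiate concurrently; every SA of a batch
    passes the check before any member of the batch completes."""
    for start in range(0, attempts, HALF_OPEN_LIMIT):
        batch = range(start, min(start + HALF_OPEN_LIMIT, attempts))
        for sa_id in batch:
            pool.negotiate(peer, sa_id)
        for sa_id in batch:
            pool.establish(sa_id)
    return len(pool.leased_to(peer))


def addresses_held(uniqueness_check, attempts=40):
    """Number of pool addresses one flooding client holds after `attempts` SAs."""
    pool = Pool(POOL_SIZE, uniqueness_check)
    return flood(pool, "peer@example.org", attempts)   # constructed identity


if __name__ == "__main__":
    print("without check:", addresses_held(False))   # whole pool: 16
    print("with check:   ", addresses_held(True))    # bounded by half-open limit: 5
```

Without the check the single client drains the whole pool; with it, each new batch tears down the previous batch's SAs, so the client never holds more than the half-open limit's worth of addresses, which matches the "5 pool addresses per client" bound in the mail.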



_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
