On Wed, 26 Aug 2015, D. Hugh Redelmeier wrote:
> | From: Antony Antony <[email protected]>
> | I am wondering, wouldn't this situation be avoided by enabling "initial-contact"?
> It is an article of faith that initial-contact is an invitation to DoS
> and should be ignored. For this to be true, it must not be
> authenticated, and I don't remember whether this is the case (and I
> cannot check at the moment).
It is not authenticated, but you can remember the payload and once the
connection has authenticated, you can kill the old one based on having
received the payload.
But if you run with uniqueids=yes (the default) then I think we already
do this regardless of seeing the initial-contact. Perhaps there is a
race condition here?
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
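The handling Paul describes (remember the unauthenticated initial-contact notify, act on it only after the peer has authenticated) next to the uniqueids=yes behaviour, as an added illustration. This is a toy model written for this page, not Libreswan code: the `Responder`, `Pending`, SPI numbers and `CN=alice` identity are all constructed, and the model collapses the IKE exchange into one unauthenticated message followed by one AUTH verdict.

```python
# Added example (not Libreswan code): a toy IKE responder that records an
# unauthenticated INITIAL_CONTACT notify but only acts on it once the peer's
# AUTH has verified, alongside the uniqueids=yes replacement behaviour.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Pending:
    """A half-open exchange. 'claimed_id' is the ID the initiator sent; it is
    untrusted until AUTH verifies it (hypothetical simplified model)."""
    spi: int
    claimed_id: str
    initial_contact: bool


class Responder:
    def __init__(self, uniqueids: bool = True):
        self.uniqueids = uniqueids
        self.established: Dict[int, str] = {}   # IKE SPI -> authenticated peer ID
        self.pending: Dict[int, Pending] = {}

    def on_unauthenticated(self, spi: int, claimed_id: str,
                           initial_contact: bool) -> None:
        """First message: remember the notify, never delete anything yet.
        Deleting here is the DoS: anyone can claim an ID before AUTH."""
        self.pending[spi] = Pending(spi, claimed_id, initial_contact)

    def on_auth(self, spi: int, auth_ok: bool) -> List[int]:
        """AUTH outcome for a pending exchange. Returns SPIs of old SAs deleted."""
        p = self.pending.pop(spi)
        if not auth_ok:
            return []                        # spoofer: nothing is touched
        # claimed_id is now the authenticated identity, so the remembered
        # INITIAL_CONTACT (or uniqueids=yes) may replace that ID's older SAs.
        killed: List[int] = []
        if p.initial_contact or self.uniqueids:
            killed = [old for old, ident in self.established.items()
                      if ident == p.claimed_id and old != spi]
            for old in killed:
                del self.established[old]
        self.established[spi] = p.claimed_id
        return killed


def run_scenarios() -> Dict[str, List[int]]:
    """Constructed scenarios; returns which old SPIs each step deleted."""
    out: Dict[str, List[int]] = {}

    r = Responder(uniqueids=False)
    r.on_unauthenticated(1, "CN=alice", initial_contact=False)
    r.on_auth(1, auth_ok=True)                      # alice is up on SPI 1
    # Attacker claims alice's ID and sets INITIAL_CONTACT but fails AUTH.
    r.on_unauthenticated(2, "CN=alice", initial_contact=True)
    out["spoofed_ic_fails_auth"] = r.on_auth(2, auth_ok=False)
    # Real alice reconnects after a reboot with INITIAL_CONTACT: old SA goes.
    r.on_unauthenticated(3, "CN=alice", initial_contact=True)
    out["genuine_ic"] = r.on_auth(3, auth_ok=True)
    # No INITIAL_CONTACT and uniqueids=no: both SAs for alice coexist.
    r.on_unauthenticated(4, "CN=alice", initial_contact=False)
    out["no_ic_uniqueids_no"] = r.on_auth(4, auth_ok=True)

    u = Responder(uniqueids=True)                   # the default Paul refers to
    u.on_unauthenticated(1, "CN=alice", initial_contact=False)
    u.on_auth(1, auth_ok=True)
    u.on_unauthenticated(2, "CN=alice", initial_contact=False)
    out["no_ic_uniqueids_yes"] = u.on_auth(2, auth_ok=True)   # replaced anyway
    return out


if __name__ == "__main__":
    for name, killed in run_scenarios().items():
        print(f"{name}: deleted {killed}")
```

The point of the ordering in `on_auth` is that the deletion decision is keyed on the identity that AUTH just proved, not on the ID payload as received; the spoofed notify is therefore harmless, and with uniqueids=yes the replacement happens whether or not the notify was ever seen.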