On Sun, 27 Mar 2016 13:48:25 -0400 (EDT) Paul Wouters <[email protected]> wrote:
> Aggressive mode is really broken in that retransmission of the
> responder can be needed. In this case:
>
> initiator AggrOutI1 ----->
>                <----- AggrInI1OutR1 responder
> initiator AggrOutI2 -----X [dropped packet]
>
> Since the initiator is now "done", it won't retransmit. But the
> responder is not "done" as it is missing the last packet. Before
> this patch, it would retransmit AggrInI1OutR1 but that's exactly
> what we want to avoid as that could be a spoofed packet.
>
> If the initiator has enabled DPD, the connection will die/restart but
> that might be much later on (eg 30 seconds later)
>
> Alternatively, we could add some code that checks on the initiator
> side for incoming traffic after a second or two, and if it does not
> see that to retransmit the AggrOutI2 packet.
>
> Is this worth fixing or not?

I guess this is worth fixing, we do have this feature still (support for
aggressive mode). This logic should really be added to the initiator
code if that is needed.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
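The three-message exchange and the dropped AggrOutI2 packet discussed above, modeled as an added example (this is illustrative code written for this thread, not libreswan's pluto code and not from either poster). It is a tick-based simulation with these assumptions: a hypothetical retransmit timer of two ticks and a retry cap; a constructed "ESP" message standing in for the "incoming traffic" the initiator would watch for once the responder's SA is up; and, for the pre-patch behaviour, the initiator answering a duplicate AggrInI1OutR1 by resending AggrOutI2 (a modeling choice, not a claim about pluto's duplicate handling). Three runs show the stuck state with no retransmission at all, the proposed initiator-side fix, and the responder-side retransmission the patch removed.

```python
from dataclasses import dataclass, field

# Message names taken from the diagram in the thread.
I1, R1, I2 = "AggrOutI1", "AggrInI1OutR1", "AggrOutI2"
ESP = "ESP"  # constructed stand-in for protected traffic sent once the responder's SA is up

RETRANSMIT_AFTER = 2  # hypothetical: ticks without a reply before retransmitting
MAX_RETRIES = 3       # hypothetical: cap on retransmissions per side


@dataclass
class Trace:
    sent: list = field(default_factory=list)     # (tick, sender, message)
    dropped: list = field(default_factory=list)  # messages lost on the link


def count(trace, msg):
    """Number of times `msg` was put on the wire (including lost copies)."""
    return sum(1 for _, _, m in trace.sent if m == msg)


def run_exchange(drop, initiator_retransmits_i2, responder_retransmits_r1, ticks=12):
    """Simulate aggressive mode over a lossy link.

    drop: {message: number of copies to lose}, earliest copies are lost first.
    initiator_retransmits_i2: the fix proposed in the thread (initiator resends
        I2 until it sees traffic from the peer).
    responder_retransmits_r1: the pre-patch behaviour the thread wants to avoid.
    Returns (initiator_done, responder_done, trace).
    """
    drop = dict(drop)
    trace = Trace()
    inflight = []  # sent this tick, delivered next tick

    ini = {"done": False, "i2_at": None, "retries": 0, "peer_alive": False}
    rsp = {"state": "IDLE", "r1_at": None, "retries": 0}

    def send(tick, who, msg):
        trace.sent.append((tick, who, msg))
        if drop.get(msg, 0) > 0:
            drop[msg] -= 1
            trace.dropped.append((tick, who, msg))
            return
        inflight.append((who, msg))

    send(0, "initiator", I1)
    for tick in range(1, ticks + 1):
        delivered, inflight = inflight, []
        for who, msg in delivered:
            if who == "initiator":  # responder side receives
                if msg == I1 and rsp["state"] == "IDLE":
                    rsp["state"], rsp["r1_at"] = "WAIT_I2", tick
                    send(tick, "responder", R1)
                elif msg == I2 and rsp["state"] == "WAIT_I2":
                    rsp["state"] = "DONE"
                    send(tick, "responder", ESP)  # SA is up: traffic flows
            else:  # initiator side receives
                if msg == R1 and not ini["done"]:
                    ini["done"], ini["i2_at"] = True, tick
                    send(tick, "initiator", I2)  # initiator considers itself done here
                elif msg == R1 and ini["done"]:
                    send(tick, "initiator", I2)  # modeled: duplicate R1 -> resend last packet
                elif msg == ESP:
                    ini["peer_alive"] = True     # "incoming traffic" seen: stop retransmitting

        # Proposed fix: initiator keeps an eye on the link after sending I2.
        if (initiator_retransmits_i2 and ini["done"] and not ini["peer_alive"]
                and tick - ini["i2_at"] >= RETRANSMIT_AFTER
                and ini["retries"] < MAX_RETRIES):
            ini["retries"] += 1
            ini["i2_at"] = tick
            send(tick, "initiator", I2)

        # Pre-patch behaviour: responder retransmits R1 while waiting for I2.
        if (responder_retransmits_r1 and rsp["state"] == "WAIT_I2"
                and tick - rsp["r1_at"] >= RETRANSMIT_AFTER
                and rsp["retries"] < MAX_RETRIES):
            rsp["retries"] += 1
            rsp["r1_at"] = tick
            send(tick, "responder", R1)

    return ini["done"], rsp["state"] == "DONE", trace


if __name__ == "__main__":
    for label, fix, old in [("no retransmit", False, False),
                            ("initiator fix", True, False),
                            ("pre-patch responder", False, True)]:
        i_done, r_done, tr = run_exchange({I2: 1}, fix, old)
        print(f"{label:20s} initiator_done={i_done} responder_done={r_done} "
              f"I2 sent={count(tr, I2)} R1 sent={count(tr, R1)}")
```

With one lost AggrOutI2 and neither side retransmitting, the initiator reports done while the responder never completes, which is the state the thread describes. The initiator-side timer completes the exchange with a single AggrInI1OutR1 on the wire, whereas the pre-patch responder timer completes it only by putting a second AggrInI1OutR1 on the wire.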
