On Thu, 5 Mar 2020, Antony Antony wrote:
> it is OK to change the default and possibly change back when bug is fixed.
I don't think so. If a host on the internet has OE with keyingtries=0, if it gets 1 (spoofed) packet from any random host, it will forever try to send IKE packets to it. That is called a DDoS attack. We had something similar for an IKEv1 retransmit and people got pretty upset and called it a CVE.
BTW: keyingtries=infinite loose enum is ideal :)
keyingtries=%forever is an alias for 0. Yours added a yes/no keyword with no mapping to 0 and yes mapping to 1, and that complication caused more troubles, like that workaround for addconn passert :)

Paul
