[Openswan dev] Re: [Openswan Users] Xauth Client extensions

Henrik Nordstrom hno at marasystems.com
Wed Apr 7 01:38:11 CEST 2004


On Tue, 6 Apr 2004 mcr at xelerance.com wrote:

> So, we will not put aggressive mode support into openswan 2.x until we
> can:
>
> 1) put in both initiator and responder support

Both should be supported by OpenSWAN 1.0. It was supported in Super 
Free/SWAN. The Aggressive mode implementation was always primarily tested 
using Free/SWAN during the patch integration.

There were some minor issues in key management which were noticeable in 
responder mode, but my understanding is that these have all been fixed by 
now. Maybe I am wrong.

Unfortunately, due to other events I have not been able to keep track of 
OpenSWAN as much as I'd hoped.

> 2) implement CPU limits on responder support such that
> a DoS is not so trivial to cause.

Always good.

> The hard part is the CPU limits - we have to change pluto such that it
> knows how much diffie-hellman work it has done, knows how much of its
> timeslice is left, and can suspend computation on aggressive mode
> clients and return to regular work.

Aren't similar limits needed on main mode negotiations? Both need the same
amount of DH calculations, don't they? I admit it has been a long time since I
worked on aggressive mode, but I do not recall aggressive mode being different
in this regard.

Regards
Henrik
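The per-timeslice DH work budget that the quoted message proposes for pluto, modelled as an added example (constructed for this page, not Openswan or pluto code): the responder tracks how much Diffie-Hellman work it has done in the current timeslice, suspends further aggressive-mode computations once the budget is spent, keeps serving regular work, and resumes the suspended peers when a new timeslice starts. The cost and budget units, the `Responder` class and `simulate` are assumptions of the example.

```python
"""Model of a per-timeslice Diffie-Hellman work budget for an IKE responder.
Constructed example; not Openswan/pluto code. Costs and budgets are assumed units."""
from collections import deque
from dataclasses import dataclass, field

DH_COST = 10  # assumed work units for one Diffie-Hellman exponentiation


@dataclass
class Responder:
    timeslice_budget: int                  # DH work units allowed per timeslice
    used: int = 0                          # DH work done so far in this timeslice
    aggressive_queue: deque = field(default_factory=deque)  # suspended aggressive-mode peers
    completed: list = field(default_factory=list)           # (peer, mode) pairs computed

    def handle(self, peer: str, mode: str) -> str:
        """Process one exchange that needs a DH computation.
        Regular (main mode) work always proceeds; aggressive-mode responder work
        is suspended once the timeslice budget would be exceeded, so a burst of
        aggressive-mode requests cannot monopolise the CPU."""
        if mode == "aggressive" and self.used + DH_COST > self.timeslice_budget:
            self.aggressive_queue.append(peer)
            return "suspended"
        self.used += DH_COST
        self.completed.append((peer, mode))
        return "computed"

    def new_timeslice(self) -> int:
        """Start a fresh timeslice and resume suspended aggressive-mode work
        while budget remains. Returns the number of resumed computations."""
        self.used = 0
        resumed = 0
        while self.aggressive_queue and self.used + DH_COST <= self.timeslice_budget:
            peer = self.aggressive_queue.popleft()
            self.used += DH_COST
            self.completed.append((peer, "aggressive"))
            resumed += 1
        return resumed


def simulate():
    """Constructed scenario: a burst of five aggressive-mode peers, then one main-mode peer."""
    r = Responder(timeslice_budget=30)
    results = [r.handle(f"agg{i}", "aggressive") for i in range(5)]
    results.append(r.handle("main1", "main"))   # regular work is not deferred
    resumed = r.new_timeslice()                  # deferred peers get served next timeslice
    return results, resumed, len(r.aggressive_queue)
```

With a budget of three DH computations, the fourth and fifth aggressive-mode peers are suspended rather than dropped, and both are resumed in the next timeslice.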


