[Openswan dev] Re: [Openswan Users] Xauth Client extensions
Henrik Nordstrom
hno at marasystems.com
Wed Apr 7 01:38:11 CEST 2004
On Tue, 6 Apr 2004 mcr at xelerance.com wrote:
> So, we will not put aggressive mode support into openswan 2.x until we
> can:
>
> 1) put in both initiator and responder support
Both should be supported by OpenSWAN 1.0. Was supported in Super
Free/SWAN. The Aggressive mode implementation was always primarily tested
using Free/SWAN during the patch integration.
There was some minor issues in key management which was noticeable in
responder mode, but my understanding is that these have all been fixed by
now. Maybe I am wrong.
Unfortunately due to other evenrs I have not been able to keep track of
OpenSWAN as much as I'd hoped.
> 2) implement CPU limits on responder support such that
> a DoS is not so trivial to cause.
Always good.
> The hard part is the CPU limits - we have to change pluto such that it
> it knows how much diffie-hellman work it has done, knows how much of its
> timeslice is left, and can suspend computation on aggressive mode
> clients and return to regular work.
Isn't similar limits needed on main mode negotiations? Both need the same
amount of DH calculations don't they? I admit it was long since I worked
on aggressive mode, but I do not recall aggressive mode being different in
this regard..
Regards
Henrik
More information about the Dev
mailing list