[Openswan dev] Re: [Openswan Users] Xauth Client extensions

Ken Bantoft ken at xelerance.com
Wed Apr 7 05:48:28 CEST 2004




On Wed, 7 Apr 2004, Henrik Nordstrom wrote:

> On Tue, 6 Apr 2004 mcr at xelerance.com wrote:
> 
> > So, we will not put aggressive mode support into openswan 2.x until we
> > can:
> >
> > 1) put in both initiator and responder support
> 
> Both should be supported by OpenSWAN 1.0. Was supported in Super 
> Free/SWAN. The Aggressive mode implementation was always primarily tested 
> using Free/SWAN during the patch integration.

AFAIK, this is true - all of your patches are in Openswan 1.x tree.  
Nothing has been ported up to 2.x, however I do have a 1st cut patch in my 
inbox from someone.  It doesn't apply cleanly to HEAD, and doesn't compile 
yet either, but it's a start.

> There were some minor issues in key management which were noticeable in 
> responder mode, but my understanding is that these have all been fixed by 
> now. Maybe I am wrong.
> 
> Unfortunately, due to other events I have not been able to keep track of 
> OpenSWAN as much as I'd hoped.
> 
> > 2) implement CPU limits on responder support such that
> > a DoS is not so trivial to cause.
> 
> Always good.
> 
> > The hard part is the CPU limits - we have to change pluto such that it
> > knows how much diffie-hellman work it has done, knows how much of its
> > timeslice is left, and can suspend computation on aggressive mode
> > clients and return to regular work.
> 
> Aren't similar limits needed on main mode negotiations? Both need the same
> amount of DH calculations, don't they? I admit it has been a long time since I worked 
> on aggressive mode, but I do not recall aggressive mode being different in 
> this regard.

It's primarily a DoS/CPU eating attack that is possible, as an evil client 
could initiate many aggressive mode connections for which DH would need to 
be done on each one. 


-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson
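The CPU-limit idea Michael describes above (pluto tracking how much DH work it has done, suspending aggressive-mode computation when its timeslice is spent, and returning to regular work) as a small simulation. This is an added example, not Openswan or pluto code; the DH group, exponents, checkpoint interval and per-slice step budget are constructed, and the scheduler is a round-robin toy rather than pluto's actual event loop.

```python
# Added example (not pluto code): preemptible responder DH work for aggressive mode.
from collections import deque

def resumable_modexp(base, exp, mod, chunk_bits=8):
    """Left-to-right square-and-multiply that yields a checkpoint every
    `chunk_bits` exponent bits, so a scheduler can suspend it mid-exponentiation
    and resume later instead of running the whole DH to completion at once."""
    result, base = 1, base % mod
    nbits = exp.bit_length()
    for i in range(nbits - 1, -1, -1):
        result = (result * result) % mod
        if (exp >> i) & 1:
            result = (result * base) % mod
        if (nbits - i) % chunk_bits == 0:
            yield None              # checkpoint: caller may resume later
    return result                   # delivered via StopIteration.value

class Responder:
    """Round-robins pending aggressive-mode DH jobs, spending at most
    `steps_per_slice` checkpoints per timeslice before regular work runs,
    so a flood of initiations cannot starve the rest of the daemon."""
    def __init__(self, steps_per_slice):
        self.steps_per_slice = steps_per_slice
        self.pending = deque()      # (peer_id, suspended DH generator)
        self.completed = {}         # peer_id -> g^x mod p
        self.regular_slices = 0     # how often regular work got its turn

    def accept_aggressive(self, peer_id, g, x, p):
        self.pending.append((peer_id, resumable_modexp(g, x, p)))

    def timeslice(self):
        steps = 0
        while self.pending and steps < self.steps_per_slice:
            peer_id, job = self.pending.popleft()
            steps += 1
            try:
                next(job)
                self.pending.append((peer_id, job))   # suspended, not dropped
            except StopIteration as finished:
                self.completed[peer_id] = finished.value
        self.regular_slices += 1    # regular work always gets its turn
        return len(self.pending)

def simulate(flood, steps_per_slice=4, p=2**61 - 1, g=5, x=0xDEADBEEFCAFEBABE):
    """Constructed flood of `flood` aggressive-mode initiations; returns how
    many timeslices the responder needed, with regular work run in each."""
    r = Responder(steps_per_slice)
    for peer in range(flood):
        r.accept_aggressive(peer, g, x + peer, p)
    slices = 0
    while r.pending:
        r.timeslice()
        slices += 1
    assert all(r.completed[i] == pow(g, x + i, p) for i in range(flood))
    return slices
```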



