[Openswan dev] Re: [Openswan Users] Xauth Client extensions
ken at xelerance.com
Wed Apr 7 05:48:28 CEST 2004
On Wed, 7 Apr 2004, Henrik Nordstrom wrote:
> On Tue, 6 Apr 2004 mcr at xelerance.com wrote:
> > So, we will not put aggressive mode support into openswan 2.x until we
> > can:
> > 1) put in both initiator and responder support
> Both should be supported by OpenSWAN 1.0. It was supported in Super
> Free/SWAN. The Aggressive mode implementation was always primarily tested
> using Free/SWAN during the patch integration.
AFAIK, this is true - all of your patches are in the Openswan 1.x tree.
Nothing has been ported up to 2.x; however, I do have a first-cut patch in my
inbox from someone. It doesn't apply cleanly to HEAD, and doesn't compile
yet either, but it's a start.
> There were some minor issues in key management which were noticeable in
> responder mode, but my understanding is that these have all been fixed by
> now. Maybe I am wrong.
> Unfortunately, due to other events I have not been able to keep track of
> OpenSWAN as much as I'd hoped.
> > 2) implement CPU limits on responder support such that
> > a DoS is not so trivial to cause.
> Always good.
> > The hard part is the CPU limits - we have to change pluto such that it
> > it knows how much diffie-hellman work it has done, knows how much of its
> > timeslice is left, and can suspend computation on aggressive mode
> > clients and return to regular work.
> Aren't similar limits needed on main mode negotiations? Both need the same
> amount of DH calculations, don't they? I admit it has been a long time since I
> worked on aggressive mode, but I do not recall aggressive mode being different
> in this regard.
It's primarily a DoS/CPU eating attack that is possible, as an evil client
could initiate many aggressive mode connections for which DH would need to
be done on each one.
Ken Bantoft, VP Business Development
ken at xelerance.com, Xelerance Corporation
The future is here. It's just not evenly distributed yet.
-- William Gibson
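The responder-side CPU limit Ken describes above (pluto tracking how much Diffie-Hellman work it has done in its timeslice and suspending aggressive-mode clients rather than serving them all at once) can be modelled as a work budget. The following is an added example, not Openswan or pluto code; DhWorkBudget, run_flood and the "peer" names are constructed for illustration, and the model also caps the suspended queue, since deferring work trades CPU exhaustion for memory growth.

```python
from collections import deque

class DhWorkBudget:
    """Constructed model (not pluto's code) of a per-timeslice cap on the
    Diffie-Hellman work a responder spends on aggressive-mode openings.
    Peers over the cap are suspended and resumed in later slices; peers
    over max_suspended are dropped so the queue cannot exhaust memory."""

    def __init__(self, dh_per_slice: int, max_suspended: int):
        self.dh_per_slice = dh_per_slice
        self.max_suspended = max_suspended
        self.used = 0             # DH computations done in this slice
        self.suspended = deque()  # peers waiting for their DH computation
        self.completed = []       # peers whose DH has been computed

    def aggressive_request(self, peer: str) -> str:
        """First aggressive-mode message: DH is needed before any reply.
        Returns 'computed', 'suspended' or 'dropped'."""
        if self.used < self.dh_per_slice:
            self.used += 1
            self.completed.append(peer)
            return "computed"
        if len(self.suspended) < self.max_suspended:
            self.suspended.append(peer)
            return "suspended"
        return "dropped"

    def new_timeslice(self) -> int:
        """Reset the budget and resume suspended peers, oldest first;
        returns how many DH computations were resumed."""
        self.used, resumed = 0, 0
        while self.suspended and self.used < self.dh_per_slice:
            self.completed.append(self.suspended.popleft())
            self.used += 1
            resumed += 1
        return resumed

def run_flood(n_requests: int, dh_per_slice: int, max_suspended: int) -> dict:
    """Constructed scenario: n_requests aggressive-mode openings arrive in
    one slice, then slices tick until the suspended queue drains."""
    budget = DhWorkBudget(dh_per_slice, max_suspended)
    outcomes = [budget.aggressive_request(f"peer{i}") for i in range(n_requests)]
    peak, slices = budget.used, 0
    while budget.suspended:
        budget.new_timeslice()
        slices += 1
        peak = max(peak, budget.used)
    return {"computed_now": outcomes.count("computed"),
            "suspended": outcomes.count("suspended"), "dropped": outcomes.count("dropped"),
            "slices_to_drain": slices, "peak_dh_per_slice": peak}
```

With 20 simultaneous openings and a budget of 4 DH computations per slice, the peak DH work per slice stays at 4 regardless of how many peers arrive, which is the property the limit is meant to give the responder.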