[Openswan Users] Connection not coming up automatically
Paul Wouters
paul at xelerance.com
Wed Jun 28 05:31:33 CEST 2006
On Tue, 27 Jun 2006, Andy wrote:
> > It prevents your box from going down with a trivial DDOS attack when
> > Aggressive Mode is used.
>
> I believe you mentioned that before. Is that so hard to fix in the
> nhelpers=0 case?
It is unfixable, because of limitations in Aggressive Mode. You have to
do a Diffie-Hellman key generation upon receiving the first (bogus) packet.
With nhelpers, we launch these crypto operations as a low priority operation,
so that other connections don't die while such a DDOS would be in progress.
> > There are definitely issues with nhelpers being non-zero.
> Indeed. Perhaps nhelpers=0 should be default?
I am thinking about that for openswan 2.4.x. (though not for #public)
Paul