[Openswan Users] Connection not coming up automatically

Paul Wouters paul at xelerance.com
Wed Jun 28 05:31:33 CEST 2006


On Tue, 27 Jun 2006, Andy wrote:

> > It prevents your box from going down with a trivial DDOS attack when
> > Aggressive Mode is used.
>
> I believe you mentioned that before. Is that so hard to fix in the
> nhelpers=0 case?

It is unfixable, because of limitations in Aggressive Mode. You have to
do a Diffie-Hellman key generation upon receiving the first (bogus) packet.
With nhelpers, we launch these crypto operations as a low priority operation,
so that other connections don't die while such a DDoS would be in progress.

> > There are definitely issues with nhelpers being non-zero.
> Indeed. Perhaps nhelpers=0 should be default?

I am thinking about that for openswan 2.4.x. (though not for #public)

Paul
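The cost asymmetry Paul describes above, as an added example that is not part of the original thread and not Openswan code: forging an Aggressive Mode message 1 costs the attacker nothing, while the responder must do a Diffie-Hellman computation before it can tell whether the peer is genuine. The modulus `P` is a constructed 1024-bit odd number standing in for an IKE MODP group (it is not a real group, it only makes `pow()` do comparable work), and the `Responder` class is a single-threaded priority-queue model of "defer the DH work" rather than a reproduction of how Openswan's helper threads actually schedule.

```python
"""Aggressive Mode DoS cost asymmetry and why DH work gets deferred.

Added example, not Openswan code. It models the situation described in the
thread: the responder must do a Diffie-Hellman computation as soon as an
unauthenticated Aggressive Mode message 1 arrives, while the attacker pays
nothing to forge that message.
"""

import heapq
import secrets
import time

# Constructed stand-in for an IKE MODP group (assumption: NOT a real group,
# only chosen so that pow() does as much work as a 1024-bit group would).
P = (1 << 1023) | secrets.randbits(1023) | 1   # random odd 1024-bit modulus
G = 2


def forge_msg1() -> bytes:
    """Attacker side: a bogus KE payload is just 128 random bytes, no math."""
    return secrets.token_bytes(128)


def responder_dh_work(msg1: bytes) -> int:
    """Responder side on receiving message 1: it has to generate its own
    ephemeral exponent and public value before it can reply, long before it
    knows whether the peer is genuine. Returns the public value g^x mod p."""
    x = secrets.randbits(1024)
    return pow(G, x, P)


def cost_asymmetry(n: int) -> tuple:
    """Seconds the attacker spends forging n first packets vs. seconds the
    responder spends answering them."""
    t0 = time.perf_counter()
    msgs = [forge_msg1() for _ in range(n)]
    t1 = time.perf_counter()
    for m in msgs:
        responder_dh_work(m)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


class Responder:
    """Single-threaded event loop with a job queue.

    defer_dh=False: every job is served FIFO, so a burst of bogus message 1s
    blocks ordinary traffic (what the nhelpers=0 path is exposed to).
    defer_dh=True: DH jobs sort behind everything else, so packets for
    established connections keep flowing while the DH backlog drains. This is
    a priority-queue stand-in for handing the work to low-priority helpers
    (an assumption for illustration, not Openswan's actual scheduler).
    """

    def __init__(self, defer_dh: bool):
        self.defer_dh = defer_dh
        self._queue = []          # heap of (priority, seq, kind, payload)
        self._seq = 0

    def receive(self, kind: str, payload: bytes) -> None:
        prio = 1 if (self.defer_dh and kind == "aggr_msg1") else 0
        heapq.heappush(self._queue, (prio, self._seq, kind, payload))
        self._seq += 1

    def run(self) -> list:
        """Drain the queue and return the order in which job kinds completed."""
        order = []
        while self._queue:
            _, _, kind, payload = heapq.heappop(self._queue)
            if kind == "aggr_msg1":
                responder_dh_work(payload)   # the expensive part
            order.append(kind)
        return order


def flood_then_legit(defer_dh: bool, n_bogus: int = 20, n_legit: int = 5) -> list:
    """A burst of bogus message 1s followed by packets for established tunnels."""
    r = Responder(defer_dh)
    for _ in range(n_bogus):
        r.receive("aggr_msg1", forge_msg1())
    for _ in range(n_legit):
        r.receive("esp_packet", b"constructed packet for an established SA")
    return r.run()


if __name__ == "__main__":
    attacker, responder = cost_asymmetry(50)
    print(f"attacker: {attacker:.4f}s  responder: {responder:.4f}s")
    print("nhelpers=0 order :", flood_then_legit(False)[:8])
    print("deferred DH order:", flood_then_legit(True)[:8])
```

Running it shows the responder spending orders of magnitude more time than the attacker for the same number of packets, and that only the deferred variant lets the `esp_packet` jobs complete before the DH backlog. The model does not remove the DH cost, which is the point of the thread: the work is unavoidable in Aggressive Mode, so the only lever is where it runs.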

