[strongSwan-dev] DoS protection questions

Tobias Brunner tobias at strongswan.org
Wed Apr 4 12:12:15 CEST 2018


> Furthermore, I am afraid we actually queue a lot of jobs (more than one) when the counter is decreased by one.
> I think it may be the root problem?

Yes, until the next IKE_SA is checked in packets will be processed.

> The only visible effect is to set a job limit, but since it is global we could prevent high priority jobs to run properly.

It's not a limit on the number of jobs, it's a limit that causes
IKE_SA_INITs to get dropped when the number of jobs exceeds the
configured number.

Regards,
Tobias


More information about the Dev mailing list