[strongSwan-dev] DoS protection questions
Emeric POUPON
emeric.poupon at stormshield.eu
Thu Apr 5 11:16:56 CEST 2018
>> Furthermore, I am afraid we actually queue a lot of jobs (more than one) when
>> the counter is decreased by one.
>> I think it may be the root problem?
>
> Yes, until the next IKE_SA is checked in, packets will be processed.
Do you want me to file an issue for that?
>
>> The only visible effect is to set a job limit, but since it is global we could
>> prevent high priority jobs from running properly.
>
> It's not a limit on the number of jobs, it's a limit that causes
> IKE_SA_INITs to get dropped when the number of jobs exceeds the
> configured number.
Ok, it does the job then.
Thanks again for your answers.
Regards,
Emeric