On 23-04-15 08:58, Gert Doering wrote:
> On Wed, Apr 22, 2015 at 05:25:54PM -0700, blz wrote:
>>> The server will just update its "what IP/port is the client on?" table
>>> entry, without restarting anything.
>>
>> What I'm wondering is how secure that is, such as how easily one could
>> fake such a reconnect to get in on someone else's session, where they
>> wouldn't even need a key? I hope this is just good ol' fashioned paranoia
>> on my part, but it would be nice to know. Thanks.
>
> The server updates its table entry only if the packet's HMAC validates,
> read "the client knows the key material for that particular session".
It is even better: the server checks both the HMAC /and/ replay protection before updating its table entry. This means that an attacker also can't use older, previously valid, packets to mount a denial-of-service attack.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
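The check described in this thread, as an added simulation (not OpenVPN's own code or wire format): a server lets a session's address entry float to a new source only after the packet's HMAC validates under that session's key and its packet id passes replay protection. The framing, the per-session key handling and the addresses are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # SHA-256 tag; constructed framing, not OpenVPN's wire format

class Session:
    def __init__(self, key: bytes, addr: tuple):
        self.key = key           # per-session HMAC key (assumption: one key per session)
        self.addr = addr         # "what IP/port is the client on?" table entry
        self.last_packet_id = 0  # replay protection: ids must strictly increase

def build_packet(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Constructed framing: 4-byte packet id || payload || HMAC-SHA256 tag."""
    body = struct.pack(">I", packet_id) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def handle_packet(session: Session, src_addr: tuple, packet: bytes) -> str:
    """Validate first; only a fresh, authenticated packet moves the address."""
    if len(packet) < 4 + TAG_LEN:
        return "dropped: short packet"
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(session.key, body, hashlib.sha256).digest()
    # 1. HMAC check: a packet built without this session's key is rejected
    #    (constant-time compare) before any session state is touched.
    if not hmac.compare_digest(tag, expected):
        return "dropped: bad hmac"
    # 2. Replay check: a captured, previously valid packet resent later fails.
    packet_id = struct.unpack(">I", body[:4])[0]
    if packet_id <= session.last_packet_id:
        return "dropped: replay"
    session.last_packet_id = packet_id
    # 3. Both checks passed: now the table entry may float to the new source.
    if src_addr != session.addr:
        session.addr = src_addr
        return "accepted: address updated"
    return "accepted"

def demo() -> dict:
    """Three cases from the thread; returns the verdicts so they can be checked."""
    key = os.urandom(32)
    sess = Session(key, ("198.51.100.10", 1194))  # constructed addresses
    genuine = build_packet(key, 1, b"hello")
    out = {"roam": handle_packet(sess, ("203.0.113.7", 40000), genuine)}
    forged = build_packet(os.urandom(32), 2, b"hello")  # sender lacks the key
    out["forged"] = handle_packet(sess, ("192.0.2.99", 5555), forged)
    out["replay"] = handle_packet(sess, ("192.0.2.99", 5555), genuine)
    out["addr"] = sess.addr
    return out
```

The genuine client roaming to a new address is accepted and the entry updated; a packet built without the session key fails the HMAC check, and a resent copy of the genuine packet fails the replay check, so neither moves the session.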