search for: hdrnestlimit

...if you require an outer ESP between peers, it's a matter of how much you trust your peer. FreeBSD will not panic, you may however be able to "store" packets in the network stack for IPv4 and see the netstat -s -p ipcomp packets in counter go up quickly. IPv6 has a net.inet6.ip6.hdrnestlimit of 15 by default and will throw away the packet after that many iterations. A mitigation change for the directly recursive case was just committed to HEAD: http://svn.freebsd.org/viewvc/base?view=revision&revision=220247 Similar patches for other branches (untested) are available: HEAD and S...

....gif.max_nesting: 1 net.link.gif.parallel_tunnels: 0 net.link.log_link_state_change: 1 net.inet6.ip6.forwarding: 0 net.inet6.ip6.redirect: 1 net.inet6.ip6.hlim: 64 net.inet6.ip6.maxfragpackets: 6400 net.inet6.ip6.accept_rtadv: 0 net.inet6.ip6.keepfaith: 0 net.inet6.ip6.log_interval: 5 net.inet6.ip6.hdrnestlimit: 50 net.inet6.ip6.dad_count: 1 net.inet6.ip6.auto_flowlabel: 1 net.inet6.ip6.defmcasthlim: 1 net.inet6.ip6.gifhlim: 30 net.inet6.ip6.kame_version: FreeBSD net.inet6.ip6.use_deprecated: 1 net.inet6.ip6.rr_prune: 5 net.inet6.ip6.v6only: 1 net.inet6.ip6.rtexpire: 3600 net.inet6.ip6.rtminexpire: 10 net...