# The IKE Scanner (ike-scan) is Copyright (C) 2003 Roy Hills, NTA Monitor Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
# If this license is unacceptable to you, I may be willing to negotiate
# alternative licenses (contact ike-scan@nta-monitor.com).
#
# $Id: ike-backoff-patterns,v 1.15 2003/07/11 10:44:25 rsh Exp $
#
# backoff-patterns -- Backoff patterns file for ike-scan
#
# Author: Roy Hills <Roy.Hills@nta-monitor.com>
#
# Format:
# Implementation_Name<Tab>Backoff_Pattern
#
# Implementation_Name is a descriptive name for the IKE implementation
# (and version if applicable).  Backoff_Pattern is the observed IKE
# retransmission backoff pattern for this implementation.
#
# The backoff pattern is specified as a comma-separated list of backoff
# times in seconds.  The first number is always zero and represents the first
# packet received.  Subsequent numbers represent the expected delay in
# seconds after the previous packet.  For example, "0, 2, 2, 2" means that a
# total of four packets are sent with a delay of two seconds between each one.
#
# The numbers in the backoff pattern can be decimal numbers e.g. 1.5 for
# one and a half seconds.  You can specify up to a maximum of 6 digits
# after the decimal point (microsecond resolution), although anything
# beyond millisecond resolution is not really practical.  ike-scan uses
# a timeval struct to store the backoff pattern entries.
#
# You may also specify an per-pattern-entry "fuzz" value in milliseconds
# by appending /<fuzz> to the backoff time.  This will override the default
# fuzz for that time only.  The fuzz value specifies how close the specified
# time must be to the observed time for a match.  E.g. a fuzz of 0 means that
# the observed timing must match exactly and a fuzz of 1000 means that the
# times must be within one second of each other (1000ms = 1sec).  If no
# per-pattern-entry fuzz value is specified then a default fuzz value of 100ms
# (defined by DEFAULT_PATTERN_FUZZ in ike-scan.h) is applied.  This default
# value may be changed with the --fuzz option to ike-scan.
#
# Lines beginning with '#' and blank lines are ignored.
#
# The input format is quite strict.  In particular, the separator between
# the implementation name and the backoff pattern must be a single TAB and
# not a space, multiple tabs or spaces, or a mixture of tabs and spaces.
#
# If you have problems adding entries, run ike-scan as:
# ike-scan -v -v -v -o <any-target>
# To dump the backoff pattern table.
#
# You are encouraged to send comments, improvements or suggestions to
# me at ike-scan@nta-monitor.com.
# In particular, I would like you to submit any new patterns that you
# discover.  See: http://www.nta-monitor.com/ike-scan/submit.htm
# For details of how to submit new backoff patterns.
#

# Discovered by: Roy Hills, November 2002
# Observed on: Cisco 2503 running IOS 11.3(11b)T2
# Observed on: Cisco PIX (unknown model) running (unknown version)
# Note:	I've had a report of Cisco IOS 12.2(2)T having the pattern
#	0,10,10,10,10 which incorrectly matches Watchguard Firebox.
#	Thanks to Adam Scott for this observation.
Cisco IOS / PIX	0, 15, 15

# 1st Pattern Discovered by: Roy Hills, November 2002
# Observed on: Cisco VPN Concentrator 3005 running (unknown version)
# Observed on: VPN 3000 Concentrator Version 3.6.3.Rel Oct 04 2002 16:23:00
# 2nd Pattern Discovered by: Guy Widloecher, March 2003
# Observed on: Cisco VPN 3005 Concentrator Version 3.5.2
Cisco VPN Concentrator	0, 8, 8, 8
Cisco VPN Concentrator	0, 8, 8

# Discovered by: Roy Hills, December 2002
# Observed on: Checkpoint Firewall-1 4.0 SP7 on Windows NT Workstation 4.0 SP6a
Firewall-1 4.0	0, 3, 3, 3, 3, 6, 6, 6, 6, 6, 6, 6

# Discovered by: Roy Hills, November 2002
# Observed on: Checkpoint Firewall-1 4.1 SP6 on Windows NT Server 4.0 SP6a
# Observed on: Checkpoint Firewall-1 NG base on Windows NT Server 4.0 SP6a
# Observed on: Checkpoint Firewall-1 NG FP2 on Windows NT Server 4.0 SP6a
Firewall-1 4.1/NG	0, 2, 2, 2, 2, 2, 2, 4, 4, 4, 4, 4

# Discovered by: Roy Hills, December 2002
# Observed on: FreeS/WAN 1.9 on Debian Linux 2.2r7 (Potato) with 2.2.17 Kernel
Linux FreeS/WAN	0, 10, 20

# Discovered by: Roy Hills, November 2002
# Observed on: Nortel Contivity 2500, OS version V4.06-120
# Observed on: Nortel Contivity 1600, OS version V3.60-45
Nortel Contivity	0, 16, 16, 16

# Discovered by: Roy Hills, December 2002
# Observed on: Watchguard Firebox 700 v6.1
Watchguard Firebox	0, 10, 10, 10, 10, 10

# Discovered by: Roy Hills, December 2002
# Observed on: Windows 2000 Server SP1
Windows-2000	0, 1, 2, 4, 8, 16, 32

# 1st pattern Discovered by: Thomas Walpuski, Jan 2003
# Observed on: Various OpenBSD systems running isakmpd
# 2nd pattern discovered by: Marco Ivaldi <raptor@mediaservice.net>, Jan 2003
# Observed on: OpenBSD 3.2
# Observed on: FreeBSD 4.7-Stable with isakmpd-20021118 and OpenBSD 3.1
# Note: OpenBSD isakmpd is highly configurable, so it's difficult to get one
#       pattern which will match all possible backoff pattern.
#       Hakan Olsson has informed me that the actual algorithm used by isakmpd
#	is "5 + 2*<retrans#>" which can be found in transport.c, ca line 310.
#	Both patterns match this algorithm: the first with the default
#	retransmission limit of 3 and the second with retransmits set to 5.
#	It has also been pointed out that isakmpd can run on many platforms
#	other than FreeBSD and OpenBSD, so the inclusion of these OS names in
#	the pattern are misleading.  However, I'm leaving the names unchanged
#	in case someone relies on them in the program output.
FreeBSD/OpenBSD-isakmpd	0, 7, 9, 11
FreeBSD/OpenBSD-isakmpd	0, 7, 9, 11, 13, 15

# Discovered by: Paul van Maaren, January 2003
# Observed on: FreeBSD-4.7 STABLE with racoon-20021120a
FreeBSD-racoon	0, 20, 20, 20, 20, 20

# Discovered by: Iain Lewis, February 2003
# Observed on: Netscreen 500
netscreen	0, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4

# Discovered by: Doug Monroe, January 2003
# Observed on: Watchguard SOHO v5.1.7
# Note:	There is quite a bit of variation with this pattern, hence the
#	per-entry fuzz specifications.
watchguard-soho	0, 1/500, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000, 9.5/3000, 1.5/2000

# Discovered by: Christopher Harrington, February 2003
# Observed on: SonicWall Pro 200
# Note:	There is quite a bit of variation with this pattern, hence the
#	per-entry fuzz specifications.
sonicwall-pro	0, 6.5/1500, 9/1000, 13/2000, 22/3000
