Remove unused labels, functions, and function prototypes.

Remove unused variables.

branches: 1.51.10;
PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.

branches: 1.50.12; 1.50.16;
Some logging improvements.

Fix handling of deletion notification.

branches: 1.48.2;
From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies
also in reversed order for compatiblity. At least Cisco 836 running
IOS 12.3(8)T does this.

branches: 1.47.2; 1.47.6;
directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless an can lead to memory access after free

Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.

From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference
that might occur after removing peers from the config and then reloading.

branches: 1.44.2;
Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).

Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.

added a specific script hook when a dead peer is detected

Get rid of the evil CMPSADDR macro. Trac #295.

From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.

From Tomas Mraz: Remove variable that is not really used; only referenced
while uninitialized causing valgrind error.

Orignally from Bin Li: Fix possible memory corruption in binsanitize().

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.

branches: 1.36.2;
Detect if monotonic system clock is available, and use it for relative
time measurements to avoid complite hang if time jumps backwards.

rewrite local address detection
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()

branches: 1.34.4;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.

Change struct sched to be allocated be the caller to avoid some memory
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.

Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs

Clean up notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode exchanges.

Original patch from Atis Elsts:
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.

From Timo Teras: fix some %d to %zu (size_t values)

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

branches: 1.27.2;
From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

branches: 1.26.2;
From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation

Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.

branches: 1.24.2;
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.

From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).

branches: 1.22.4; 1.22.8;
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

added some debug for DELETE_SA process

Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code

NULL sched check is now done in SCHED_KILL

Removed a debug printf....

fills creation date of generated SPDs

From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().

From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.

branches: 1.14.4;
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
libipsec interface for adding and updating security associations.

branches: 1.13.2;
Check for NULL pointer (COverity 4175)

From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Merge ipsec-tools 0.6.3 import

Update to ipsec-tools 0.6.1

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.

Add safety checks for informational messages

Backout botched patch, approved by Emmanuel Dreyfus.

Safety checks on informational messages

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT
to talk to the same machine outside the NAT. This also require kernel
fixes (already committed eralier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP
over UDP when printing policies

Fix simple DES support (security problems for racoon to racoon setups)
Fix broken generated policies flush

branches: 1.1.1;
Initial revision

PR/51682: Avoid DoS with fragment out of order insertion; keep fragments
sorted in the list.

Some logging improvements.

Fix handling of deletion notification.

branches: 1.48.2;
From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies
also in reversed order for compatiblity. At least Cisco 836 running
IOS 12.3(8)T does this.

branches: 1.47.2; 1.47.6;
directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless an can lead to memory access after free

Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.

From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference
that might occur after removing peers from the config and then reloading.

branches: 1.44.2;
Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).

Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.

added a specific script hook when a dead peer is detected

Get rid of the evil CMPSADDR macro. Trac #295.

From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.

From Tomas Mraz: Remove variable that is not really used; only referenced
while uninitialized causing valgrind error.

Orignally from Bin Li: Fix possible memory corruption in binsanitize().

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.

branches: 1.36.2;
Detect if monotonic system clock is available, and use it for relative
time measurements to avoid complite hang if time jumps backwards.

rewrite local address detection
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()

branches: 1.34.4;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.

Change struct sched to be allocated be the caller to avoid some memory
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.

Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs

Clean up notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode exchanges.

Original patch from Atis Elsts:
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.

From Timo Teras: fix some %d to %zu (size_t values)

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

branches: 1.27.2;
From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

branches: 1.26.2;
From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation

Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.

branches: 1.24.2;
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.

From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).

branches: 1.22.4; 1.22.8;
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

added some debug for DELETE_SA process

Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code

NULL sched check is now done in SCHED_KILL

Removed a debug printf....

fills creation date of generated SPDs

From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().

From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.

branches: 1.14.4;
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
libipsec interface for adding and updating security associations.

branches: 1.13.2;
Check for NULL pointer (COverity 4175)

From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Merge ipsec-tools 0.6.3 import

Update to ipsec-tools 0.6.1

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.

Add safety checks for informational messages

Backout botched patch, approved by Emmanuel Dreyfus.

Safety checks on informational messages

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT
to talk to the same machine outside the NAT. This also require kernel
fixes (already committed eralier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP
over UDP when printing policies

Fix simple DES support (security problems for racoon to racoon setups)
Fix broken generated policies flush

branches: 1.1.1;
Initial revision

Some logging improvements.

Fix handling of deletion notification.

branches: 1.48.2;
From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies
also in reversed order for compatiblity. At least Cisco 836 running
IOS 12.3(8)T does this.

branches: 1.47.2; 1.47.6;
directly call isakmp_ph1delete() instead of scheduling isakmp_ph1delete_stub(), as it is useless an can lead to memory access after free

Explicitly compare return value of cmpsaddr() against a return value
define to make it more obvious what is the intended action. One more
return value is also added, to fix comparison of security policy
descriptors. Namely, getsp() should not allow wildcard matching (as the
comment says, it does exact matching) - otherwise we get problems when
kernel has generic policy with no ports, and a second similar policy with
ports.

From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference
that might occur after removing peers from the config and then reloading.

branches: 1.44.2;
Fix my previous patch to not call purge_remote() twice. Change the place
where purge_remote() is called. This fixes also a possible crash from the
same patch since ph1->remote can be NULL (when we are responder and config
is not yet selected).

Improve DPD sequence checks to allow any reply within valid sequence window
to be proof of livelyness. This can improves things if there's random
packet delays, or if racoon is not getting enough CPU time.

added a specific script hook when a dead peer is detected

Get rid of the evil CMPSADDR macro. Trac #295.

From Yvan Vanhullebus: Use SADB_X_EXT_NAT_T_* consistently for passing the
NAT-T port information. This might break compatibility with some kernels,
but as discussed this is the proper way to pass NAT-T ports and the broken
kernels need to be fixed.

From Tomas Mraz: Remove variable that is not really used; only referenced
while uninitialized causing valgrind error.

Orignally from Bin Li: Fix possible memory corruption in binsanitize().

Support multiple anonymous remotes and decide remoteconf based on identity,
received certificates and other information. General code clean up.

branches: 1.36.2;
Detect if monotonic system clock is available, and use it for relative
time measurements to avoid complite hang if time jumps backwards.

rewrite local address detection
make some functions static that arr not needed globally
rework how fd_set is construction for the main loop select()

branches: 1.34.4;
Implement ISAKMP SA rekeying configurable with rekey {on|off|force} option
in remote conf.

Change struct sched to be allocated be the caller to avoid some memory
allocations. Optimize scheduling algorithm to not scan all entries in
the main loop.

Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs

Clean up notification payload handling. Handle INITIAL-CONTACT notification
in last main mode exchange (delayed) and during quick mode exchanges.

Original patch from Atis Elsts:
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.

From Timo Teras: fix some %d to %zu (size_t values)

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

branches: 1.27.2;
From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

branches: 1.26.2;
From Cyrus Rahman: Allow interface reconfiguration when running in privilege separation mode, document privilege separation

Refactor admin socket event protocol to be less error prone. Backwards compatibility is provided. Submitted by Timo Teras.

branches: 1.24.2;
From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.

From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).

branches: 1.22.4; 1.22.8;
use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

added some debug for DELETE_SA process

Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code

NULL sched check is now done in SCHED_KILL

Removed a debug printf....

fills creation date of generated SPDs

From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().

From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.

branches: 1.14.4;
From Joy Latten: Add support for SELinux security contexts. Also cleanup the
libipsec interface for adding and updating security associations.

branches: 1.13.2;
Check for NULL pointer (COverity 4175)

From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet exchange
(prior to peer consent)

Migration of ipsec-tools to NetBSD CVS part 2: resolving the import conflicts.
Since we previously had a release branch and we import here the HEAD of CVS,
let's assume all local changes are to be dumped. Local patches should have
been propagated upstream, anyway.

Merge ipsec-tools 0.6.3 import

Update to ipsec-tools 0.6.1

Resolve conflicts caused by recent ipsec-tools-0.6.1rc1 import by prefering
the newer software. Some useful local change might have been overwritten,
we'll take care of this soon.

Add safety checks for informational messages

Backout botched patch, approved by Emmanuel Dreyfus.

Safety checks on informational messages

More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT
to talk to the same machine outside the NAT. This also require kernel
fixes (already committed eralier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP
over UDP when printing policies

Fix simple DES support (security problems for racoon to racoon setups)
Fix broken generated policies flush

branches: 1.1.1;
Initial revision

Migrate ipsec-tools CVS to cvs.netbsd.org

Import ipsec-tools 0.6.1

Update ipsec-tools to 0.6.1rc1
Most of the changes since 0.6b4 have already been committed to the NetBSD
tree. This upgrade fixes some IPcomp and NAT-T related problems that were
left unadressed in the NetBSD tree.

branches: 1.1.1.3.2;
Import ipsec-tools ipsec-tools-0_6-20050314

Import ipsec-tools 0.6 branch as of 2005/02/23. News from last imported version
according to ipsec-tools' ChangeLog:

2005-02-23 Emmanuel Dreyfus <manu@netbsd.org>

* configure.ac, src/racoon/{Makefile.am|crypto_openssl.c}: optionnal
support for patented algorithms: IDEA and RC5.
* src/racoon/{isakmp_xauth.c|main.c}: don't initialize RADIUS if it
is not required in the configuration
* src/racoon/isakmp.c: do not reject addresses for which kernel
refused UDP encapsulation, they can still be used for non NAT-T
traffic (eg: NAT-T enabled racoon on non NAT-T enabled kernel)

2005-02-18 Emmanuel Dreyfus <manu@netbsd.org>

* src/racoon/{main.c|eaytest.c|plairsa-gen.c}
src/setkey/setkey.c: don't use fuzzy paths for package_version.h

2005-02-18 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/isakmp_inf.c: Purge generated SPDs when getting a
related DELETE_SA
* src/racoon/pfkey.c: do NOT unbindph12() when SA acquire

2005-02-17 Emmanuel Dreyfus <manu@netbsd.org>

From Fred Senault <fred.letter@lacave.net>
* src/racoon/remoteconf.c: Fix a bug in script init

2005-02-17 Yvan Vanhullebus <vanhu@free.fr>

* src/racoon/ipsec_doi.c: Workaround for phase1 lifetime checks

2005-02-15 Michal Ludvig <michal@logix.cz>

* configure.ac: Changed --enable-natt_NN to --enable-natt-versions=NN,NN

Import ipsec-tools (tag ipsec-tools-0_6-base in ipsec-tools CVS)
ipsec-tools is a fork from KAME racoon/libipsec/setkey, with many
enhancements.

Apply patch (requested by adrianp in ticket #1763):
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
Fix a denial of service vulnerability (CVE-2007-1841) which could allow an
attacker to disrupt a connection between IPSec peers.

branches: 1.1.1.3.2.7.2; 1.1.1.3.2.7.4;
Apply patch (requested by manu in ticket #981):
Update ipsec-tools to version 0.6.3.

Apply patch (requested by tron in ticket #741):
Update ipsec-tools to version 0.6.1.

Backout ticket 579 because it causes build failures.

Pull up revision 1.5 (requested by manu in ticket #579):
Safety checks on informational messages

Pull up revision 1.4 (requested by manu in ticket #277):
More NAT-T fixes for the situation where racoon acts as a VPN client
Flush SA and generated SP on DPD timeout and deletion payloads

Pull up revision 1.3 (requested by manu in ticket #215):
Bug fixes from the ipsec-tools 0.6 branch:
- Fix NAT-T problems that prevented multiple peers behind the same NAT
to talk to the same machine outside the NAT. This also require kernel
fixes (already committed eralier)
- Fix a LP64 bug
- Fix NAT-T RFC conformance bugs (missing non ESP marker in packets)
- Add a -p option to setkey to display ports that could be used for ESP
over UDP when printing policies

Pull up revision 1.2 (requested by manu in ticket #179):
Fix simple DES support (security problems for racoon to racoon setups)
Fix broken generated policies flush

Apply patch (requested by adrianp in ticket #1763):
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
Fix a denial of service vulnerability (CVE-2007-1841) which could allow an
attacker to disrupt a connection between IPSec peers.

Apply patch (requested by adrianp in ticket #1763):
crypto/dist/ipsec-tools/src/racoon/isakmp_inf.c
Fix a denial of service vulnerability (CVE-2007-1841) which could allow an
attacker to disrupt a connection between IPSec peers.

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).

branches: 1.13.2.2.2;
Pull up following revision(s) (requested by manu in ticket #830):

Import ipsec-tools 0.7

branches: 1.13.2.1.2;
Upgrade ipsec-tools to 0.7-beta3 (Requested by manu in ticket #634).

Upgrade ipsec-tools to release 0.7.1 (requested by manu in ticket #1183).

Sync with netbsd-4.

Sync w/ NetBSD-4-RC_1

From Roman Hoog Antink <rha@open.ch>: Fixes a null pointer dereference
that might occur after removing peers from the config and then reloading.

From Tomas Mraz: Remove variable that is not really used; only referenced
while uninitialized causing valgrind error.

Orignally from Bin Li: Fix possible memory corruption in binsanitize().

Fixed port match in purge_ipsec_spi() when NAT-T enabled and trying to purge non NAT-T SAs

Original patch from Atis Elsts:
Fix a double memory free and a memory corruption (LIST_REMOVE() on
an uninserted node) in some error handling paths.

From Timo Teras: fixed some %d to %zu (size_t values).

Use utility functions to evaluate and manipulate network port values. No functional changes. Submitted by Timo Teras.

From Timo Teras: extract port numbers from SADB_X_EXT_NAT_T[SD]PORT if present in purge_ipsec_spi().

From Timo Teras: reset iph1->dpd_r_u in the scheduler's callback, to avoid access to freed memory.

From Krzysztof Oledzki: added some details to some logs (also reported new getph1byaddr() arg).

use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

added some debug for DELETE_SA process

Store the DPD main scheduler in ph1 handler, to be able to cancel it when removing the handler, and some minor cleanups in DPD code

NULL sched check is now done in SCHED_KILL

Removed a debug printf....

fills creation date of generated SPDs

From "Uncle Pedro" on sf.net: Just expire a ph1 handle when receiving a DELETE-SA instead of calling purge_remote().

From "Uncle Pedro" on sf.net: When receiving an ISAKMP DELETE_SA, get the cookie of the SA to be deleted from payload instead of just deleting the ISAKMP SA used to protect the informational exchange.

use a single PATH_IPSEC_H to fix some path_to_ipsec.h issues

file isakmp_inf.c was added on branch matt-mips64 on 2007-07-18 12:07:52 +0000

sync with HEAD

sync with head.

sync with head.

Merge in changes between wrstuden-revivesa-base-2 and
wrstuden-revivesa-base-3.

Sync with wrstuden-revivesa-base-2.

Sync w/ -current. 34 merge conflicts to follow.

Apply patch (requested by manu/spz in #378):
Downgrade ipsec-tools to 0.7.1nb1.

Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html

Sync with HEAD

sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")

sync with head

Some logging improvements.

Fix handling of deletion notification.

From Roman Hoog Antink <rha@open.ch>: Accept DPD messages with cookies
also in reversed order for compatiblity. At least Cisco 836 running
IOS 12.3(8)T does this.

resync from head

resync with head