Re[4]: IKMP Security Exchange Negotiation
Colin,
Thanks for the comments.
>X-Disclaimer: Nyx is a public access Unix system run by the University
> of Denver. The University has neither control over nor
> responsibility for the opinions or correct identity of users.
>
>Paul Lambert <Paul_Lambert-P15452@email.mot.com> wrote:
>(Is that "P15452" a cookie to prevent flooding by junk mail?)
I wish; it is more like corporate castor oil that is added by our X.400 gateway
...
>
>> Example 5 - The cookies are needed when a recipient feels threatened (perhaps
>> it just received a bogus DH initiation). It is then very important to allow
>> the recipient to request a cookie using a stateless response:
>> -> (DH,DH1),(KC,)
>> <- (KC,)
>> -> (KC,KC1)
>> <- (KC,KC2)
>> ... etc.
>
>Please note that the initial setup message in Karn Cookies is stateless,
>i.e. the "KC1" sent from initiator is 0 bits long. (Well, okay, it's the
>IP address which is of non-zero size, but it's always included so you
>can send the reply, so the size attributable to the protocol is 0.)
>I was thinking of this for Photuris, although your technique is more general.
>So the second message would be KC2 (the cookie).
I had abstracted the exchanges and ignored the details of the Karn Cookies.
>The KC exchange is a bit odd, because it's to be used in *addition* to
>another protocol. I.e. you then go on to send (DH,DH1),KC2.
I had assumed a bundling approach where the KC included a Diffie-Hellman or
similar key establishment. For this example I really should have referenced
Photuris and documented a PH exchange.
I had not considered treating the KC or similar flooding prevention mechanisms
separately from the key establishment. Previously, I have viewed the main
protocol exchange as two steps: key establishment and attribute negotiation.
It looks like a third optional cookie step could be added. Cookies could be
built into a key exchange, or integrated into the IKMP as separate processing.
Regards,
Paul
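The stateless cookie step discussed in this thread, as an added illustration that is not code from the original messages or from Photuris itself: the responder derives the cookie (KC2) from its own secret and the peer's address, so it stores nothing until the initiator echoes the cookie back, and only then spends effort on the DH exchange. The class and function names, the 16-byte cookie length, and the sample addresses are assumptions made for this example.

```python
import hmac
import hashlib
import os
import secrets
from typing import Optional, Tuple

# Constructed example of a stateless anti-flooding cookie exchange.
# Message flow modelled (after the thread):  -> (KC, )   <- (KC, KC2)   -> (DH,DH1),KC2


class Responder:
    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)  # would be rotated periodically in practice
        self.dh_work_done = 0                  # counts expensive key-establishment steps

    def cookie_for(self, src_ip: str, src_port: int) -> bytes:
        # Stateless: a MAC over the peer's address under our secret, so the cookie
        # can be recomputed when it comes back instead of being stored per peer.
        msg = f"{src_ip}:{src_port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle(self, src_ip: str, src_port: int, cookie: Optional[bytes],
               dh_value: Optional[int]) -> Tuple[Optional[bytes], bool]:
        """Process one message; returns (cookie to send back, DH accepted?)."""
        if cookie is None:
            # Initiator's cookie field is empty (0 bits): answer with KC2, keep no state.
            return self.cookie_for(src_ip, src_port), False
        expected = self.cookie_for(src_ip, src_port)
        if not hmac.compare_digest(cookie, expected) or dh_value is None:
            # Wrong cookie (e.g. spoofed source that never saw our reply): drop cheaply.
            return None, False
        # The echoed cookie shows the peer receives at the claimed address,
        # so it is now reasonable to do the expensive DH computation.
        self.dh_work_done += 1
        return None, True


def run_exchange(responder: Responder, ip: str, port: int, spoofed: bool = False) -> bool:
    """Simulate an initiator; a spoofed initiator cannot read the responder's cookie reply."""
    kc2, _ = responder.handle(ip, port, None, None)
    if spoofed:
        kc2 = os.urandom(16)  # a flooder has to guess the cookie
    _, accepted = responder.handle(ip, port, kc2, dh_value=12345)
    return accepted
```

The `dh_work_done` counter makes the point visible: a flooder that cannot receive replies never causes the responder to do key-establishment work.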