
can ISAKMP cookies be zero?



I don't think that ISAKMP should allow cookies to be zero, but I
cannot find an explicit prohibition.

There are hints in RFC 2412 section 2.4.3 and the second last
paragraph of section 6, and in RFC 2408 section 2.4.

If a responder cookie can be zero, it makes the case of the first row
in the table of RFC 2408 section 2.4 hard to distinguish from other
rows.

Pluto (the IKE daemon that I maintain) forbids 0 cookies.  The only
interop issue that has come up turned out to be a buggy implementation
(I got much thanks from the implementor for finding his bug).

I think that the protocol can probably survive allowing 0 cookies, but
would be less robust.

Are 0 cookies prohibited?  If so, where?

Does anyone think 0 cookies should be allowed?  If not, how should
this be legislated?

Hugh Redelmeier
hugh@mimosa.com  voice: +1 416 482-8253

PS: Thanks to John Hardin for raising this issue.
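
The kind of check the message describes, as an added example that is not Pluto's code and not part of the original post: a receiver that treats an all-zero responder cookie only as the marker of the first message of a negotiation (first row of the RFC 2408 section 2.4 table) and rejects zero cookies everywhere else. Function and enum names are hypothetical, the header bytes are constructed, and requiring message ID 0 on that first message is an assumption taken from the same table row.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ISAKMP_HDR_LEN 28  /* fixed header: cookies at 0 and 8, message ID at 20 */
#define COOKIE_LEN 8

enum cookie_verdict {  /* hypothetical names for this sketch */
    CV_TOO_SHORT,      /* shorter than one header */
    CV_ZERO_ICOOKIE,   /* initiator cookie all zero: rejected */
    CV_ZERO_RCOOKIE,   /* zero responder cookie on a message that is not the first */
    CV_INITIAL,        /* table row 1: initiator starting an ISAKMP SA negotiation */
    CV_HAS_BOTH        /* both cookies set: look up state by the cookie pair */
};

static int cookie_is_zero(const uint8_t *c)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++)
        acc |= c[i];
    return acc == 0;
}

/* Classify a received header under a "no zero cookies" policy. */
enum cookie_verdict classify_header(const uint8_t *pkt, size_t len)
{
    static const uint8_t zero_msgid[4] = {0, 0, 0, 0};
    if (len < ISAKMP_HDR_LEN) return CV_TOO_SHORT;
    if (cookie_is_zero(pkt)) return CV_ZERO_ICOOKIE;
    if (!cookie_is_zero(pkt + COOKIE_LEN)) return CV_HAS_BOTH;
    /* Assumption from table row 1: the first message also has message ID 0. */
    return memcmp(pkt + 20, zero_msgid, 4) == 0 ? CV_INITIAL : CV_ZERO_RCOOKIE;
}

/* Build a constructed sample header: each field filled with one byte value. */
void make_header(uint8_t *out, uint8_t ifill, uint8_t rfill, uint8_t msgid_fill)
{
    memset(out, 0, ISAKMP_HDR_LEN);
    memset(out, ifill, COOKIE_LEN);
    memset(out + COOKIE_LEN, rfill, COOKIE_LEN);
    memset(out + 20, msgid_fill, 4);
}

int main(void)
{
    uint8_t h[ISAKMP_HDR_LEN];
    make_header(h, 0xA1, 0x00, 0x00);  /* constructed first message */
    return classify_header(h, sizeof h) == CV_INITIAL ? 0 : 1;
}
```

With this policy a zero responder cookie has exactly one meaning on receipt, which is only sound if a responder never picks zero as its own cookie.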



