Re: can ISAKMP cookies be zero?
> Are 0 cookies prohibited? If so, where?
rfc's 2522 and 2408.
> Does anyone think 0 cookies should be allowed? If not, how should
> this be legislated?
well, they are only useful as anti-clogging tokens to reduce off-the-path
denial-of-service attacks if they are unpredictable. a value of 0 does
not satisfy this. photuris (rfc2522.txt) spells out
the cookie generation requirements and isakmp (rfc2408.txt) echoes
them in section 2.5.3. i'd say a 0 cookie does not satisfy requirement
2:
    2. It must not be possible for anyone other than the issuing
       entity to generate cookies that will be accepted by that
       entity. This implies that the issuing entity must use local
       secret information in the generation and subsequent
       verification of a cookie. It must not be possible to deduce
       this secret information from any particular cookie.
-gabriel
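
Requirement 2 as code: an added example, not part of the original message or of either RFC. It assumes a stateless issuer that derives each 8-octet cookie from a local secret and the peer's addresses and ports. The class name `CookieIssuer`, the choice of HMAC-SHA256 and the sample addresses are illustrative assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

COOKIE_LEN = 8                   # ISAKMP cookies are 8 octets
ZERO_COOKIE = bytes(COOKIE_LEN)  # the value asked about in this thread


class CookieIssuer:
    """Stateless cookies: a keyed MAC over the peer's addressing."""

    def __init__(self, secret=None):
        # Local secret information, known only to the issuing entity.
        self._secret = secret or secrets.token_bytes(32)

    def _compute(self, src_ip, src_port, dst_ip, dst_port):
        binding = (ipaddress.ip_address(src_ip).packed
                   + struct.pack("!H", src_port)
                   + ipaddress.ip_address(dst_ip).packed
                   + struct.pack("!H", dst_port))
        mac = hmac.new(self._secret, binding, hashlib.sha256).digest()
        cookie = mac[:COOKIE_LEN]
        # Edge case (probability 2**-64): never issue the all-zero value.
        return cookie if cookie != ZERO_COOKIE else b"\x00" * 7 + b"\x01"

    def issue(self, src_ip, src_port, dst_ip, dst_port):
        return self._compute(src_ip, src_port, dst_ip, dst_port)

    def verify(self, cookie, src_ip, src_port, dst_ip, dst_port):
        # A constant such as 0 can be produced by anyone, so refuse it
        # before doing any further work for this peer.
        if len(cookie) != COOKIE_LEN or cookie == ZERO_COOKIE:
            return False
        expected = self._compute(src_ip, src_port, dst_ip, dst_port)
        return hmac.compare_digest(cookie, expected)


if __name__ == "__main__":
    # Constructed sample peer (documentation address ranges).
    peer = ("192.0.2.10", 500, "198.51.100.1", 500)
    issuer = CookieIssuer()
    c = issuer.issue(*peer)
    print(c.hex(), issuer.verify(c, *peer), issuer.verify(ZERO_COOKIE, *peer))
```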