
Re: can ISAKMP cookies be zero?



> Are 0 cookies prohibited?  If so, where?

rfc's 2522 and 2408.

> Does anyone think 0 cookies should be allowed?  If not, how should
> this be legislated?

well, they are only useful as anti-clogging tokens to reduce off-the-path
denial-of-service attacks if they are unpredictable. a value of 0 does
not satisfy this. photuris (rfc2522.txt) spells out 
the cookie generation requirements and isakmp (rfc2408.txt) echoes
them in section 2.5.3. i'd say a 0 cookie does not satisfy requirement
2:
      2.    It must not be possible for anyone other than the issuing
            entity to generate cookies that will be accepted by that
            entity.  This implies that the issuing entity must use local
            secret information in the generation and subsequent
            verification of a cookie.  It must not be possible to deduce
            this secret information from any particular cookie.



-gabriel
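
Added example, not part of the original message: a sketch of a cookie issuer that meets requirement 2 by keying the cookie with a local secret and binding it to the peer's addresses and ports, so an all-zero or guessed cookie is never accepted. The class name, the use of HMAC-SHA-256 truncated to 8 octets, and the IPv4-only packing are assumptions made for this example.

```python
import hashlib
import hmac
import os
import socket
import struct

COOKIE_LEN = 8                   # ISAKMP header cookies are 8 octets
ZERO_COOKIE = bytes(COOKIE_LEN)  # predictable: anyone can produce it


class CookieIssuer:
    """Stateless cookies bound to the peer's addressing and a local secret."""

    def __init__(self, secret=None):
        # Requirement 2: local secret information, known only to the issuer.
        self._secret = secret if secret is not None else os.urandom(32)

    def issue(self, src_ip, src_port, dst_ip, dst_port):
        # Bind the cookie to the addresses and ports of the exchange (IPv4 only here).
        msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
               + struct.pack("!HH", src_port, dst_port))
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        cookie = mac[:COOKIE_LEN]
        # A truncated MAC is all zero with probability 2^-64; never hand that out.
        if cookie == ZERO_COOKIE:
            cookie = mac[COOKIE_LEN:2 * COOKIE_LEN]
        return cookie

    def verify(self, cookie, src_ip, src_port, dst_ip, dst_port):
        # A zero value is not something this issuer generated, so reject it outright.
        if len(cookie) != COOKIE_LEN or cookie == ZERO_COOKIE:
            return False
        # Recompute instead of storing state; compare in constant time.
        expected = self.issue(src_ip, src_port, dst_ip, dst_port)
        return hmac.compare_digest(cookie, expected)


if __name__ == "__main__":
    issuer = CookieIssuer()
    peer = ("192.0.2.10", 500, "198.51.100.1", 500)  # constructed sample addresses
    cookie = issuer.issue(*peer)
    print("issued cookie accepted:", issuer.verify(cookie, *peer))
    print("zero cookie accepted:  ", issuer.verify(ZERO_COOKIE, *peer))
    print("other source accepted: ",
          issuer.verify(cookie, "203.0.113.7", 500, "198.51.100.1", 500))
```
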


