
COOKIES in STATUS NOTIFY Messages



Slava Kavsan writes:
> What is the purpose of having COOKIES in STATUS NOTIFY Messages?

In the normal case the cookies identify the IKE SA which the notify
message concerns.

> Aren't these COOKIES the same as in the ISAKMP Header that accompanies
> these messages?

Not always. For example, if you have an already existing IKE SA and you
start a rekeying which fails, then you might send the AUTHENTICATION
FAILED notification using that old IKE SA to get protection for it.
In this case the ISAKMP header cookies are those of the old existing IKE SA
and the cookies inside the notify payload indicate the failed IKE SA.

> If this is the case - does anyone check if they are the same? Or are these
> COOKIES simply useless stuff and no one cares?

I think most of the people just don't care.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
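
The cookie comparison discussed in this thread, as an added example that is not part of the original message and not SSH Communications Security code. It assumes the RFC 2408 header and Notification payload layouts and an already-decrypted Informational message; the function names, cookie values and message ID are constructed for illustration.

```python
import struct

# RFC 2408 3.1: cookies, next payload, version, exchange, flags, msg ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# RFC 2408 3.14: generic header, DOI, protocol ID, SPI size, notify type
NOTIFY_HDR = struct.Struct("!BBHIBBH")
PAYLOAD_HASH, PAYLOAD_NOTIFY = 8, 11
PROTO_ISAKMP = 1
AUTHENTICATION_FAILED = 24

def notify_sa_reference(msg: bytes) -> dict:
    """Compare the ISAKMP header cookies with the cookie pair in the Notify SPI."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, ptype, _ver, _xchg, _flags, _mid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length does not match message size")
    off = ISAKMP_HDR.size
    while ptype != 0:  # walk the payload chain until the Notify payload
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        if ptype == PAYLOAD_NOTIFY:
            if plen < NOTIFY_HDR.size:
                raise ValueError("truncated Notify payload")
            *_, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(msg, off)
            if proto != PROTO_ISAKMP or spi_size != 16 or plen < NOTIFY_HDR.size + 16:
                raise ValueError("Notify SPI is not an ISAKMP cookie pair")
            spi = msg[off + NOTIFY_HDR.size:off + NOTIFY_HDR.size + 16]
            return {"header": (icky, rcky), "notify": (spi[:8], spi[8:]),
                    "type": ntype, "same_sa": spi == icky + rcky}
        ptype, off = next_type, off + plen
    raise ValueError("no Notify payload in message")

def build_sample(header_cookies: bytes, notify_cookies: bytes) -> bytes:
    """Constructed, already-decrypted Informational message: HASH then Notify."""
    notify = NOTIFY_HDR.pack(0, 0, NOTIFY_HDR.size + 16, 1, PROTO_ISAKMP, 16,
                             AUTHENTICATION_FAILED) + notify_cookies
    hash_pl = struct.pack("!BBH", PAYLOAD_NOTIFY, 0, 24) + bytes(20)  # placeholder hash
    body = hash_pl + notify
    return ISAKMP_HDR.pack(header_cookies[:8], header_cookies[8:], PAYLOAD_HASH,
                           0x10, 5, 0, 0x1234, ISAKMP_HDR.size + len(body)) + body

OLD_SA = bytes.fromhex("1111111111111111" "2222222222222222")     # constructed cookies
FAILED_SA = bytes.fromhex("aaaaaaaaaaaaaaaa" "bbbbbbbbbbbbbbbb")  # constructed cookies
rekey_failure = notify_sa_reference(build_sample(OLD_SA, FAILED_SA))
normal_case = notify_sa_reference(build_sample(OLD_SA, OLD_SA))
```

In the rekey-failure sample `same_sa` is false because the header names the old IKE SA while the Notify SPI names the failed one; a receiver that logs both pairs can tell which SA the notification is about.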

