[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cookie verification
Valery,
Despite the current implementations,
I wonder if such amount of SA proposals are
intrinsically necessary.
"Valery Smyslov" <svan@trustworks.com> wrote:
>>On 9 Dec 99, at 10:55, Sami Vaarala wrote:
>>> Indeed it is: the first message does not require a responder
>>> to store state. An approach similar to this one (with
>>> regards to re-sending the data in the first message later)
>>> could work for other IKE modes as well, without making the
>>> exchanges longer. I wonder if this could be done easily
>>> using a "standard transform" to a given stateful mode?
>>
>>I thought about this also. Resending the data in the first message
>>later has its disadvantages when the amount of data is big enough.
>>And it is the first IKE packet where this often may be true - unlike
>>the other IKE packets, which size is limited (unless you send a lot
>>of certs or VendorID payloads), the first packet may contain SA with
>>hundreds of proposals. Resending such amound of data only for anti-
>>clogging purposes seems not to be a reasonable. Perhaps adding one
>>more roundtrip of pure cookie exchange would be better. But,
>>unfortunately, in any case it requires modification of IKE.
--^^--
Kanta
Follow-Ups:
References: