
RE: isakmp cookies field



>  > Could anybody tell me what the benefit of the ISAKMP cookie field is?
>  > I think the cookie just indicates the ISAKMP SPI. Does it have any
>  > function to prevent DoS attacks?
> Yes, exactly.  See RFC 2048 (ISAKMP), section 2.5.3 (Anti-Clogging Token
> ("Cookie") Creation), on pages 20-21.

Of course, I've read this document. But I think this cookie creation
couldn't prevent DoS or MITM attacks.

If the nodes that are about to start communicating knew the local secret
information, then yes, the cookie function could prevent the attack. But the
local secret information is known by the entity that creates a cookie.
Or do nodes have to share any local secret information before the
ISAKMP negotiation is started?
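
The recipe from the section cited above (a hash over the addresses, ports, a time value and a locally generated secret), as an added Python example that is not part of the original message or of any ISAKMP implementation. HMAC-SHA256 truncated to 8 bytes stands in for the fast hash, and the 60-second window, the function names and the addresses are assumptions; it shows the creator checking its own cookie when a peer echoes it back, without the peer ever holding the secret.

```python
import hashlib
import hmac
import os
import struct

LOCAL_SECRET = os.urandom(32)  # generated locally, never sent to any peer
WINDOW = 60                    # assumed cookie lifetime in seconds


def make_cookie(src, dst, now, secret=LOCAL_SECRET):
    """8-byte cookie over (address, port) pairs, a time window and the secret."""
    msg = f"{src[0]}|{src[1]}|{dst[0]}|{dst[1]}".encode()
    msg += struct.pack("!Q", int(now // WINDOW))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def check_cookie(cookie, src, dst, now, secret=LOCAL_SECRET):
    """Recompute from the packet's own addresses; no per-peer state is stored."""
    return any(
        hmac.compare_digest(cookie, make_cookie(src, dst, t, secret))
        for t in (now, now - WINDOW)  # current and previous window
    )


def demo():
    """Constructed scenario using documentation-range addresses."""
    responder = ("192.0.2.1", 500)
    honest = ("198.51.100.7", 500)
    claimed = ("203.0.113.9", 500)  # source address a sender claims but cannot receive at
    t0 = 1_000_000.0

    # The responder's reply carries this cookie to the honest peer's real address.
    cookie = make_cookie(honest, responder, t0)
    return {
        "echoed_by_real_peer": check_cookie(cookie, honest, responder, t0 + 5),
        "guessed_without_reply": check_cookie(bytes(8), claimed, responder, t0 + 5),
        "reused_from_other_address": check_cookie(cookie, claimed, responder, t0 + 5),
        "echoed_after_expiry": check_cookie(cookie, honest, responder, t0 + 3 * WINDOW),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A valid echo only shows that the sender can receive packets at the address it claims, so the responder can defer expensive work until then; it does not authenticate the peer or stop a party that can read the replies on the path.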

