
Q: Calculating Cookies for ISAKMP - Header in IKE



Hi,

just a small question about the cookie generation as mentioned under
3.3 in RFC 2522 "Photuris: Session-Key Management Protocol" (RFC 2408
"ISAKMP" points to it with [Karn]):

First the Initiator Cookie is calculated with a rather complicated
method (MD5 over some attributes like a secret value, the source and
destination IP address etc.). Then, when receiving the answer from the
responder, the initiator cookie in that message is compared to a
recalculated cookie, or alternatively the cached sent cookie. This is
to deny DoS attacks on the later Diffie-Hellman calculation.

Now my question: Why not just generate a random cookie? I can check
this cookie just as I do it with the more complex cookie and have the
same result, either I sent the cookie or I didn't?

What am I missing?

Thank you in advance for your patience to read (and answer) my
question,

Marco
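
The two checks the message describes (recalculating the cookie versus comparing against a cached copy), side by side as an added example that is not part of the original post or of either RFC. Including the UDP ports in the hash input, truncating the MD5 output to the 8-octet ISAKMP cookie field, and all function names and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import socket
import struct

COOKIE_LEN = 8  # the ISAKMP header carries 8-octet cookies


def make_cookie(secret, src_ip, dst_ip, src_port, dst_port):
    """MD5 over a local secret plus the exchange's addresses and ports (assumed inputs)."""
    material = (
        secret
        + socket.inet_aton(src_ip)
        + socket.inet_aton(dst_ip)
        + struct.pack("!HH", src_port, dst_port)
    )
    return hashlib.md5(material).digest()[:COOKIE_LEN]


def check_recomputed(secret, echoed, src_ip, dst_ip, src_port, dst_port):
    """Recalculate from the local secret and the reply's addresses; nothing is stored."""
    expected = make_cookie(secret, src_ip, dst_ip, src_port, dst_port)
    return hmac.compare_digest(expected, echoed)


def check_cached(cache, echoed, peer_ip, peer_port):
    """Compare against the cookie cached when the request was sent to this peer."""
    sent = cache.get((peer_ip, peer_port))
    return sent is not None and hmac.compare_digest(sent, echoed)


def demo():
    # Constructed sample values (documentation address ranges, IKE port 500).
    secret = os.urandom(16)
    me, peer = ("192.0.2.10", 500), ("198.51.100.20", 500)
    cookie = make_cookie(secret, me[0], peer[0], me[1], peer[1])
    cache = {peer: cookie}
    # A reply arriving from the peer we addressed: its source is our original destination.
    genuine = check_recomputed(secret, cookie, me[0], peer[0], me[1], peer[1])
    # The same cookie echoed from a different source address no longer recomputes.
    replayed = check_recomputed(secret, cookie, me[0], "203.0.113.66", me[1], 500)
    cached_ok = check_cached(cache, cookie, *peer)
    cached_other = check_cached(cache, cookie, "203.0.113.66", 500)
    return genuine, replayed, cached_ok, cached_other
```

Both checks give the same accept/reject result here; the recomputed check needs only the secret, while the cached check needs one stored entry per outstanding request.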


