
Re: Calculating Cookies for ISAKMP - Header in IKE



But if you just send a random cookie, how do you know if someone else created
that cookie to make it look like it comes from the one you're trying to
correspond with?

Using MD5 based on the IP address in question and some secret value makes
the outcome unique to both parties, right? So in that way you know that it's
the same originator of the connection request.

Or do I understand it wrongly? Please correct me if I'm off-track.

HG

----- Original Message -----
From: "Marco Ender" <marco.ender@dungeonmaster.at>
To: <ipsec@lists.tislabs.com>
Sent: Tuesday, October 09, 2001 9:45 PM
Subject: Q: Calculating Cookies for ISAKMP - Header in IKE


> Hi,
>
> just a small question about the cookie generation as mentioned under
> 3.3 in RFC 2522 "Photuris: Session-Key Management Protocol" (RFC 2408
> "ISAKMP" points to it with [Karn]):
>
> First the Initiator Cookie is calculated with a rather complicated
> method (MD5 over some attributes like a secret value, the source and
> destination IP address etc.). Then, when receiving the answer from the
> responder, the initiator cookie in that message is compared to a
> recalculated cookie, or alternatively the cached sent cookie. This is
> to deny DoS attacks on the later Diffie-Hellman calculation.
>
> Now my question: Why not just generate a random cookie? I can check
> this cookie just as I do it with the more complex cookie and have the
> same result, either I sent the cookie or I didn't?
>
> What do I miss to understand?
>
> Thank you in advance for your patience to read (and answer) my
> question,
>
> Marco
>
>
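An added illustration of the two cookie schemes the thread compares (example code written for this page, not code from either poster or from RFC 2522): the secret, addresses and ports are constructed values, and MD5 is used only because that is the hash the quoted text names. It shows what each side has to keep: a Photuris-style cookie is recomputed from the responder's secret plus the addresses and ports of the exchange, so a replay of the same cookie from a different source address fails and no per-peer state is stored before the Diffie-Hellman work begins, whereas a random cookie can only be checked against a table of cookies already handed out, and that table is what a flood of spoofed requests fills.

```python
import hashlib
import os
import secrets
import socket
import struct

# Constructed responder secret (a hypothetical value); Photuris regenerates
# its local secret periodically, which implicitly expires old cookies.
RESPONDER_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def stateless_cookie(secret: bytes, src_ip: str, dst_ip: str,
                     src_port: int, dst_port: int) -> bytes:
    """Photuris-style cookie: MD5 over a local secret and the addresses
    and ports of the exchange.  Only the holder of the secret can produce
    a valid cookie, and it can be re-derived from the packet that carries
    it, so the responder keeps no state until the cookie checks out."""
    h = hashlib.md5()
    h.update(secret)
    h.update(socket.inet_aton(src_ip))
    h.update(socket.inet_aton(dst_ip))
    h.update(struct.pack("!HH", src_port, dst_port))
    return h.digest()


def verify_stateless(secret: bytes, cookie: bytes, src_ip: str, dst_ip: str,
                     src_port: int, dst_port: int) -> bool:
    """Recompute from the observed addresses and compare in constant time."""
    expected = stateless_cookie(secret, src_ip, dst_ip, src_port, dst_port)
    return secrets.compare_digest(expected, cookie)


class RandomCookieResponder:
    """Random cookies: every cookie issued must be remembered, together
    with the peer it was issued to, or it cannot be checked later."""

    def __init__(self) -> None:
        self.outstanding: dict[bytes, tuple[str, int]] = {}

    def issue(self, src_ip: str, src_port: int) -> bytes:
        cookie = os.urandom(16)
        self.outstanding[cookie] = (src_ip, src_port)
        return cookie

    def verify(self, cookie: bytes, src_ip: str, src_port: int) -> bool:
        return self.outstanding.get(cookie) == (src_ip, src_port)


def stateless_demo() -> tuple[bool, bool, bool]:
    """Cookie issued for 192.0.2.10: accepted from that address, rejected
    when replayed from another address, rejected after a secret change."""
    cookie = stateless_cookie(RESPONDER_SECRET, "192.0.2.10", "198.51.100.1", 500, 500)
    genuine = verify_stateless(RESPONDER_SECRET, cookie, "192.0.2.10", "198.51.100.1", 500, 500)
    replayed = verify_stateless(RESPONDER_SECRET, cookie, "192.0.2.11", "198.51.100.1", 500, 500)
    rotated_secret = os.urandom(16)  # constructed: simulates periodic secret change
    stale = verify_stateless(rotated_secret, cookie, "192.0.2.10", "198.51.100.1", 500, 500)
    return genuine, replayed, stale


def random_cookie_state_after(n_requests: int) -> int:
    """State held by a random-cookie responder after n requests from
    constructed, distinct source addresses and ports."""
    responder = RandomCookieResponder()
    for i in range(n_requests):
        responder.issue(f"203.0.113.{i % 256}", 1024 + i)
    return len(responder.outstanding)


def stateless_state_after(n_requests: int) -> int:
    """Same flood against the stateless scheme: cookies are issued but
    nothing is stored, so the held state is always zero."""
    for i in range(n_requests):
        stateless_cookie(RESPONDER_SECRET, f"203.0.113.{i % 256}", "198.51.100.1", 1024 + i, 500)
    return 0


if __name__ == "__main__":
    print("stateless (genuine, replayed, stale):", stateless_demo())
    print("random-cookie entries after 1000 requests:", random_cookie_state_after(1000))
    print("stateless entries after 1000 requests:", stateless_state_after(1000))
```

Both schemes let the responder tell "I issued this" from "I did not"; the difference is where the memory for that decision lives. The hashed cookie also binds to the source address, which is why the replay from 192.0.2.11 fails even though the cookie bytes are genuine.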


