
Re[2]: Calculating Cookies for ISAKMP - Header in IKE



Hello,

> but if you just send a random cookie how do you know if someone else created
> that cookie to make it look like it comes from the one you're trying to
> correspond with ?

> Using MD5 based on the IP-address in question and some secret value makes
> the outcome unique to both parties right ? So in that way you know that it's
> the same originator of the connection request ;

> Or do I understand it wrongly ? Please correct me if I'm off-track;

I think you are wrong. Each of the two computers has its own secret
value; they don't share a common one (how should they anyway? Before
the first message they can't have a shared secret). So one computer
can't check if the other computer's cookie is OK, only its own (and if
you look at the RFCs, that's really all they check, their own cookie). But
that can also be accomplished without the cryptographic calculation: I
just have to save a list with all cookies I generated and sent. This was
pointed out by the others. The only reason for the MD5 cookies would
be a stateless protocol where I don't use any saved information (here
the list of cookies I sent) and still have some security. Since IKE
needs to save some information anyway, it doesn't matter if I have to
save one additional cookie per session or not.

br

Marco
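
The two approaches compared in this message, as an added example that is not part of the original post: a cookie recomputed from the peer address and a local secret, beside a random cookie kept in a saved list. The class names, the sample addresses and the use of HMAC-MD5 as the keyed hash are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import secrets

COOKIE_LEN = 8  # ISAKMP initiator/responder cookies are 8 octets

class StatelessCookies:
    """Cookie recomputed from the peer address and a secret only this host knows."""
    def __init__(self):
        self._secret = secrets.token_bytes(16)  # local, never sent to the peer

    def make(self, peer_ip: str) -> bytes:
        addr = ipaddress.ip_address(peer_ip).packed
        # Assumption: HMAC-MD5 stands in for "MD5 over the IP address and a secret"
        return hmac.new(self._secret, addr, hashlib.md5).digest()[:COOKIE_LEN]

    def is_mine(self, peer_ip: str, cookie: bytes) -> bool:
        return hmac.compare_digest(self.make(peer_ip), cookie)

class StatefulCookies:
    """Random cookie per peer, remembered in a table (the saved list)."""
    def __init__(self):
        self._issued = {}  # peer_ip -> cookie this host sent

    def make(self, peer_ip: str) -> bytes:
        cookie = secrets.token_bytes(COOKIE_LEN)
        self._issued[peer_ip] = cookie
        return cookie

    def is_mine(self, peer_ip: str, cookie: bytes) -> bool:
        expected = self._issued.get(peer_ip)
        return expected is not None and hmac.compare_digest(expected, cookie)

def demo() -> dict:
    """Run both schemes on constructed addresses from the documentation ranges."""
    results = {}
    for name, host in (("stateless", StatelessCookies()), ("stateful", StatefulCookies())):
        cookie = host.make("192.0.2.10")
        results[name] = {
            "echoed_back": host.is_mine("192.0.2.10", cookie),
            "other_source": host.is_mine("198.51.100.7", cookie),
            "guessed": host.is_mine("192.0.2.10", bytes(COOKIE_LEN)),
        }
    # A second host holds a different secret, so it cannot check the first host's cookie.
    a, b = StatelessCookies(), StatelessCookies()
    results["peer_can_verify"] = b.is_mine("192.0.2.10", a.make("192.0.2.10"))
    return results
```

Both classes give the same accept/reject answers for a host checking its own cookie; they differ only in whether the host keeps a table entry per peer.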


