Bill,
Thank you, I agree with you and you put it more correctly.
Regards
Ahmed
----- Original Message -----
Sent: Thursday, April 11, 2002 10:08 PM
Subject: IKE vs UDP checksum.
> Since IKE is using the Diffie-Hellman protocol for key management,
Diffie-Hellman is not a checksum or MAC protocol - it is an unauthenticated key agreement protocol. IKE follows up the DH exchange with an additional authentication step, which among other things verifies a hash of the preceding messages; however, that hash can't be verified until after the exchange is complete.

If the UDP checksum were disabled, data corruption due to noise wouldn't be detected until the hash is computed and verified while processing the last pair of messages in main mode.
> I do not see why IKE should use the 2 bytes of UDP checksum.
IKE runs over UDP; UDP provides a checksum as a normal part of its operation. Many IKE implementations will never even see the raw UDP header and its checksum, and thus would never "use" the checksum - but the underlying UDP implementation will use it.

The UDP checksum (as well as other unkeyed lower-layer checks, such as the ethernet CRC) has value for IKE in that it reduces the chance that a phase 1 exchange will be spuriously aborted due to noise.
-
Bill
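As an added example (not part of the original thread), here is the check the UDP layer performs before IKE ever sees a datagram, in Python: the RFC 768 checksum over the IPv4 pseudo-header, header and payload, a single noise-induced bit flip being rejected at the UDP layer, and the same corrupted datagram passing straight through to IKE when the sender set the checksum field to zero (checksum disabled). The addresses, the use of UDP port 500 for IKE, and the payload bytes are constructed stand-ins, not values from the thread.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet/UDP checksum (RFC 768)."""
    if len(data) % 2:
        data += b"\x00"                      # odd-length datagrams are padded with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: bytes, dst_ip: bytes, header: bytes, payload: bytes) -> int:
    """Checksum over IPv4 pseudo-header + UDP header (checksum field as zero) + payload."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(header) + len(payload))
    csum = (~ones_complement_sum(pseudo + header[:6] + b"\x00\x00" + payload)) & 0xFFFF
    return csum or 0xFFFF                    # computed 0 is sent as 0xFFFF; 0 on the wire = "no checksum"

def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: UDP header with a valid checksum, followed by the payload."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header, payload)
    return header[:6] + struct.pack("!H", csum) + payload

def udp_verify(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> str:
    """Receiver side: what the UDP layer decides before handing the payload to IKE."""
    header, payload = datagram[:8], datagram[8:]
    received = struct.unpack("!H", header[6:8])[0]
    if received == 0:
        return "disabled"                    # sender disabled the checksum: corruption reaches IKE
    ok = udp_checksum(src_ip, dst_ip, header, payload) == received
    return "ok" if ok else "corrupt"         # "corrupt" datagrams are dropped by the UDP layer

def flip_bit(data: bytes, bit_index: int) -> bytes:
    buf = bytearray(data)                    # simulate line noise: invert one bit of the datagram
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

# Constructed stand-ins: documentation addresses, UDP port 500 (IKE), and a fake ISAKMP message.
SRC_IP, DST_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
IKE_PORT = 500
SAMPLE_IKE_MSG = bytes(range(40))

def demo() -> tuple:
    """UDP-layer verdict for a clean, a noise-hit, and a checksum-disabled datagram."""
    good = build_udp(SRC_IP, DST_IP, IKE_PORT, IKE_PORT, SAMPLE_IKE_MSG)
    noisy = flip_bit(good, 8 * 20 + 3)                     # one flipped bit inside the payload
    no_csum = good[:6] + b"\x00\x00" + good[8:]            # same datagram sent with checksum = 0
    return (udp_verify(SRC_IP, DST_IP, good), udp_verify(SRC_IP, DST_IP, noisy),
            udp_verify(SRC_IP, DST_IP, flip_bit(no_csum, 8 * 20 + 3)))
```

The third verdict is the case Bill describes: with the checksum field zeroed, the flipped bit is not caught at the UDP layer and only surfaces when IKE's own hash check fails at the end of main mode.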