
Re: Adding revised identities to IKEv2



 In your previous mail you wrote:

   And replying to Francis - I'm too lazy to check myself, but wasn't cookie
   (which is IP address-based) used then as a part of signed contents in
   IKEv1 exchange?
   
=> the cookie is built by the other peer so the only effect is the
addresses must remain the same between all packets of a phase,
a check which is currently done even between phases.
Can you explain how cookies can forbid an attacker to change en route
or as the peer to put a rogue address in all messages?
   
Regards

Francis.Dupont@enst-bretagne.fr