Re: Adding revised identities to IKEv2
In your previous mail you wrote:
> And replying to Francis - I'm too lazy to check myself, but wasn't cookie
> (which is IP address-based) used then as a part of signed contents in
> IKEv1 exchange?
Right... if it's true, we really need to fix this
in IKEv2 (if it's not already fixed). IKE qua
protocol should be completely independent of which
src address the message originated from. Anything
that breaks that requirement needs to be fixed.
=> I disagree: the function of the cookie is to verify
the peer really exists at this address. But I agree
with the requirement for anything but this exception.
Regards
Francis.Dupont@enst-bretagne.fr
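
Added example, not part of the original message: a sketch of a stateless responder cookie that is bound to the initiator's source address, so that returning it shows the peer can receive traffic at that address. The HMAC construction, the choice of fields and all function names are assumptions for illustration, not the IKEv1 or IKEv2 wire format.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Responder-local secret, never sent on the wire.
# Assumption: a real responder rotates it periodically.
SECRET = os.urandom(32)


def _bind(src_ip, src_port, spi_i, nonce_i):
    """Length-prefix every field so different inputs cannot collide."""
    fields = (
        ipaddress.ip_address(src_ip).packed,  # works for IPv4 and IPv6
        struct.pack("!H", src_port),
        spi_i,
        nonce_i,
    )
    return b"".join(struct.pack("!H", len(f)) + f for f in fields)


def make_cookie(src_ip, src_port, spi_i, nonce_i, secret=SECRET):
    """Cookie handed to an unverified initiator; the responder keeps no state."""
    return hmac.new(secret, _bind(src_ip, src_port, spi_i, nonce_i),
                    hashlib.sha256).digest()


def verify_cookie(cookie, src_ip, src_port, spi_i, nonce_i, secret=SECRET):
    """Recompute from the address the retry actually arrived from."""
    expected = make_cookie(src_ip, src_port, spi_i, nonce_i, secret)
    return hmac.compare_digest(cookie, expected)


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    spi, nonce = os.urandom(8), os.urandom(16)
    cookie = make_cookie("192.0.2.10", 500, spi, nonce)
    print("same address:  ", verify_cookie(cookie, "192.0.2.10", 500, spi, nonce))
    print("other address: ", verify_cookie(cookie, "198.51.100.7", 500, spi, nonce))
```

The source address enters only the cookie check; nothing here feeds it into the signed or authenticated part of the exchange.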