Changing the cookie order in IKEv2
At the IETF meeting, Tero Kivinen explained to me some of the unnatural
acts NATs perform on IKEv1 in order to "transparently" support IPsec SAs
through NATs. One of the things they sometimes do is look at the "cookies"
in the header of IKEv1 messages in order to figure out how to route
packets. One of the changes I made in specifying IKEv2 was to change the
order of the cookies in messages going from responder to initiator so that
an endpoint could always identify an SA based on the first cookie in the
packet alone. I made the change both because there were certain fringe
cases where it was needed (because otherwise two SAs might have the same
cookie pair) and because it seemed more elegant and consistent with IP.

But the fringe case can be disambiguated using the I(nitiator) bit in the
header, and changing the cookie order will break certain NATs which
apparently will work unmodified with IKEv2 if we don't change the cookie
order.

So I'd like to propose that the cookie order be changed back to what it was
in IKEv1, with the IKE SA initiator's cookie followed by the IKE SA
responder's cookie regardless of the direction of the packet.

Any objections?

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).