[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IKEv2 cookie question
Uri is correct. (good catch!)
The reason for having both N(COOKIE_REQUIRED) and N(COOKIE)
is that IKEv2 has high numbers for type codes for notifies
for "just information" vs low numbers for type codes of
notifies for "errors". Since Alice also sends a COOKIE
in the next message, then that would argue for making
the cookie notification payload a "just information" type.
But since Bob is explaining why he's refusing the connection
attempt, it would argue for being an error type when Bob sends it.
So the spec does it by having two payloads...one an error (COOKIE_REQUIRED),
and the other (COOKIE) passing the cookie.
Certainly there are lots of perfectly reasonable ways of
doing this (for instance, just removing the N(COOKIE_REQUIRED)
and not having it look like an "error", or having two type
codes for COOKIE, depending on which direction the COOKIE is
travelling). Nothing really wrong with how Charlie chose to
do it, other than as Uri points out, the spec is inconsistent.
So probably the easiest change is to add a low-number notification
type for COOKIE_REQUIRED, e.g.,
COOKIE_REQUIRED 12
IKE_SA_INIT rejected because no cookie was included.
>>Is there any way to fix the spec to clear up this ambiguity?
err...yeah...I believe it's not too late at this point. Thanks, again.
Radia
From: Uri Meth <umeth@columbia.sparta.com>
In the MSEC group, there has been a proposal to potentially add cookies
to the GSAKMP protocol. Since IKE had already dealt with this issue I
looked into how you did cookies. I am very intrigued by your use of
cookies, but in reading through the IKEv2 spec I have some questions.
Either I do not understand your syntax, something is missing, or there
is some mis-information. Please help me clarify what is happening.
In Section 2.6 - Cookies , you give the disection for you message
structure
using cookies:
Initiator Responder
----------- -----------
HDR(A,0), SAi1, KEi, Ni -->
<-- HDR(A,0), N(COOKIE_REQUIRED),
N(COOKIE)
HDR(A,0), N(COOKIE), SAi1, KEi, Ni -->
From this message I interpret that the reponder sends the initiator a
message with two (2) notification payloads, cookie_required and cookie.
The initiator then rebuilds the initial message with the cookie received
from the responder in the notification cookie payload.
However, in Section 3.10.1 - Notify Message Types, you only have a value
for COOKIE and not for COOKIE_REQUIRED.
All this leads me to believe that what you really meant to say is that
the responder sends a message with one (1) notification payload
containing the Cookie value. The initiator takes this cookie value from
the notification payload and sends it back to the responder in the
rebuilt initial message.
So which definition is correct? Is there any way to fix the spec to
clear up this ambiguity? Thanx
UM
--
Uri Meth (410) 872 - 1515 x233 (voice)
SPARTA, Inc. (410) 872 - 8079 (fax)
7075 Samuel Morse Drive umeth@sparta.com
Columbia, MD 21046