
Re: IKEv2 cookie question

Yes, the spec is clearly broken. Section 2.6 says to include
N(COOKIE_REQUIRED) but no such notify payload is defined. As you point out,
there is really no need for two payloads - one saying that a cookie was
required and the other saying what the cookie was. This oddness was a side
effect of moving the cookie out of the SPI and into a Notify payload.

It seems like the easiest way to fix it is to remove all references to
N(COOKIE_REQUIRED). I like it when you can fix a bug by removing things.

Any objections?

      --Charlie

> In Section 2.6 - Cookies, you give the dissection for your message
> structure using cookies:
>
>        Initiator                          Responder
>        -----------                        -----------
>        HDR(A,0), SAi1, KEi, Ni   -->
>
>                                  <-- HDR(A,0), N(COOKIE_REQUIRED),
>                                                    N(COOKIE)
>
>        HDR(A,0), N(COOKIE), SAi1, KEi, Ni   -->
>
>
> From this message I interpret that the responder sends the initiator a
> message with two (2) notification payloads, cookie_required and cookie.
> The initiator then rebuilds the initial message with the cookie received
> from the responder in the notification cookie payload.
>
> However, in Section 3.10.1 - Notify Message Types, you only have a value
> for COOKIE and not for COOKIE_REQUIRED.
>
> All this leads me to believe that what you really meant to say is that
> the responder sends a message with one (1) notification payload
> containing the Cookie value.  The initiator takes this cookie value from
> the notification payload and sends it back to the responder in the
> rebuilt initial message.
>
> So which definition is correct?  Is there any way to fix the spec to
> clear up this ambiguity?  Thanx