
Re: [Ipsec] comment on "empty message" in IKEv2 draft



 In your previous mail you wrote:

   There would be an easy fix for that: the server simply includes the N(COOKIE)
   notify payload inside the encrypted payload in the DPD, and then we simply
   add text to the draft-ietf-ipsec-ike2 draft, inside the "COOKIE
   16390" section, saying:
   
   	If this notification message is received in any request, it
   	MUST be included in the reply packet, with exactly the same
   	data.
   
=> A nonce payload should have the same result, quoting the IKEv2 draft:

   The Nonce Payload ... contains random data used to guarantee liveness
   during an exchange and protect against replay attacks.

   I don't know what is better, COOKIE notifications or nonces. The only
   visible difference is the length (1-64 for cookies, 16-256 for nonces),
   but this is not enough to choose. The same goes for the stateless property
   of cookies: here we have an IKE SA, so there is already some state...
   What do readers of this mailing list prefer? In any case we'll get
   this mechanism in MOBIKE.

Regards

Francis.Dupont@enst-bretagne.fr
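The echo rule discussed in this thread, as an added example that is not part of the original mail or of any IKEv2 implementation: the initiator puts a fresh N(COOKIE) into each DPD request and accepts a reply as proof of liveness only if it answers an outstanding request and carries exactly the same data, so a replayed, unsolicited or malformed reply is ignored. The payload layout follows the IKEv2 Notify payload header; the `Initiator` class and `responder_reply` helper are my own names, not anything from the draft.

```python
import secrets
import struct

# Notify Message Type COOKIE = 16390 (from the thread / IKEv2 draft). Notify payload
# header: Next Payload, Critical/RESERVED, Payload Length, Protocol ID, SPI Size,
# Notify Message Type, then (no SPI for COOKIE) the notification data itself.
NOTIFY_COOKIE = 16390
HDR = "!BBHBBH"

def encode_n_cookie(cookie: bytes, next_payload: int = 0) -> bytes:
    """Build N(COOKIE) to carry inside the Encrypted payload of a DPD request."""
    if not 1 <= len(cookie) <= 64:                  # length range quoted in the thread
        raise ValueError("COOKIE data must be 1-64 octets")
    return struct.pack(HDR, next_payload, 0, 8 + len(cookie), 0, 0, NOTIFY_COOKIE) + cookie

def decode_n_cookie(payload: bytes) -> bytes:
    """Return the notification data, rejecting anything that is not an N(COOKIE)."""
    _np, _crit, length, _proto, spi_size, ntype = struct.unpack(HDR, payload[:8])
    if ntype != NOTIFY_COOKIE or spi_size != 0 or length != len(payload):
        raise ValueError("not a well-formed N(COOKIE) payload")
    return payload[8:]

class Initiator:
    """Side sending DPD requests; remembers what each outstanding request carried."""
    def __init__(self):
        self.next_msg_id = 0
        self.pending = {}           # IKE Message ID -> cookie we expect echoed back

    def send_dpd(self) -> tuple[int, bytes]:
        cookie = secrets.token_bytes(16)            # fresh, unpredictable per request
        msg_id, self.next_msg_id = self.next_msg_id, self.next_msg_id + 1
        self.pending[msg_id] = cookie
        return msg_id, encode_n_cookie(cookie)

    def receive_reply(self, msg_id: int, payload: bytes) -> bool:
        """True only if the reply answers a live request and echoes exactly our data."""
        expected = self.pending.get(msg_id)
        if expected is None:                        # unsolicited, or already answered
            return False
        try:
            echoed = decode_n_cookie(payload)
        except (ValueError, struct.error):          # malformed or truncated payload
            return False
        if not secrets.compare_digest(expected, echoed):
            return False                            # stale or forged: proves nothing
        del self.pending[msg_id]                    # answered once; a second copy is replay
        return True

def responder_reply(msg_id: int, request_payload: bytes) -> tuple[int, bytes]:
    """The proposed rule: include the received N(COOKIE) in the reply, with the same data."""
    return msg_id, encode_n_cookie(decode_n_cookie(request_payload))
```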

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec