
Re: [Ipsec] comment on "empty message" in IKEv2 draft



Francis Dupont writes:
> => A nonce payload should have the same result, quoting the IKEv2 draft:

Nope. 

>    The Nonce Payload ... contains random data used to guarantee liveness
>    during an exchange and protect against replay attacks.

Nonces are always generated by the sender, and it is a random nonce,
which is used during the auth process. It is not replied back in any
of the exchanges, so it would not really guarantee liveness in this
case. 

>    I don't know what is better, COOKIE notifications or nonces. The only
>    visible difference is the length (1-64 for cookies, 16-256 for nonces)
>    but this is not enough to choose. Same about the stateless property
>    of cookies, here we have an IKE SA so already some state...
>    What do readers of this mailing-list prefer? In any case we'll get
>    this mechanism in MOBIKE.

COOKIE is the only option; a nonce is not an option, as it is not sent back.
-- 
kivinen@safenet-inc.com
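
The distinction made in the message above, as an added example that is not part of the original post and not IKEv2 wire code: a toy model of an informational exchange in which the initiator sends an N(COOKIE) notification and expects the same bytes back, versus a Nonce payload, which the responder consumes locally and never echoes. Messages are plain Python dicts (an assumption for readability, not the real payload encoding); the `Initiator`, `Responder`, and `run_scenarios` names are made up here.

```python
"""Toy model of an IKEv2-style liveness check: echoed COOKIE vs. non-echoed nonce.

Added example; simplified message encoding (dicts), not the IKEv2 wire format.
"""
import os
import hmac

COOKIE = "COOKIE"  # stands in for the N(COOKIE) notification payload
NONCE = "NONCE"    # stands in for the Nonce payload


class Initiator:
    """Side that sends the request (e.g. from a new address) and checks the reply."""

    def __init__(self):
        self.pending = {}   # message_id -> random value we expect to see echoed back
        self.next_id = 0    # IKEv2 message ids are per-SA counters; an SA already holds state

    def _new_request(self):
        msg_id, self.next_id = self.next_id, self.next_id + 1
        return {"msg_id": msg_id, "notify": {}, "payloads": {}}

    def cookie_request(self):
        req = self._new_request()
        cookie = os.urandom(16)  # 1..64 bytes allowed for a cookie; 16 chosen here
        self.pending[req["msg_id"]] = cookie
        req["notify"][COOKIE] = cookie
        return req

    def nonce_request(self):
        req = self._new_request()
        ni = os.urandom(32)      # 16..256 bytes allowed for a nonce; 32 chosen here
        self.pending[req["msg_id"]] = ni
        req["payloads"][NONCE] = ni
        return req

    def check_reply(self, reply):
        """True only if the reply carries back the exact random value we sent."""
        expected = self.pending.pop(reply["msg_id"], None)
        if expected is None:
            return False  # unknown or already-answered message id: treat as replay
        echoed = reply["notify"].get(COOKIE) or reply["payloads"].get(NONCE)
        # compare_digest returns False (no exception) on length mismatch
        return echoed is not None and hmac.compare_digest(echoed, expected)


class Responder:
    """Side that answers: echoes a COOKIE, but only ever sends its *own* nonce."""

    def handle(self, request):
        reply = {"msg_id": request["msg_id"], "notify": {}, "payloads": {}}
        if COOKIE in request["notify"]:
            reply["notify"][COOKIE] = request["notify"][COOKIE]  # echoed unchanged
        if NONCE in request["payloads"]:
            # Ni is consumed locally (mixed into keying/auth); the reply carries Nr,
            # which is unrelated to Ni, so nothing in it is bound to the request.
            reply["payloads"][NONCE] = os.urandom(32)
        return reply


def run_scenarios():
    i, r = Initiator(), Responder()

    # 1. Echoed cookie: the reply is provably a response to this request.
    req = i.cookie_request()
    reply = r.handle(req)
    cookie_ok = i.check_reply(reply)

    # 2. Replaying that same reply fails: the message id was already answered.
    replay_rejected = not i.check_reply(reply)

    # 3. A forged reply with the right message id but a guessed cookie fails.
    req2 = i.cookie_request()
    forged = {"msg_id": req2["msg_id"], "notify": {COOKIE: os.urandom(16)}, "payloads": {}}
    forged_rejected = not i.check_reply(forged)

    # 4. Nonce variant: the responder's Nr never matches the Ni we sent.
    req3 = i.nonce_request()
    nonce_bound = i.check_reply(r.handle(req3))

    return {
        "cookie_ok": cookie_ok,
        "replay_rejected": replay_rejected,
        "forged_rejected": forged_rejected,
        "nonce_bound": nonce_bound,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 4 is the whole point of the reply above: because the responder generates its own nonce rather than returning the initiator's, a nonce payload cannot prove that the peer saw this particular request, whereas an echoed COOKIE can.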

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec