<snip>
QUESTION:
My point of view is that
why not we do in this way
In this case, Alice will
not send her IKE_SPI value to Bob in message#1, instead Bob will send his
IKE_SPI value (acts as Cookie) to Alice in message#2.
Bob will not commit any
state until
ADVANTAGES:
1-
We can save cost/time for one
extra exchange.
2- IKE_SPI and Cookie both can be random values, we can get benefit of using Cookie as IKE_SPI or IKE_SPI as Cookie.
Initiator
Responder
----------- p;
-----------
HDR(0,0),
SAi1, KEi, Ni
-->
<-- HDR(0,B), SAr1, KEr, Nr, [CERTREQ]
HDR(A,B), SK {IDi, [CERT,] [CERTREQ,]
[IDr,]
AUTH, SAi2, TSi, TSr}
-->
<-- HDR(A,B), SK {IDr,
[CERT,] AUTH,
SAr2, TSi, TSr}
Where:
A = Initiator’s SPI
B = Responder’s
SPI
Any
comments will be highly appreciated.
Thanks in advance.
wadood
_______________________________________________ Ipsec mailing list Ipsec@ietf.org https://www1.ietf.org/mailman/listinfo/ipsec