Tero said:

> A good way to do this is to set the responder cookie to be:
>
>     Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)

The attack that the cookie mechanism is supposed to foil is a DoS attack using IKE_SA_INIT packets with a spoofed source. I don't see how adding the source port to the cookie calculation helps avoid this.

In the NAT-T case, two initiators behind the same NAT device will have the same IP address but different ports. If their PRNG is so bad that they both generate the same Ni and SPIi, then they will get the same cookie, but in that case, that's probably the least of their problems. It still does not increase the DoS threat to the responder, because each initiator has the "right" to use the NAT box IP address.

At any rate, this is not part of the protocol, and is just a suggestion for implementers. I suggest that unless someone can describe an attack on the current version, that we leave this as is.

Yoav
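The cookie construction under discussion, worked through as an added example (this is illustrative code written for this page, not code from any IKE implementation or from the list participants). It builds a stateless responder cookie in the shape Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>), keeps a short ring of secret versions so cookies issued just before a rotation still verify, and deliberately leaves the UDP source port out of the hash, so two initiators behind one NAT get distinct cookies only because their Ni and SPIi differ. SHA-256 as the hash, a one-byte version ID, the two-version ring and all addresses, nonces and SPIs are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets


class CookieResponder:
    """Stateless IKE_SA_INIT cookie generation/verification for a responder.

    Illustrative only (not an IKE stack). The responder stores nothing per
    initiator; it keeps only a small ring of (version_id, secret) pairs.
    """

    def __init__(self, keep_versions: int = 2):
        # Oldest first; the current secret is the last entry.
        self._secrets: list[tuple[int, bytes]] = []
        self._keep = keep_versions
        self.rotate()

    def rotate(self) -> int:
        """Start a new secret version; keep a few old ones so in-flight cookies verify."""
        version = (self._secrets[-1][0] + 1) & 0xFF if self._secrets else 0
        self._secrets.append((version, secrets.token_bytes(32)))
        del self._secrets[:-self._keep]
        return version

    def current_version(self) -> int:
        return self._secrets[-1][0]

    @staticmethod
    def _hash(ni: bytes, ip_i: bytes, spi_i: bytes, secret: bytes) -> bytes:
        # Hash(Ni | IPi | SPIi | secret), SHA-256 assumed. The source port is
        # intentionally absent: the cookie only binds the IP the packet came from.
        return hashlib.sha256(ni + ip_i + spi_i + secret).digest()

    def make_cookie(self, ni: bytes, ip_i: bytes, spi_i: bytes) -> bytes:
        """Cookie = VersionID (1 byte) | Hash(...). 33 bytes, within the 64-octet COOKIE limit."""
        version, secret = self._secrets[-1]
        return bytes([version]) + self._hash(ni, ip_i, spi_i, secret)

    def verify_cookie(self, cookie: bytes, ni: bytes, ip_i: bytes, spi_i: bytes) -> bool:
        """Recompute from the *observed* source IP and the retried packet's Ni/SPIi."""
        if len(cookie) != 1 + 32:
            return False
        version = cookie[0]
        for v, secret in self._secrets:
            if v == version:
                return hmac.compare_digest(cookie[1:], self._hash(ni, ip_i, spi_i, secret))
        return False  # unknown or expired secret version


def same_nat_scenario() -> dict:
    """Two initiators behind one NAT (same IPi, different ports, different Ni/SPIi).

    Returns a small report showing that the port plays no role, that the two
    cookies still differ, and that a spoofed-source attacker (who never sees a
    cookie) cannot produce one that verifies. All values are constructed.
    """
    r = CookieResponder()
    nat_ip = bytes([203, 0, 113, 7])           # constructed TEST-NET-3 address
    a_ni, a_spi = bytes(range(32)), bytes(range(8))
    b_ni, b_spi = bytes(range(32, 64)), bytes(range(8, 16))
    # Ports 4500 and 4501 would appear on the wire but are not hashed.
    cookie_a = r.make_cookie(a_ni, nat_ip, a_spi)
    cookie_b = r.make_cookie(b_ni, nat_ip, b_spi)
    # A spoofer claiming some other address never receives the COOKIE notify,
    # so the best it can do is guess.
    forged = bytes([r.current_version()]) + secrets.token_bytes(32)
    return {
        "port_independent": cookie_a == r.make_cookie(a_ni, nat_ip, a_spi),
        "distinct_per_initiator": cookie_a != cookie_b,
        "a_verifies": r.verify_cookie(cookie_a, a_ni, nat_ip, a_spi),
        "b_verifies": r.verify_cookie(cookie_b, b_ni, nat_ip, b_spi),
        "forged_rejected": not r.verify_cookie(forged, a_ni, bytes([198, 51, 100, 9]), a_spi),
    }


if __name__ == "__main__":
    print(same_nat_scenario())
```

The responder never stores the cookie it hands out; on the retried IKE_SA_INIT it recomputes the hash from the source IP it actually observes, so a packet with a spoofed source never yields a verifiable cookie to the attacker. Rotating the secret invalidates cookies only after they fall out of the version ring.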
_______________________________________________ IPsec mailing list IPsec at ietf.org https://www.ietf.org/mailman/listinfo/ipsec