- From: "Donato Battaglino" <
>
- To:
- Subject: cookie in ikev2
- Date: Sat, 5 May 2007 10:36:44 +0200
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=by5AJbrv+fzMH8U3q463JbsD9Mx44lsbGSNDbInejdrErW76kpy8lsnyBumdvv+WUQWwHQvJF4gqnZuqrbjok3gcbHoiOt2/+8OZL8VogaeR8HKkMaL+XzXNrxqYookIQixTLbsojycynWtxGzzITH3T0mmLqPw82vd3k6KCxRs=
Io x questa cosa ci stavo uscendo matto, poi ho visto l'RFC e ho
chiarito tutto, x evitare che qualcuno vedendo la traccia si confonda
come ho fatto io, notifico quanto segue :) : i campi cookie
nell'header file dei pacchetti ikev2 si riferiscono all' ike_spi che è
deciso da entrambi i peer della comunicazione. Il cookie vero e
proprio (per evitare attacchi DoS) è contenuto nel notification
header.
Cito RFC4306 :
" The Internet Security Association and Key Management
Protocol (ISAKMP) [MSST98] fixed message header includes two eight-
octet fields titled "cookies", and that syntax is used by both IKEv1
and IKEv2 though in IKEv2 they are referred to as the IKE SPI and
there is a new separate field in a Notify payload holding the cookie.
The initial two eight-octet fields in the header are used as a
connection identifier at the beginning of IKE packets. Each endpoint
chooses one of the two SPIs and SHOULD choose them so as to be unique
identifiers of an IKE_SA. An SPI value of zero is special and
indicates that the remote SPI value is not yet known by the sender. "
ciao a tutti
donato
- cookie in ikev2, Donato Battaglino
Archivio con motore MhonArc 2.6.16.