- From: "Donato Battaglino" <>
- To:
- Subject: cookie in ikev2
- Date: Sat, 5 May 2007 12:20:50 +0200
I was going crazy over this, then I looked at the RFC and it all became clear. To avoid someone getting confused looking at the trace, as I did, I am noting the following :) : the cookie fields in the header of IKEv2 packets refer to the IKE_SPI, which is chosen by both peers of the communication. The actual cookie (to prevent DoS attacks) is contained in the notification header.
Quoting RFC 4306:
" The Internet Security Association and Key Management
Protocol (ISAKMP) [MSST98] fixed message header includes two eight-
octet fields titled "cookies", and that syntax is used by both IKEv1
and IKEv2 though in IKEv2 they are referred to as the IKE SPI and
there is a new separate field in a Notify payload holding the cookie.
The initial two eight-octet fields in the header are used as a
connection identifier at the beginning of IKE packets. Each endpoint
chooses one of the two SPIs and SHOULD choose them so as to be unique
identifiers of an IKE_SA. An SPI value of zero is special and
indicates that the remote SPI value is not yet known by the sender. "
bye everyone
donato
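To make the distinction in the message concrete, here is an added Python example (not part of the original post or of any IKE implementation) that parses the fixed 28-octet IKEv2 header from RFC 4306 and walks the payload chain to find a Notify payload of type COOKIE. The header's two eight-octet fields are decoded as the initiator and responder SPIs, never as a cookie; the cookie is only ever read from the Notify payload. The sample message is constructed inline by the example's own `build_cookie_response` helper, modelling a responder's IKE_SA_INIT reply `HDR(A,0), N(COOKIE)` with the responder SPI still zero, so it runs offline. Field layouts and the constant values (payload type 41 for Notify, exchange type 34 for IKE_SA_INIT, notify type 16390 for COOKIE, response flag 0x20) are taken from RFC 4306; the function names are this example's own.

```python
import struct

# Fixed IKEv2 header (RFC 4306 section 3.1):
#   Initiator SPI (8) | Responder SPI (8) | Next Payload (1) | MjVer/MnVer (1)
#   | Exchange Type (1) | Flags (1) | Message ID (4) | Length (4)
IKE_HEADER_FMT = "!QQBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28 octets

NO_NEXT_PAYLOAD = 0        # terminates the payload chain
PAYLOAD_NOTIFY = 41        # "N" payload type
EXCHANGE_IKE_SA_INIT = 34
FLAG_RESPONSE = 0x20       # R bit in the Flags octet
IKEV2_VERSION = 0x20       # major 2, minor 0
NOTIFY_COOKIE = 16390      # Notify Message Type for COOKIE (status type)


def parse_ike_header(data):
    """Decode the fixed header. The two 8-octet fields are IKE SPIs, not cookies."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("message shorter than the fixed IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack(
        IKE_HEADER_FMT, data[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError("not an IKEv2 message")
    if length > len(data):
        raise ValueError("Length field exceeds received data")
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": nxt,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


def iter_payloads(data, first_type):
    """Yield (payload_type, body) for each generic payload header in the chain."""
    offset, ptype = IKE_HEADER_LEN, first_type
    while ptype != NO_NEXT_PAYLOAD:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _crit, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length")  # reject lengths that run past the buffer
        yield ptype, data[offset + 4:offset + plen]
        ptype, offset = next_type, offset + plen


def parse_notify(body):
    """Notify payload body: Protocol ID (1) | SPI Size (1) | Notify Type (2) | SPI | Data."""
    proto_id, spi_size, ntype = struct.unpack("!BBH", body[:4])
    spi = body[4:4 + spi_size]
    return proto_id, spi, ntype, body[4 + spi_size:]


def extract_cookie(message):
    """Return (header, cookie_bytes_or_None); the cookie comes only from N(COOKIE)."""
    hdr = parse_ike_header(message)
    for ptype, body in iter_payloads(message[:hdr["length"]], hdr["next_payload"]):
        if ptype == PAYLOAD_NOTIFY:
            _proto, _spi, ntype, ndata = parse_notify(body)
            if ntype == NOTIFY_COOKIE:
                return hdr, ndata
    return hdr, None


def build_cookie_response(spi_i, cookie):
    """Constructed sample: responder's HDR(A,0), N(COOKIE) reply (responder SPI is zero)."""
    notify_body = struct.pack("!BBH", 0, 0, NOTIFY_COOKIE) + cookie
    payload = struct.pack("!BBH", NO_NEXT_PAYLOAD, 0, 4 + len(notify_body)) + notify_body
    header = struct.pack(IKE_HEADER_FMT, spi_i, 0, PAYLOAD_NOTIFY, IKEV2_VERSION,
                         EXCHANGE_IKE_SA_INIT, FLAG_RESPONSE, 0,
                         IKE_HEADER_LEN + len(payload))
    return header + payload


if __name__ == "__main__":
    # Constructed sample values: an initiator SPI and a 16-octet cookie.
    sample = build_cookie_response(0x1122334455667788, bytes(range(16)))
    hdr, cookie = extract_cookie(sample)
    print("SPIi=%016x SPIr=%016x cookie=%s" % (hdr["spi_i"], hdr["spi_r"], cookie.hex()))
```

When run over a capture, `hdr["spi_r"] == 0` on the cookie reply is exactly the "SPI value of zero is special" case quoted from the RFC: the responder has not yet committed an SPI, and the anti-DoS cookie is the Notify data, not either header field.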