[IPsec] IPSec responder cookie

Mohini Kaur <mohini_kaur@hotmail.com> Thu, 25 June 2009 12:38 UTC

Hi,

I have a doubt regarding the value of the Responder cookie in the ISAKMP protocol.

When I read RFC 2408, Sec 2.5.3, it says that the initiator and responder cookies must be set to a random value.

What I understand from this is that the responder cookie can have any value, regardless of the cookie value from the initiator.

But when I verify this with a Cisco device (initiator), it generates an ISAKMP main mode message with an initiator cookie (let it be X).

When I send an ISAKMP main mode message with the responder cookie the same as the Cisco device's (X) or incremented by one (X+1), it discards it. (However, it processes the message with other values.)

Again, when I do the same on a Linux machine as on the Cisco, it discards the responder cookie with the same value (X), but processes a responder cookie with the value incremented by one (X+1).

1. Could someone explain to me why Cisco and Linux validate the ISAKMP main mode message with the responder cookie differently? And which is the right validation?

2. Are there any other RFCs where I can get more information about validation of an ISAKMP main mode message with a responder cookie?

Thanks in advance.

Regards
Mohini
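
Added example, not part of the original message and not code from Cisco or Linux: a sketch of where the two cookies sit in the 28-byte ISAKMP header, and of the cookie construction suggested in RFC 2408 Sec 2.5.3 (a fast hash over the IP addresses, UDP ports, a local secret, and date/time). The function names, the use of truncated SHA-256, IPv4-only addresses, and the checks in `check_reply` are assumptions of this example.

```python
import hashlib
import socket
import struct
import time

# ISAKMP fixed header (RFC 2408 sec. 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, length = 28 bytes.
HEADER = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = bytes(8)


def make_cookie(secret, src_ip, dst_ip, src_port, dst_port, now=None):
    """Cookie in the style suggested by RFC 2408 sec. 2.5.3: hash of both IP
    addresses, both UDP ports, a local secret, and the date/time.
    SHA-256 truncated to 8 bytes is this example's choice of hash."""
    stamp = struct.pack("!d", time.time() if now is None else now)
    material = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                + struct.pack("!HH", src_port, dst_port) + secret + stamp)
    return hashlib.sha256(material).digest()[:8]


def parse_header(datagram):
    """Split the fixed header into named fields; reject short input."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    names = ("icookie", "rcookie", "next_payload", "version",
             "exchange", "flags", "message_id", "length")
    return dict(zip(names, HEADER.unpack_from(datagram)))


def check_reply(our_icookie, datagram):
    """Initiator-side check of the first reply (illustrative policy only).
    Returns None if acceptable, otherwise the reason for discarding."""
    hdr = parse_header(datagram)
    if hdr["icookie"] != our_icookie:
        return "initiator cookie not echoed"
    if hdr["rcookie"] == ZERO_COOKIE:
        return "responder cookie is zero"
    if hdr["length"] != len(datagram):
        return "length field does not match datagram"
    return None


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses and a made-up secret.
    ic = bytes.fromhex("0102030405060708")
    rc = make_cookie(b"local-secret", "198.51.100.1", "192.0.2.1", 500, 500)
    reply = HEADER.pack(ic, rc, 0, 0x10, 2, 0, 0, HEADER.size)  # type 2 = main mode
    print(rc.hex(), check_reply(ic, reply))
```

A cookie built this way does not depend on the peer's cookie value; it depends only on the addresses, ports, secret and time that went into the hash.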
