MyCookie
The two peers each generate a pseudo-random number that is used for anti-clogging purposes: the responder does not commit memory or do expensive computation (such as the Diffie-Hellman exponentiation) until the initiator returns the responder's cookie, which shows that the initiator can actually receive traffic at the source address it claims. The ISAKMP RFC (RFC 2408) states that the method of creating the cookie is implementation-dependent but suggests performing a hash (for example MD5) over the IP source and destination addresses, the UDP source and destination ports, and a locally generated secret random value; because the cookie must be unique for each SA establishment, to help prevent replay attacks, the date and time are added to the hashed data. Binding the cookie to the peer's addresses and to a secret that only the issuer knows means that nobody else can mint cookies the issuer will accept, and the issuer can check a returned cookie by recomputing it rather than by looking up stored state. The cookie pair then becomes the unique identifier for the rest of the messages exchanged in the IKE negotiation.
Generation of the initiator cookie - An 8-byte pseudo-random number used for anti-clogging
CKY-I = md5{src_ip, dest_ip, src_port, dest_port, local secret, time and date}
Generation of the responder cookie - An 8-byte pseudo-random number used for anti-clogging
CKY-R = md5{src_ip, dest_ip, src_port, dest_port, local secret, time and date}
IKE uses the payloads and packet formats defined in the ISAKMP protocol to do the actual exchange of information. Each packet consists of the ISAKMP header followed by a series of payloads that carry the information needed to carry out the negotiation. The header is 28 octets: the initiator cookie (8 octets), the responder cookie (8 octets), next payload type, version, exchange type, flags, message ID and total length. In the first message of an exchange the responder cookie field is zero, because the responder has not generated CKY-R yet; every later message carries both cookies.
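The cookie construction and the header format described above, worked through as an added example that is not code from the original post or from any IKE implementation. It packs and parses the 28-octet ISAKMP header, generates CKY-I and CKY-R per the RFC 2408 suggestion (addresses, UDP ports, a local secret, time), and shows the stateless responder-side check that makes the cookie useful against clogging. The peer secrets, the addresses, the 60-second time bucket and the placeholder SA payload are all constructed for the example.

```python
import hashlib
import hmac
import struct

# ISAKMP header (RFC 2408 section 3.1): two 8-octet cookies, next payload,
# version, exchange type, flags, message ID and total length = 28 octets.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size          # 28
COOKIE_LEN = 8
ZERO_COOKIE = bytes(COOKIE_LEN)           # CKY-R is zero in the first message
NP_SA = 1                                 # Next Payload: Security Association
VERSION_1_0 = 0x10                        # major 1, minor 0
EXCH_IDENTITY_PROTECTION = 2              # IKE Main Mode
TIME_BUCKET = 60                          # assumed granularity of the "time and date" term

# Constructed secrets for the example: each peer keeps its own, never sent on the wire.
INITIATOR_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
RESPONDER_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def make_cookie(secret, src_ip, dst_ip, src_port, dst_port, now):
    """Cookie per the RFC 2408 suggestion: MD5 over the IP addresses, the UDP
    ports, a locally generated secret and the date/time, truncated to 8 octets."""
    bucket = int(now) // TIME_BUCKET
    h = hashlib.md5()
    h.update(secret)
    h.update(src_ip.encode() + b"|" + dst_ip.encode())
    h.update(struct.pack("!HHQ", src_port, dst_port, bucket))
    return h.digest()[:COOKIE_LEN]


def verify_cookie(secret, cookie, src_ip, dst_ip, src_port, dst_port, now):
    """Stateless anti-clogging check: recompute the cookie for the current and the
    previous time bucket and compare in constant time. Nothing was stored when the
    cookie was issued, so a flood of first messages costs the responder no memory."""
    for t in (now, now - TIME_BUCKET):
        if hmac.compare_digest(cookie, make_cookie(secret, src_ip, dst_ip, src_port, dst_port, t)):
            return True
    return False


def build_header(cky_i, cky_r, payload_len, msg_id=0, flags=0):
    """Pack an ISAKMP header for a Main Mode message whose first payload is an SA."""
    return ISAKMP_HDR.pack(cky_i, cky_r, NP_SA, VERSION_1_0, EXCH_IDENTITY_PROTECTION,
                           flags, msg_id, ISAKMP_HDR_LEN + payload_len)


def parse_header(data):
    """Unpack the header and check the length field against the datagram."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    names = ("cky_i", "cky_r", "next_payload", "version", "exch", "flags", "msg_id", "length")
    hdr = dict(zip(names, ISAKMP_HDR.unpack_from(data)))
    if hdr["length"] != len(data):
        raise ValueError("length field does not match datagram size")
    return hdr


def simulate(now=1700000000):
    """Messages 1-3 of Main Mode as seen at the header level, with the responder's
    cookie check applied to message 3 before any state is created."""
    ini, rsp, port = "192.0.2.10", "198.51.100.20", 500   # constructed addresses
    sa_payload = b"\x00" * 12                              # placeholder for a real SA payload
    # Message 1: initiator sends CKY-I; CKY-R is all zeros.
    cky_i = make_cookie(INITIATOR_SECRET, ini, rsp, port, port, now)
    msg1 = build_header(cky_i, ZERO_COOKIE, len(sa_payload)) + sa_payload
    h1 = parse_header(msg1)
    # Message 2: responder issues CKY-R bound to the initiator's address and port,
    # keeping no per-peer state yet.
    cky_r = make_cookie(RESPONDER_SECRET, ini, rsp, port, port, now)
    msg2 = build_header(h1["cky_i"], cky_r, len(sa_payload)) + sa_payload
    h2 = parse_header(msg2)
    # Message 3: initiator echoes both cookies; responder validates CKY-R statelessly.
    msg3 = build_header(h2["cky_i"], h2["cky_r"], 0)
    h3 = parse_header(msg3)
    genuine = verify_cookie(RESPONDER_SECRET, h3["cky_r"], ini, rsp, port, port, now + 5)
    # The same cookie arriving from another source address (spoofed) is rejected.
    spoofed = verify_cookie(RESPONDER_SECRET, h3["cky_r"], "203.0.113.9", rsp, port, port, now + 5)
    # The same cookie replayed many time buckets later (stale) is rejected.
    stale = verify_cookie(RESPONDER_SECRET, h3["cky_r"], ini, rsp, port, port, now + 10 * TIME_BUCKET)
    return {"cky_i": cky_i, "cky_r": cky_r, "msg1": msg1, "msg3": msg3,
            "genuine": genuine, "spoofed": spoofed, "stale": stale}


if __name__ == "__main__":
    r = simulate()
    print("CKY-I", r["cky_i"].hex(), "CKY-R", r["cky_r"].hex())
    print("genuine", r["genuine"], "spoofed", r["spoofed"], "stale", r["stale"])
```

The time bucket is what makes the check stateless: the responder recomputes the cookie for the current and the previous window instead of remembering which cookies it issued, and a cookie older than that is simply refused. A real implementation would also rotate the secret and would only start Diffie-Hellman work after `verify_cookie` succeeds.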