If you want to harden things, it would be better to do it much differently. If 
we depend on the cookie being at the end, we would be way too fragile.

IKEv1 started where payload order didn't matter and I still believe that should 
remain true as much as possible.

It doesn't stop you from putting COOKIE at the end though.

Sent from my iPhone

On Jan 20, 2016, at 01:28, Valery Smyslov <sva...@gmail.com> wrote:

>> You should have read the rest of that paragraph:
>> For MD5, the most efficient collision attacks do not have a
>> compatible message difference, but it seems possible to build
>> a dedicated attack with complexity below 2^39. However, for
>> SHA-1, all known collision attacks use differences in every
>> message words, and are thus unsuitable.
>> I.e. they say that this attack is impossible with SHA-1 too for now,
>> as they cannot use the 2^77 attack for SHA-1, as it only works with
>> chosen-prefix collisions where this requires almost-common-prefix
>> collision attack, and that does not work for SHA. To be able to attack
>> SHA-1 they need to find new ways to make almost chosen-prefix attacks
>> against SHA1.
> 
> At the beginning of the paper the authors write that the attack against
> IKEv2 is _almost_ practical. So, it is infeasible today, but taking
> into considerations fast progress in hash analysis can become feasible 
> tomorrow. That's why it's better to have an additional defense
> on the protocol level (like moving COOKIE at the end of the message).
> It is not an urgent action that we should do in a rush, but it is an option
> we should consider for next major protocol update (if it happens).
> 
> Regards,
> Valery.
> 

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
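The point made above, that a receiver walks the IKE payload chain and does not care where a given payload sits, is easy to show in code. The following is an added example written for this page; it is not code from the thread or from any IKE implementation. It assumes constructed sample IKE_SA_INIT messages, parses only the generic payload header and the Notify payload layout from RFC 7296 (payload types SA=33, KE=34, Nonce=40, N=41; COOKIE notify type 16390), and does the length checks a hardened receiver would do regardless of payload order.

```python
"""Order-independent walk of an IKEv2 payload chain (added example).

Assumptions: sample messages are constructed here; only the generic payload
header and the Notify payload layout from RFC 7296 are parsed.
"""
import struct

IKE_HEADER_LEN = 28                      # RFC 7296 section 3.1
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 33, 34, 40, 41
NOTIFY_COOKIE = 16390                    # RFC 7296 section 3.10.1
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08


def build_payload(next_type, body):
    # Generic payload header: Next Payload (1), Critical bit + reserved (1), Length (2)
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def build_message(payloads):
    """Serialize a message from (type, data) pairs in the order given.

    For PAYLOAD_NOTIFY the data is the cookie value and is wrapped in a Notify
    payload (Protocol ID 0, SPI Size 0, type COOKIE); other types carry opaque
    sample data, which is enough for walking the chain.
    """
    chain = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0  # 0 = none
        body = struct.pack("!BBH", 0, 0, NOTIFY_COOKIE) + data if ptype == PAYLOAD_NOTIFY else data
        chain += build_payload(next_type, body)
    first_type = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first_type,
                         0x20, EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0,
                         IKE_HEADER_LEN + len(chain))
    return header + chain


def walk_payloads(msg):
    """Yield (payload_type, body) following the Next Payload chain, with length checks."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    *_, next_type, _, _, _, _, length = struct.unpack("!8s8sBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise ValueError("header length does not match message length")
    offset = IKE_HEADER_LEN
    while next_type != 0:
        if offset + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < 4 or offset + plen > len(msg):
            raise ValueError("bad payload length")
        yield next_type, msg[offset + 4:offset + plen]
        next_type = following
        offset += plen
    if offset != len(msg):
        raise ValueError("trailing bytes after last payload")


def payload_types(msg):
    return [ptype for ptype, _ in walk_payloads(msg)]


def find_cookie(msg):
    """Return the COOKIE notification data wherever it appears in the chain, else None."""
    for ptype, body in walk_payloads(msg):
        if ptype != PAYLOAD_NOTIFY or len(body) < 4:
            continue
        _, spi_size, notify_type = struct.unpack("!BBH", body[:4])
        if notify_type == NOTIFY_COOKIE:
            return body[4 + spi_size:]
    return None


# Constructed sample messages: same payloads, COOKIE first vs. COOKIE last.
COOKIE = b"constructed-cookie"
SAMPLE = [(PAYLOAD_SA, b"\x01" * 8), (PAYLOAD_KE, b"\x02" * 16), (PAYLOAD_NONCE, b"\x03" * 16)]
COOKIE_FIRST = build_message([(PAYLOAD_NOTIFY, COOKIE)] + SAMPLE)
COOKIE_LAST = build_message(SAMPLE + [(PAYLOAD_NOTIFY, COOKIE)])

if __name__ == "__main__":
    print(payload_types(COOKIE_FIRST), find_cookie(COOKIE_FIRST))
    print(payload_types(COOKIE_LAST), find_cookie(COOKIE_LAST))
```

Both orderings yield the same cookie, so a receiver that walks the chain works whether an implementation chooses to send COOKIE first, as RFC 7296 shows, or last, as proposed in the thread; the length checks in `walk_payloads` are what a receiver should rely on for robustness rather than any fixed payload position.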
