Hi, at the IPSECME@IETF115 I made a presentation (which is actually was also presented at IETF109) about a minor flaw in IKEv2 which is concerned with cookie processing.
The flaw becomes noticeable in situation when there is high risk of packet loss and reordering and when the responder either frequently changes the secret used for cookie generation or frequently changes its mind whether it needs to request a cookie or not (is it under attack or not). In this situation there is a risk that the peers erroneously fail to authenticate each other. The details are in the presentation https://datatracker.ietf.org/meeting/115/materials/slides-115-ipsecme-revised-cookie-processing-in-ikev2-00 The possible solution is proposed in the draft https://datatracker.ietf.org/doc/draft-smyslov-ipsecme-ikev2-cookie-revised/ As directed by the chairs I'd like to initiate a discussion whether we need to address this flaw and if yes, then whether the proposed approach is reasonable. Opinions? Regards, Valery. _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
