Re: IPSec Question

From: Ariel Shaqed (ascolnic_at_checkpoint.com)
Date: 09/29/03


Date: 29 Sep 2003 16:14:18 +0200

hgenedy@nile-online.net (Haitham Genedy) writes:

> Hello
> Assuming Main Mode for phase 1 (with RSA signature) and Quick Mode for
> phase 2.
> In Main Mode the process of cookie validation is clear, but in
> Quick Mode it is not, at least for me.
>
> Question 1:
> Does the validation of hash values in Quick Mode imply validation of
> cookies? Or is there still another separate process to validate
> cookies in addition to the hash validation?

What does "validate the cookies" mean? If you mean "prove possession
of the IKE SA formed in Phase 1", then validating the hashes proves
the peer possesses the IKE SA.

> Question 2:
> In Quick Mode, are the nonces generated in the first two messages
> whether PFS is configured or not? Or are they just generated in case
> of PFS?
>
> In other words, are nonces related to the Diffie-Hellman exchange processed
> in IKE or not?

No, nonces are always included. They are needed for proving
"liveness" (preventing some replay attacks), but most importantly to
generate a new IPSEC SA key (and prevent an old key from being
re-used).

PFS adds a KE (Key Exchange) payload on packets 1 and 2.

See RFC2409, section 5.5 "Phase 2 - Quick Mode".

> Thanks in advance

You're welcome.

-- 
This message may contain confidential and/or proprietary information, and
is intended only for the person/entity to whom it was originally addressed.
The content of this message may contain private views and opinions which do
not constitute a formal disclosure or commitment unless specifically stated.
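The two points in the reply above (the Quick Mode hashes prove possession of the Phase 1 IKE SA, and the nonces feed into every new IPsec key, with PFS adding a DH secret) worked through as an added example that is not part of the original thread. It follows the HASH(1..3) and KEYMAT formulas of RFC 2409 section 5.5; HMAC-SHA1 as the prf, the SKEYID values, nonces and SPI are all constructed, client identity payloads are omitted, and the next-payload field of the generic header is simplified to zero.

```python
import hmac
import hashlib

ESP = 3  # IPsec protocol identifier mixed into KEYMAT

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is assumed as the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

def payload(body: bytes) -> bytes:
    """Full ISAKMP payload: generic header (next, reserved, length) + body.
    The next-payload octet is set to 0 as a simplification."""
    return b"\x00\x00" + (len(body) + 4).to_bytes(2, "big") + body

def quick_mode_hashes(skeyid_a, m_id, sa, ni_b, nr_b, ke_i=b"", ke_r=b""):
    """HASH(1), HASH(2), HASH(3) of RFC 2409 section 5.5.
    sa and ke_* are full payloads, ni_b/nr_b are nonce bodies; the KE
    payloads are empty unless PFS is in use (IDci/IDcr omitted here)."""
    h1 = prf(skeyid_a, m_id + sa + payload(ni_b) + ke_i)
    h2 = prf(skeyid_a, m_id + ni_b + sa + payload(nr_b) + ke_r)
    h3 = prf(skeyid_a, b"\x00" + m_id + ni_b + nr_b)
    return h1, h2, h3

def keymat(skeyid_d, spi, ni_b, nr_b, g_xy=b""):
    """KEYMAT for one IPsec SA; g_xy is the Quick Mode DH secret under PFS."""
    return prf(skeyid_d, g_xy + bytes([ESP]) + spi + ni_b + nr_b)

def demo():
    # Constructed values; a real Phase 1 exchange derives SKEYID_a/SKEYID_d.
    skeyid_a, skeyid_d = b"A" * 20, b"D" * 20
    m_id, sa, spi = b"\x00\x00\x00\x01", payload(b"ESP-proposal"), b"\x12\x34\x56\x78"
    ni, nr = b"\x11" * 16, b"\x22" * 16
    h = quick_mode_hashes(skeyid_a, m_id, sa, ni, nr)
    # The responder recomputes HASH(1) from its copy of the IKE SA.
    responder_ok = h[0] == quick_mode_hashes(skeyid_a, m_id, sa, ni, nr)[0]
    # A party that knows the cookies but not SKEYID_a cannot match it.
    forged_ok = h[0] == quick_mode_hashes(b"X" * 20, m_id, sa, ni, nr)[0]
    # Fresh nonces under the same IKE SA yield a fresh IPsec key.
    k1 = keymat(skeyid_d, spi, ni, nr)
    k2 = keymat(skeyid_d, spi, b"\x33" * 16, nr)
    # With PFS the Quick Mode DH secret is mixed in as well.
    k_pfs = keymat(skeyid_d, spi, ni, nr, g_xy=b"\x44" * 32)
    return {"responder_ok": responder_ok, "forged_ok": forged_ok,
            "nonce_changes_key": k1 != k2, "pfs_changes_key": k1 != k_pfs}
```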

