At 11:22 AM +0530 7/1/09, Mohini Kaur wrote:
>I have a doubt regarding the value of the Responder cookie in the ISAKMP protocol.
>
>When I read RFC 2408, Sec 2.5.3, it tells me that the initiator and responder
>cookie must be set to a random value.

That section does not say that at all. It says "The details of cookie generation are implementation dependent". That is followed by suggestions.

>What I understand from this is that the responder cookie can have any value
>without regard to the cookie value from the initiator.

Correct.

>But when I verify this on a Cisco device (initiator), it generates an ISAKMP main
>mode message with an initiator cookie (let it be X).
>
>When I send an ISAKMP main mode message with the responder cookie the same as the Cisco
>device's (X), or incremented by one (X+1), it discards it. (However, it
>processes the message with other values.)
>
>Again, when I do the same with a Linux machine as with Cisco, it discards the
>responder cookie with the same value (X), but processes a responder cookie with
>the value incremented by one (X+1).
>
>1. Could someone explain to me why Cisco and Linux validate the ISAKMP main mode
>message's responder cookie differently? And which is the right validation?

You need to talk to the particular vendors about your question. This mailing list is not appropriate for that.

>2. Are there any other RFCs where I can get more information about validation
>of the ISAKMP main mode message's responder cookie?

I believe that RFC 2408 is the correct RFC, but it doesn't cover what a system can and cannot do to validate a cookie.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
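The point Paul makes above, that the responder cookie is opaque to the initiator and may take any value, as an added Python example that is not part of the original thread and is not Cisco's, Linux's or any other vendor's code. It packs the 28-octet ISAKMP header from RFC 2408 section 3.1 with struct, derives a cookie in the manner section 2.5.3 describes (a fast keyed hash over the addresses, UDP ports, a local secret and the time; truncated HMAC-SHA256 is this example's choice, not something the RFC prescribes), and runs a permissive initiator-side check over the cases from the thread: X, X+1, a freshly generated cookie, an all-zero cookie, and a reply whose initiator cookie matches no outstanding SA. The rule that an all-zero responder cookie in a reply is not a valid message 2, the sample addresses and the local secret are this example's assumptions, since RFC 2408 does not spell out what an initiator may reject.

```python
"""Added example, not from the thread or any vendor: ISAKMP header handling
from RFC 2408 and an initiator-side check that treats the responder cookie
as opaque, so the X and X+1 values from the thread are accepted like any
other non-zero cookie."""
import hashlib
import hmac
import struct
import time

# RFC 2408 section 3.1 header: I-cookie(8) R-cookie(8) next payload(1)
# version(1) exchange type(1) flags(1) message ID(4) length(4) = 28 octets.
HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_VERSION = 0x10        # MjVer 1, MnVer 0
EXCH_IDENTITY_PROTECT = 2    # main mode is the identity protection exchange
NP_SA = 1                    # messages 1 and 2 of main mode start with an SA payload
ZERO_COOKIE = bytes(8)

# Constructed for the example; a real responder keeps a random secret per boot.
LOCAL_SECRET = b"example-local-secret-not-for-production"


def build_header(i_cookie, r_cookie, next_payload, exchange, body_len, msg_id=0):
    """Pack a header for a message whose payloads total body_len octets."""
    return HDR.pack(i_cookie, r_cookie, next_payload, ISAKMP_VERSION,
                    exchange, 0, msg_id, HDR.size + body_len)


def parse_header(data):
    """Unpack the fixed header; raises on a datagram shorter than 28 octets."""
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    names = ("i_cookie", "r_cookie", "next_payload", "version",
             "exchange", "flags", "msg_id", "length")
    return dict(zip(names, HDR.unpack_from(data)))


def make_cookie(secret, src_ip, dst_ip, src_port, dst_port, now=None):
    """Cookie along the lines of RFC 2408 section 2.5.3: a fast keyed hash over
    the addresses, UDP ports, a local secret and the time, the time making each
    SA's cookie unique. Truncated HMAC-SHA256 is this example's choice."""
    now = time.time() if now is None else now
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{now!r}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def initiator_accepts_reply(pending, data):
    """Initiator-side check on message 2 of main mode. `pending` maps the
    I-cookies of SAs this initiator started to their state. The R-cookie is
    opaque, so nothing about its value is checked except that it is not the
    all-zero placeholder the initiator itself sent in message 1 (that rule,
    like the rest of this check, is this example's assumption)."""
    h = parse_header(data)
    if h["i_cookie"] not in pending:
        return False, "unknown initiator cookie"
    if h["r_cookie"] == ZERO_COOKIE:
        return False, "responder cookie still zero"
    if h["version"] != ISAKMP_VERSION or h["exchange"] != EXCH_IDENTITY_PROTECT:
        return False, "unexpected version or exchange type"
    if h["length"] != len(data):
        return False, "length field does not match datagram"
    pending[h["i_cookie"]]["r_cookie"] = h["r_cookie"]   # bind the cookie pair to the SA
    return True, "accepted"


def demo():
    """Replay the thread's cases against the permissive check; returns {label: accepted}."""
    x = make_cookie(LOCAL_SECRET, "192.0.2.1", "192.0.2.2", 500, 500, now=1.0)
    x_plus_1 = ((int.from_bytes(x, "big") + 1) % 2**64).to_bytes(8, "big")
    fresh = make_cookie(LOCAL_SECRET, "192.0.2.2", "192.0.2.1", 500, 500, now=2.0)
    body = b"\x00" * 20   # stand-in for the SA payload, constructed for the example
    cases = {"X": (x, x), "X+1": (x, x_plus_1), "fresh": (x, fresh),
             "zero": (x, ZERO_COOKIE), "stray": (b"\x42" * 8, fresh)}
    results = {}
    for label, (ic, rc) in cases.items():
        pending = {x: {}}   # the one SA this initiator has outstanding
        msg2 = build_header(ic, rc, NP_SA, EXCH_IDENTITY_PROTECT, len(body)) + body
        results[label] = initiator_accepts_reply(pending, msg2)[0]
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:>6}: {'accepted' if ok else 'discarded'}")
```

With this check, X and X+1 are both accepted, which is what RFC 2408 permits; the behaviour the thread reports from the two implementations is stricter than anything the RFC requires, and the RFC gives no basis for preferring one vendor's extra rule over the other's.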