Yaron Sheffer writes:
> Here's a concrete rewording proposal.
>
> Old:
>
> The term "cookies" originates with Karn and Simpson [PHOTURIS] in
> Photuris, an early proposal for key management with IPsec, and it
> has persisted. The Internet Security Association and Key Management
> Protocol (ISAKMP) [ISAKMP] fixed message header includes two
> eight-octet fields titled "cookies", and that syntax is used by both
> IKEv1 and IKEv2, although in IKEv2 they are referred to as the "IKE
> SPI" and there is a new separate field in a Notify payload holding
> the cookie. The initial two eight-octet fields in the header are
> used as a connection identifier at the beginning of IKE packets.
> Each endpoint chooses one of the two SPIs and MUST choose them so as
> to be unique identifiers of an IKE SA. An SPI value of zero is
> special and indicates that the remote SPI value is not yet known by
> the sender.
>
> New:
>
> The initial two eight-octet fields in the header, termed "IKE SPIs",
> are used as a connection identifier at the beginning of IKE packets.
> Each endpoint chooses one of the two SPIs and MUST choose them so as
> to be unique identifiers of an IKE SA. An SPI value of zero is
> special and indicates that the remote SPI value is not yet known by
> the sender.
>
> [Add as the last paragraph of 2.6:]
>
> A note on terminology: the term "cookies" originates with Karn and
> Simpson [PHOTURIS] in Photuris, an early proposal for key management
> with IPsec, and it has persisted. The Internet Security Association
> and Key Management Protocol (ISAKMP) [ISAKMP] fixed message header
> includes two eight-octet fields titled "cookies", and that syntax is
> used by both IKEv1 and IKEv2, although in IKEv2 they are referred to
> as the "IKE SPI" and there is a new separate field in a Notify
> payload holding the cookie.

That change is fine too (although I could also accept leaving it as it
is).
--
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
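
The SPI rules in the quoted text (two eight-octet IKE SPIs at the start of the header, zero meaning the remote SPI is not yet known), shown as an added example that is not part of the original thread. The rest of the header layout and the exchange type numbers are assumptions taken from the IKEv2 fixed header rather than from this message, and `check_ike_spis` and `build_header` are hypothetical names.

```python
import struct

# Layout assumed from the IKEv2 fixed header: two 8-octet IKE SPIs, then
# next payload, version, exchange type, flags (1 octet each), message ID, length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = bytes(8)
IKE_SA_INIT = 34  # exchange type of the initial exchange (assumption, see lead-in)


def check_ike_spis(packet: bytes) -> dict:
    """Extract the SPI pair and list reasons it cannot identify an IKE SA."""
    if len(packet) < IKE_HDR.size:
        raise ValueError("shorter than the 28-octet IKE header")
    spi_i, spi_r, _np, _ver, exch, _flags, _msg_id, _length = IKE_HDR.unpack_from(packet)
    problems = []
    if spi_i == ZERO_SPI:
        problems.append("initiator SPI is zero")
    # Zero means the remote SPI is not yet known to the sender, which can
    # only be true while the initial exchange is still in progress.
    if spi_r == ZERO_SPI and exch != IKE_SA_INIT:
        problems.append("responder SPI is zero outside IKE_SA_INIT")
    return {
        "initiator_spi": spi_i.hex(),
        "responder_spi": spi_r.hex(),
        "remote_spi_known": spi_r != ZERO_SPI,
        "problems": problems,
    }


def build_header(spi_i: bytes, spi_r: bytes, exch: int, flags: int, msg_id: int) -> bytes:
    """Constructed test input: a header-only packet (no payloads follow)."""
    return IKE_HDR.pack(spi_i, spi_r, 0, 0x20, exch, flags, msg_id, IKE_HDR.size)


if __name__ == "__main__":
    spi = bytes.fromhex("1122334455667788")  # constructed sample value
    # First message of the initial exchange: zero responder SPI is expected.
    print(check_ike_spis(build_header(spi, ZERO_SPI, IKE_SA_INIT, 0x08, 0)))
    # Exchange type 35 (IKE_AUTH): both SPIs must be known by now.
    print(check_ike_spis(build_header(spi, ZERO_SPI, 35, 0x08, 1)))
```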