On Thu, 7 Jan 2016, Andrew Cagney wrote:
If we are responder and send back NO_PROPOSAL_CHOSEN in response to the
first IKE message, our SPI should be 0. If the error happens later in
the exchange, then we have commited to a SPI (and they might resend with
different proposal values although very unlikely)
Yes, and doing that doesn't end well (read bugs :-). Same goes for
sending back an SPI and INVALID_KE.
I'm pretty sure we use a zero spi in those cases?
We use a hash so it does not use randomness/entropy while providing
strong pseudorandom.
Oh, yes. IKEv2 suggests one. That's even cheaper, and keeps
attackers away from the entropy pool.
Yes, we implement the suggestion from the RFC, minus the secret
versioning. This means that once a day, if we have cookies enabled,
some clients will reply with a cookie that will fail. The RFC says
that failing cookies should be treated as if no cookie was there,
so in theory we then send them another cookie and they can come
back with that. I don't know if that works in practise for libreswan
as a client :)
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
