[Swan-dev] Question on get_cookie() code

Paul Wouters paul at nohats.ca
Thu Jan 7 19:58:47 UTC 2016

On Thu, 7 Jan 2016, Andrew Cagney wrote:

>> If we are responder and send back NO_PROPOSAL_CHOSEN in response to the
>> first IKE message, our SPI should be 0. If the error happens later in
>> the exchange, then we have commited to a SPI (and they might resend with
>> different proposal values although very unlikely)
> Yes, and doing that doesn't end well (read bugs :-).  Same goes for
> sending back an SPI and INVALID_KE.

I'm pretty sure we use a zero spi in those cases?

>> We use a hash so it does not use randomness/entropy while providing
>> strong pseudorandom.
> Oh, yes.  IKEv2 suggests one.  That's even cheaper, and keeps
> attackers away from the entropy pool.

Yes, we implement the suggestion from the RFC, minus the secret
versioning. This means that once a day, if we have cookies enabled,
some clients will reply with a cookie that will fail. The RFC says
that failing cookies should be treated as if no cookie was there,
so in theory we then send them another cookie and they can come
back with that. I don't know if that works in practise for libreswan
as a client :)


More information about the Swan-dev mailing list