The cookie exchange in IPsec is part of the Oakley protocol, a key-management protocol. The cookie exchange requires that each side send a pseudorandom number, the cookie, in the initial message, which the other side acknowledges. This acknowledgement must be repeated in the first message of the Diffie-Hellman key exchange. If the source address was forged, the opponent gets no answer. Thus, an opponent can only force a user to generate acknowledgements, not to perform the Diffie-Hellman calculation. The recommended method for creating the cookie is to perform a fast hash (e.g. MD5) over the IP source and destination addresses, the UDP source and destination ports, and a locally generated secret value.
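The responder side of the exchange described above, as an added example that is not part of the original page, using MD5 because it is the hash the text names. The function names, return strings, the documentation-range addresses and port 500 are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Locally generated secret value, known only to the responder.
LOCAL_SECRET = os.urandom(16)

def make_cookie(src_ip, dst_ip, src_port, dst_port, secret=LOCAL_SECRET):
    """Fast hash over IP addresses, UDP ports and the local secret."""
    material = (
        ipaddress.ip_address(src_ip).packed
        + ipaddress.ip_address(dst_ip).packed
        + struct.pack("!HH", src_port, dst_port)
        + secret
    )
    return hashlib.md5(material).digest()

def handle_initial(src_ip, dst_ip, src_port, dst_port):
    """Initial message: answer with a cookie only. No state kept, no DH done."""
    return make_cookie(src_ip, dst_ip, src_port, dst_port)

def handle_key_exchange(src_ip, dst_ip, src_port, dst_port, echoed_cookie):
    """First DH message: recompute the cookie before any expensive work."""
    expected = make_cookie(src_ip, dst_ip, src_port, dst_port)
    if not hmac.compare_digest(expected, echoed_cookie):
        return "dropped"          # cheap rejection, no modular exponentiation
    return "proceed-to-dh"        # sender proved it receives packets at src_ip

def demo():
    """Constructed scenario using documentation address ranges."""
    responder, honest, forged, real = "203.0.113.1", "192.0.2.10", "198.51.100.7", "192.0.2.66"
    results = {}
    # Honest initiator receives the cookie at its real address and echoes it.
    cookie = handle_initial(honest, responder, 500, 500)
    results["honest"] = handle_key_exchange(honest, responder, 500, 500, cookie)
    # Forged source: the reply went to 198.51.100.7, so the sender has to guess.
    handle_initial(forged, responder, 500, 500)
    results["forged_guess"] = handle_key_exchange(forged, responder, 500, 500, bytes(16))
    # A cookie obtained for the sender's real address is bound to that address.
    own = handle_initial(real, responder, 500, 500)
    results["forged_reuse"] = handle_key_exchange(forged, responder, 500, 500, own)
    return results

if __name__ == "__main__":
    print(demo())
```

Because the cookie is recomputed from the packet fields and the secret, the responder stores nothing per request until the echoed cookie checks out.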