Consider the case of a mobile user. It is not sufficient for the user to identify himself using his current IP address. Therefore some other identification means is necessary, perhaps in the form of NAI. Whatever this identification mechanism is will be used in the authentication process with the central repository. But in stating the problem, I want to avoid narrowing it down to be the NAI, or some other form, as that should be defined when we come to proposing a solution for the problem.
Mike

----- Original Message -----
From: Melinda Shore
To: Michael Ko
Cc: [email protected]
Sent: Monday, November 28, 2011 7:29 PM
Subject: Re: [IPsec] Discovery (Was: Preparing a charter change for P2P VPN)

On 11/28/11 5:21 PM, Michael Ko wrote:
> [mk] A "user" is a network node that wants to connect with a peer node,
> preferably in a direct end-to-end connection. (If you can suggest a
> better term than "user" that will cause less confusion, I will use it
> instead.) A "user" may not be "authorized" to connect with all peer
> nodes in the domain.

I still find this very unclear. If a user "has" an IP address, how is the user identified, and how does the network know who it is? That is to say, there's apparently some sort of identity process/authentication going on here prior to an IKE exchange, and I cannot tell from your requirements (and frankly I find them too vague to be called requirements, really) what that identity is, who's participating, how it's transacted, or what sort of token/credential/whatever represents that identity, let alone how it's actually going to be used as the basis for authorizations. Then, there's the whole question of how you're going to authorize this stuff. I don't think you've got anything in here that's specific enough to be charterable.

Melinda
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
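To make concrete the point Mike raises at the top of the thread (a mobile user's IP address is not a usable identifier, so authentication and peer authorization have to key off a stable identity such as an NAI), here is an added illustration. It is not code from the IPsec list, the P2P VPN charter work, or any IETF document: the `CentralRepository` class, its password-hash credential store, the peer-allowlist policy format and the `session_decision` helper are all assumptions made for this example, and the NAI parsing is a simplified take on the `username@realm` shape of RFC 4282 (the NAI specification in force in 2011), not a full implementation of its grammar.

```python
"""Identity-based peer authorization keyed on an NAI, not on a source IP.

Added example, not from the IPsec mailing-list thread. The central
repository, its credential format and the peer-allowlist policy are
constructed stand-ins for whatever the actual design would define.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def parse_nai(nai: str) -> Tuple[str, Optional[str]]:
    """Split an NAI into (username, realm); realm is None for a bare username.

    Simplified RFC 4282 shape: rejects empty input, whitespace, more than one
    '@', and an empty username or realm. The realm is case-folded so that
    'alice@Example.com' and 'alice@example.com' name the same identity.
    """
    if not nai or any(c.isspace() for c in nai):
        raise ValueError("NAI must be non-empty and contain no whitespace")
    if nai.count("@") > 1:
        raise ValueError("NAI may contain at most one '@'")
    if "@" in nai:
        user, realm = nai.split("@")
        if not user or not realm:
            raise ValueError("username and realm must both be non-empty")
        return user, realm.lower()
    return nai, None


def canonical_nai(nai: str) -> str:
    """Normalised string form used as the repository key."""
    user, realm = parse_nai(nai)
    return f"{user}@{realm}" if realm else user


def _digest(salt: bytes, password: str) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever credential the real design picks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CentralRepository:
    """Constructed stand-in for the 'central repository' mentioned in the thread.

    Holds a salted password hash per NAI and the set of peer NAIs each identity
    may connect to. Nothing in it is indexed by IP address.
    """

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._peers: Dict[str, Set[str]] = {}

    def enroll(self, nai: str, password: str, authorized_peers) -> None:
        key = canonical_nai(nai)
        salt = secrets.token_bytes(16)
        self._creds[key] = (salt, _digest(salt, password))
        self._peers[key] = {canonical_nai(p) for p in authorized_peers}

    def authenticate(self, nai: str, password: str) -> Optional[str]:
        """Return the canonical identity on success, None otherwise."""
        key = canonical_nai(nai)
        entry = self._creds.get(key)
        if entry is None:
            return None
        salt, stored = entry
        # Constant-time compare so a failed check leaks nothing about the stored hash.
        return key if hmac.compare_digest(stored, _digest(salt, password)) else None

    def authorize_peer(self, identity: str, peer_nai: str) -> bool:
        return canonical_nai(peer_nai) in self._peers.get(identity, set())


def session_decision(repo: CentralRepository, nai: str, password: str,
                     peer_nai: str, source_ip: str) -> str:
    """Decide one connection attempt.

    source_ip is carried for logging only; the decision never consults it,
    which is what lets a mobile user keep its authorizations across address
    changes. Returns 'allowed', 'not authorized' or 'unauthenticated'.
    """
    identity = repo.authenticate(nai, password)
    if identity is None:
        return "unauthenticated"
    verdict = "allowed" if repo.authorize_peer(identity, peer_nai) else "not authorized"
    print(f"[{source_ip}] {nai} -> {peer_nai}: {verdict}")  # log line only
    return verdict


if __name__ == "__main__":
    # Constructed sample data: one mobile user authorized for exactly one peer.
    repo = CentralRepository()
    repo.enroll("alice@example.com", "correct horse", ["bob@Example.com"])
    # Same identity, two different addresses: both decisions come out the same.
    session_decision(repo, "alice@example.com", "correct horse", "bob@example.com", "192.0.2.10")
    session_decision(repo, "alice@example.com", "correct horse", "bob@example.com", "198.51.100.7")
    session_decision(repo, "alice@example.com", "correct horse", "carol@example.com", "198.51.100.7")
    session_decision(repo, "alice@example.com", "wrong", "bob@example.com", "198.51.100.7")
```

The one thing the example is meant to show is the separation Melinda asks about: an authentication step that yields an identity, and an authorization step that consumes that identity and nothing else. The source address appears only in the log line, so the same user moving between networks gets the same answer from the repository.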
