Paul Wouters writes:
> > Actually I now noticed you changed the "SHOULD be ignored" to "MUST be
> > ignored", and I think that is again a bad idea. I think logging and
> > auditing the ID for problem solving purposes is a good idea even if it
> > does not have any meaning for the authentication. I.e. at least then I
> > can contact helpdesk and say that my NULL authentication connection to
> > server 1.2.3.4 failed, and I have no idea why, can you help. Oh, my ID
> > payload had ID_KEY_ID 0324234mkdsff43r5, if that helps you to find it
> > from your logs...
>
> I disagree strongly. The point here is that the client is anonymous. We
> should not add things that can be traced to a user. Someone will badly
> abuse this "feature" like you are suggesting for "diagnostics" and
> inadvertently compromise the client's anonymity.
I guess you have never done any helpdesk support trying to help people who
complain that something does not work? Having something there that would
help support find your items in the logs is always useful. The client does
not have to put anything there if they do not like it, and the default
setting should be that there is nothing, but allowing such things will make
life easier for those poor souls doing helpdesk.

I myself need to sometimes help people complaining about email problems in
iki.fi (an email forwarder), and it is really hard to try to find a specific
email in the logs, especially as there are problems with timezones, delays
and so on, so the exact time when the email was sent does not really help.
Sometimes they are able to find the message-id of the problematic email or
the queue id on our end, and then it is so easy to find the entries in the
logs and pinpoint the problem.

I think the most important point of this feature is that the client is
UNAUTHENTICATED, not that it is ANONYMOUS. If you want to have anonymity then
you need to use TOR or similar; this is not enough. Your IP address etc. will
give your identity out in most cases anyway. Even if your IP address is not
the same as normally, your browser using the same IP address at the same
time will give out a browser fingerprint that will most likely uniquely
identify you when combined with the fact that you are also using null
authentication in IPsec and connecting to host X.

We should understand what this feature offers, and what it can be used for.
Anonymity is not offered by this feature.

-- 
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
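As an added illustration of the distinction drawn in this thread between an unauthenticated peer and an anonymous one (this is example code written for this page, not code from the thread or from any IKE implementation), the responder below parses the IKEv2 Identification payload, keeps whatever the client sent purely as a diagnostic tag for log searches, and under NULL authentication never sets an authenticated identity from it. The ID Type values for IPv4, FQDN, RFC822, IPv6, DN, GN and KEY_ID come from RFC 7296; the ID_NULL type and the NULL Authentication method, both given the value 13 here, are taken from the later RFC 7619 and are assumptions relative to the draft under discussion. The log line format, the null_auth_record and find_by_tag helpers, and the sample payloads are constructed for the example.

```python
"""Log an IKEv2 peer's ID as a diagnostic tag without letting it influence
authentication under the NULL authentication method (example code)."""
import ipaddress

# Identification payload ID Type values (RFC 7296, section 3.5).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11
ID_NULL = 13           # assumed value: ID_NULL from RFC 7619
AUTH_METHOD_NULL = 13  # assumed value: NULL Authentication method from RFC 7619


def parse_id_payload(body: bytes) -> tuple[int, bytes]:
    """Parse an Identification payload body: one ID Type byte, three
    RESERVED bytes (sent as zero), then the identification data."""
    if len(body) < 4:
        raise ValueError("ID payload shorter than its fixed 4-byte header")
    id_type = body[0]
    if body[1:4] != b"\x00\x00\x00":
        raise ValueError("reserved bytes in ID payload are not zero")
    return id_type, body[4:]


def render_id(id_type: int, data: bytes) -> str:
    """Human-readable form of the ID, used only for log lines."""
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        return f"IPV4:{ipaddress.IPv4Address(data)}"
    if id_type == ID_IPV6_ADDR and len(data) == 16:
        return f"IPV6:{ipaddress.IPv6Address(data)}"
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        tag = "FQDN" if id_type == ID_FQDN else "RFC822"
        return f"{tag}:{data.decode('ascii', errors='replace')}"
    if id_type == ID_KEY_ID:
        return f"KEY_ID:{data.hex()}"
    if id_type == ID_NULL:
        return "NULL"
    return f"TYPE{id_type}:{data.hex()}"


def null_auth_record(peer_addr: str, id_body: bytes, auth_method: int) -> dict:
    """Build the log record for an IKE_AUTH exchange under NULL authentication.

    The peer's ID is kept as an opaque diagnostic tag only. The
    'authenticated_identity' field is always None because nothing about
    the ID has been verified; the peer is unauthenticated, not anonymous
    (the transport address is still recorded)."""
    if auth_method != AUTH_METHOD_NULL:
        raise ValueError("this helper is only for NULL-authenticated peers")
    id_type, data = parse_id_payload(id_body)
    return {
        "peer": peer_addr,
        "auth": "NULL",
        "authenticated_identity": None,
        "diag_tag": render_id(id_type, data),
    }


def format_log_line(record: dict) -> str:
    """Constructed log line format for the example."""
    return (f"ike-auth peer={record['peer']} auth={record['auth']} "
            f"authid={record['authenticated_identity']} "
            f"diag={record['diag_tag']}")


def find_by_tag(log_lines: list[str], tag: str) -> list[str]:
    """The helpdesk side: pull the lines that carry a client-supplied tag."""
    needle = f"diag={tag}"
    return [line for line in log_lines if needle in line]


if __name__ == "__main__":
    # Constructed sample payloads: one client sends a KEY_ID tag it can quote
    # to support, another sends the default ID_NULL with no data at all.
    tagged = bytes([ID_KEY_ID, 0, 0, 0]) + b"ticket-4711"
    empty = bytes([ID_NULL, 0, 0, 0])
    lines = [
        format_log_line(null_auth_record("198.51.100.7", tagged, AUTH_METHOD_NULL)),
        format_log_line(null_auth_record("198.51.100.8", empty, AUTH_METHOD_NULL)),
    ]
    for line in lines:
        print(line)
    print(find_by_tag(lines, "KEY_ID:" + b"ticket-4711".hex()))
```

The record keeps the peer address alongside the tag, which is the point made above: the responder already knows where the connection came from, so an optional client-chosen tag adds a search key for support without changing what the protocol does or does not authenticate.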
