Hi Graham,
I have one Q.
If endpoint receives a request to create an unauthenticated IKE SA
from the IP address, which is configured on the endpoint to be
authenticated, the request SHOULD be rejected.
Why is this not MUST be rejected? Otherwise an attacker could trick the
responder into revealing their identity (maybe some words around this
also?).
I was thinking of two possible cases here.
First, even if the initiator was able to certify its identity,
it might want to keep anonymity for this particular
connection (for example to prevent tracking its
activity). And the other case - the responder's configuration
could be out of date and the IP address it was
configured to be authenticated could already
belong to some other, anonymous host.
Anyway, while SHOULD is a pretty strong requirement,
it is not ultimate here: I'm not absolutely sure
that the above cases completely justify it over MUST.
We can discuss it.
And you are right - some (I dare to say "many")
words still need to be added into the Security Considerations
section.
Regards,
Valery.
Thanks
Graham
On 08/09/2014 07:27, "Valery Smyslov" <[email protected]> wrote:
Yes.
Obviously, as the author of the document I can see its value,
which is described in the document itself.
And I think it's better to standardize it with
more people involved, than as an individual submission.
Regards,
Valery.
----- Original Message -----
From: "Yaron Sheffer" <[email protected]>
To: "ipsec" <[email protected]>
Sent: Sunday, September 07, 2014 10:53 PM
Subject: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
Dear working group,
This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG
document. Please respond to this mail with a Yes or No and a short
rationale, at latest by Friday Sep. 12.
Thanks,
Yaron
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec