Hi,

Thanks for the clarifications.
I really like the idea of this - as Daniel has said it's well suited for IoT, but I'm wondering if this could then lend IKEv2 into a similar concept as 'https' - secure channel and authentication of the headend and then the initiator's credentials are sent by some other means. As you say, I think it needs a lot of thought into the security considerations.

Cheers

On 09/09/2014 08:11, "Valery Smyslov" <[email protected]> wrote:

>Hi Graham,
>
>> I have one Q.
>>
>> If endpoint receives a request to create an unauthenticated IKE SA
>> from the IP address, which is configured on the endpoint to be
>> authenticated, the request SHOULD be rejected.
>>
>> Why is this not MUST be rejected? Otherwise an attacker could trick the
>> responder into revealing their identity (maybe some words around this
>> also?).
>
>I was thinking of two possible cases here.
>First, even if the initiator was able to certify its identity,
>it might want to keep anonymity for this particular
>connection (for example to prevent tracking its
>activity). And the other case - the responder's configuration
>could be out of date and the IP address it was
>configured to be authenticated could already
>belong to some other, anonymous host.
>
>Anyway, while SHOULD is a pretty strong requirement,
>it is not ultimate here: I'm not absolutely sure
>that the above cases completely justify it over MUST.
>We can discuss it.
>
>And you are right - some (I dare to say "many")
>words still need to be added into the Security Considerations
>section.
>
>Regards,
>Valery.
>
>
>> Thanks
>>
>> Graham
>>
>>
>> On 08/09/2014 07:27, "Valery Smyslov" <[email protected]> wrote:
>>
>>>Yes.
>>>
>>>Obviously, as the author of the document I can see its value,
>>>which is described in the document itself.
>>>And I think it's better to standardize it with
>>>more people involved, than as an individual submission.
>>>
>>>Regards,
>>>Valery.
>>>
>>>----- Original Message -----
>>>From: "Yaron Sheffer" <[email protected]>
>>>To: "ipsec" <[email protected]>
>>>Sent: Sunday, September 07, 2014 10:53 PM
>>>Subject: [IPsec] Call for adoption: The NULL Authentication Method in IKEv2 Protocol
>>>
>>>
>>>> Dear working group,
>>>>
>>>> This is a call for adopting draft-smyslov-ipsecme-ikev2-null-auth as a WG
>>>> document. Please respond to this mail with a Yes or No and a short
>>>> rationale, at latest by Friday Sep. 12.
>>>>
>>>> Thanks,
>>>> Yaron
>>>>
>>>> _______________________________________________
>>>> IPsec mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/ipsec
>>>
>>>_______________________________________________
>>>IPsec mailing list
>>>[email protected]
>>>https://www.ietf.org/mailman/listinfo/ipsec
