SOI QUESTIONS: 2.1 Identity protection questions?

["Theodore Ts'o" <tytso@mit.edu>]

Notes from the wg chair:

Protecting *both* the identity the initiator and the responder against
active attacks is very difficult --- and probably impossible.  In most
cases, the client identity is much more important to protect than the
responder, since often the responder is identified by its DNS name and
fixed IP address.   

Some people believe that that there will be applications where the
responder's identity may need to be protected (i.e., the home Windows NT
server on a cable modem).  One way of handling this is to introduce an
extra half-round-trip by having the responder request that the initiator
and responder "switch roles", so that where previously the responder
would reveal its identity, the initiator would be forced to reveal its
identity first instead.  If the initiator isn't happy with this state of
affairs, it can always decide to abort the authentication exchange at
that point.  Of course, adding a feature like this does add complexity
to the entire protocol, so one of the first tradeoffs we'll need to
tackle is whether supporting this kind of flexibility is warranted.

OK, that should kick off the discussion.  IPSEC wg, please answer the
questions:

2.1.A.)  Does SOI need to provide protection against passive
attacks for the initiator?

2.1.B.)  Does SOI need to provide protection against active
attacks for the initiator?

2.1.C.)  Does SOI need to provide protection against passive
attacks for the responder?

2.1.D.)  Does SOI need to provide protection against active
attacks for the responder?

Implications from the Scenarios:

VPN: <<<In a multiple administrative domain network, identity
protection of both IPsec endpoints is important.>>> [[[2.1]]]

End-to-End: <<<Hiding the identity of both parties in the exchange is
desirable.>>> [[[2.1]]]