
Re: Do ipsec vendors care about privacy?



Yoav Nir wrote:
[SNIP]

> If the client contacts the server and is able to produce a full
> ID_DER_ASN1_DN then we know it is not just a polling attack.  But what if
> the client presents a ID_IPV4_ADDR?  The IDr payload in message 3 was not
> intended to be used as a security measure.  It was intended as a hint to the
> gateway as to which identity it should authenticate.
Agreed.

I think that if Bob doesn't receive IDi and AUTH payloads in message 2 
then he understands that EAP authentication is going to be used.
Alice *MUST* send Bob a *valid IDr*. Valid IDs are all defined in 
draft-ietf-ipsec-ikev2-05.txt except ID_IPV4_ADDR and ID_IPV6_ADDR.
In the case Bob receives such an IDr (invalid) he *MUST* send the 
notification message Yoav defined below.

What do the others think?

[SNIP]
>         INVALID-RESPONDER-ID                     37
>             Indicates that the initiator has sent an unacceptable
>             responder ID as part of the initial negotiation.  This
>             only causes an error if the initiator has not sent its
>             own ID.

-- 
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Tesista Area E-Service Tecnologies
Tel: 02-23954.334 - email: forzieri@cefriel.it
ICQ# 177683894
------------------------------------------------
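As an added illustration (not code from the thread, the draft, or any IKEv2 implementation), the responder-side rule discussed above modelled in Python: parse the IDr Identification payload, and if the initiator sent no IDi, reject an address-type IDr with the proposed notification. Assumptions: ID type numbers follow the IKEv2 Identification payload registry, the notify value 37 is the number proposed in the quoted text (not an IANA-registered one), and all payload bytes are constructed samples.

```python
"""Model of the message-3 IDr check from the thread (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# IKEv2 Identification payload ID types (values from the IKEv2 registry).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11
# The thread says these two are the only ID types Bob must refuse as IDr.
ADDRESS_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}

# Notify type proposed by Yoav in the quoted text; hypothetical, not registered.
INVALID_RESPONDER_ID = 37


def parse_id_payload(body: bytes) -> Tuple[int, bytes]:
    """Split an Identification payload body: ID Type (1), RESERVED (3), data."""
    if len(body) < 4:
        raise ValueError("Identification payload too short")
    return body[0], body[4:]


@dataclass
class Message3:
    idr: bytes                    # Identification payload body carrying IDr
    idi: Optional[bytes] = None   # absent when the initiator expects EAP
    auth: Optional[bytes] = None  # absent when the initiator expects EAP


def responder_check(msg: Message3) -> str:
    """Bob's decision on message 3.

    'IDI_PRESENT': initiator identified itself, so the IDr rule does not
    apply (it "only causes an error if the initiator has not sent its own ID").
    'EAP': no IDi, IDr is a non-address type, continue with EAP.
    'NOTIFY:37': no IDi and IDr is ID_IPV4_ADDR or ID_IPV6_ADDR.
    """
    if msg.idi is not None:
        return "IDI_PRESENT"
    id_type, _data = parse_id_payload(msg.idr)
    if id_type in ADDRESS_ID_TYPES:
        return f"NOTIFY:{INVALID_RESPONDER_ID}"
    return "EAP"


# Constructed sample payload bodies (not captured traffic).
FQDN_IDR = bytes([ID_FQDN, 0, 0, 0]) + b"vpn.example.com"
IPV4_IDR = bytes([ID_IPV4_ADDR, 0, 0, 0]) + bytes([192, 0, 2, 1])
IPV6_IDR = bytes([ID_IPV6_ADDR, 0, 0, 0]) + bytes.fromhex("20010db8" + "00" * 12)

if __name__ == "__main__":
    print(responder_check(Message3(idr=FQDN_IDR)))  # EAP
    print(responder_check(Message3(idr=IPV4_IDR)))  # NOTIFY:37
    print(responder_check(Message3(idr=IPV4_IDR, idi=FQDN_IDR, auth=b"\x01")))  # IDI_PRESENT
```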