Re: IKEv2 SA rekeying - naming an initial SA
At 20:25 -0700 8/19/03, Nicolas Williams wrote:
>On Tue, Aug 19, 2003 at 04:31:36PM -0400, Stephen Kent wrote:
>> Nico,
>>
>> sorry for the confusion on my part. I thought you were trying to find
>> a way to ID SAs for rekeying in IKE. That was the context in which I
>> made my original suggestion. With the sorts of authentication we have
>> historically defined for use with IKE, MITM attacks are not an issue,
>> s
>>
>> IPsec has no anonymous mode, because access control is an essential
>> feature of IPsec, unlike SSL. So, no arguments based on the latter
>> paragraph of your message are likely to be appropriate in this
>> context.
>
>One would never want to use anonymous IPsec with any application *other*
>than applications which bind authentication at higher layers to IPsec
>SAs.
>
>But if one can do that, then the authenticated identities at the IPsec
>layer become irrelevant, particularly if such applications are doing
>mutual authentication at the application layer.
>
>Thus one would want to set policies that allow the use of anon IPsec
>ONLY for apps such as NFS (w/ RPCSEC_GSS & CCM).
>
>Cheers,
>
>Nico
>--
Nico,
I'm not arguing about what one might do with an IP-layer security protocol
in general. I am noting that this WG made a decision about the
services offered in IPsec a number of years ago.
steve
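The property Nico relies on above (an anonymous IPsec SA is only safe when the application-layer authentication is bound to that specific SA, so a man in the middle holding two separate SAs cannot splice the authentication across them) is the idea later standardized as channel binding. The following Python sketch is an added illustration, not code from either participant, from the IPsec WG, or from any IKE/IPsec implementation: it models the anonymous SA with a toy Diffie-Hellman exchange and the application-layer authentication with an HMAC under a pre-shared application key. The group parameters, the token layout, the identity string and the pre-shared key are all assumptions made for the example and are far too weak for real use.

```python
"""Toy model of binding application-layer authentication to an anonymous SA.

Added illustration; not IKE/IPsec code. Everything below (group, key sizes,
token layout, pre-shared key) is an assumption made for the example.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for an anonymous IKE/IPsec SA.
# Assumption for illustration only: M127 is prime but hopelessly small.
P = 2**127 - 1
G = 3

# Assumption: a pre-shared application-layer key standing in for the
# credentials an RPCSEC_GSS-style mechanism would use (constructed value).
APP_KEY = b"constructed application-layer pre-shared key"


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


class Endpoint:
    """One end of an anonymous SA. No identity is ever asserted here."""

    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.role = self.peer_pub = self.key = None

    def complete(self, role, peer_pub):
        self.role, self.peer_pub = role, peer_pub
        self.key = pow(peer_pub, self.priv, P)

    def binding_token(self):
        """Channel binding token: a digest of the SA's own public values and
        shared secret, ordered initiator-first so both ends agree on it."""
        i_pub, r_pub = (self.pub, self.peer_pub) if self.role == "i" else (self.peer_pub, self.pub)
        h = hashlib.sha256()
        for v in (i_pub, r_pub, self.key):
            h.update(v.to_bytes(16, "big"))  # all values are < 2**127
        return h.digest()


def establish(initiator, responder):
    """Anonymous key exchange: neither side learns who the other is."""
    initiator.complete("i", responder.pub)
    responder.complete("r", initiator.pub)


def auth_tag(identity, nonce, token):
    """Application-layer proof of identity over the server's challenge,
    optionally tied to the SA via the binding token."""
    return hmac.new(APP_KEY, identity + nonce + token, hashlib.sha256).digest()


def client_authenticates_to_server(client, server, bind):
    """Returns whether the server accepts the client's application-layer
    authentication. A man in the middle relays nonce and tag verbatim, so
    the only thing that can differ between the two ends is the token."""
    nonce = secrets.token_bytes(16)
    client_token = client.binding_token() if bind else b""
    tag = auth_tag(b"client", nonce, client_token)
    server_token = server.binding_token() if bind else b""
    return hmac.compare_digest(tag, auth_tag(b"client", nonce, server_token))


def run(bind, mitm):
    """Direct connection, or an attacker holding one anonymous SA with each
    party. Returns True if the server accepted the client's authentication."""
    client, server = Endpoint(), Endpoint()
    if mitm:
        attacker_facing_client, attacker_facing_server = Endpoint(), Endpoint()
        establish(client, attacker_facing_client)   # client really talks to attacker
        establish(attacker_facing_server, server)   # attacker opens a second SA
    else:
        establish(client, server)
    return client_authenticates_to_server(client, server, bind)


if __name__ == "__main__":
    print("direct, bound      :", run(bind=True, mitm=False))   # accepted
    print("MITM, bound        :", run(bind=True, mitm=True))    # rejected
    print("MITM, unbound      :", run(bind=False, mitm=True))   # accepted: attack works
```

With binding, the client's tag commits to the token of the SA it actually negotiated; the server computes the token of a different SA and the HMAC check fails, so the relayed authentication is useless to the attacker. Without binding, the same relay succeeds and the anonymous SA gives the attacker a fully authenticated session, which is why a policy would admit anonymous SAs only for applications that perform this binding.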