
Re: IKEv2 SA rekeying - naming an initial SA



At 20:25 -0700 8/19/03, Nicolas Williams wrote:
>On Tue, Aug 19, 2003 at 04:31:36PM -0400, Stephen Kent wrote:
>>  Nico,
>>
>>  sorry for the confusion on my part. I though you were trying to find
>>  a way to ID SAs for rekeying in IKE.  That was the context in which I
>>  made my original suggestion. With the sorts of authentication we have
>>  historically defined for use with IKE, MITM attacks are not an issue,
>>  s
>>
>>  IPsec has no anonymous mode, because access control is an essential
>>  feature of IPsec, unlike SSL.  So, no arguments based on the latter
>>  paragraph of your message are likely to be appropriate in this
>>  context.
>
>One would never want to use anonymous IPsec with any application *other*
>than applications which bind authentication at higher layers to IPsec
>SAs.
>
>But if one can do that, then the authenticated identities at the IPsec
>layer become irrelevant, particularly if such applications are doing
>mutual authentication at the application layer.
>
>Thus one would want to set policies that allow the use of anon IPsec
>ONLY for apps such as NFS (w/ RPCSEC_GSS & CCM).
>
>Cheers,
>
>Nico
>--

Nico,

I'm not arguing about what one might do with an IP layer security protocol 
in general. I am noting that this WG made a decision about the 
services offered in IPsec a number of years ago.

steve