
Re: IKEv2 SA rekeying - naming an initial SA



On Tue, Aug 19, 2003 at 04:31:36PM -0400, Stephen Kent wrote:
> Nico,
> 
> sorry for the confusion on my part. I thought you were trying to find 
> a way to ID SAs for rekeying in IKE.  That was the context in which I 
> made my original suggestion. With the sorts of authentication we have 
> historically defined for use with IKE, MITM attacks are not an issue, 
> s
> 
> IPsec has no anonymous mode, because access control is an essential 
> feature of IPsec, unlike SSL.  So, no arguments based on the latter 
> paragraph of your message are likely to be appropriate in this 
> context.

One would never want to use anonymous IPsec with any application *other*
than applications which bind authentication at higher layers to IPsec
SAs.

But if one can do that, then the authenticated identities at the IPsec
layer become irrelevant, particularly if such applications are doing
mutual authentication at the application layer.

Thus one would want to set policies that allow the use of anon IPsec
ONLY for apps such as NFS (w/ RPCSEC_GSS & CCM).

Cheers,

Nico
--