
Re: IKEv2 SA rekeying - naming an initial SA



At 22:55 -0500 8/19/03, Nicolas Williams wrote:
>On Tue, Aug 19, 2003 at 08:25:23PM -0700, Nicolas Williams wrote:
>>  On Tue, Aug 19, 2003 at 04:31:36PM -0400, Stephen Kent wrote:
>>  > IPsec has no anonymous mode, because access control is an essential
>>  > feature of IPsec, unlike SSL.  So, no arguments based on the latter
>>  > paragraph of your message are likely to be appropriate in this
>>  > context.
>>
>>  One would never want to use anonymous IPsec with any application *other*
>>  than applications which bind authentication at higher layers to IPsec
>>  SAs.
>...
>
>I'd also like to point out that if we allow non-kg EAPs then we might as
>well allow anonymous IKEv2 :) :)
>
>And if we allow IKEv2 w/ non-kg EAPs (with loud warnings) because we
>think that others will implement the same regardless of whether it is a
>MUST NOT, then we ought to allow anon IKEv2 for the same reason (and
>also with loud warnings).
>
>And note that anon IPsec with GSS-API CCM channel bindings to the same
>is quite strong[*], compared to IPsec w/ non-kg EAPs.  The former is not
>subject to MITMs or spoofing, the latter is.
>
>[*]  As strong as the authentication and integrity protection services
>      of the underlying GSS-API mechanism.
>
>Cheers,
>
>Nico
>--

what part of "no" do you find puzzling :-)

Steve
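The point Nico makes in the quoted text (an authentication that is not bound to the key exchange survives a man-in-the-middle, one bound to the exchange does not) can be checked with a small model. The following is an added example, not code from either poster nor from any IKEv2 or GSS-API implementation. It assumes a toy Diffie-Hellman group (the Mersenne prime 2^127-1 with generator 3, far too small for real use), a shared password as a stand-in for whatever a non-key-generating EAP method proves, a SHA-256 hash of the two public values as the channel binding, and an HMAC over the responder's nonce (plus, optionally, that binding) as the proof. Real channel bindings are derived from SA keying material rather than the raw transcript; the binding logic below is the same either way.

```python
"""Toy model: EAP-style authentication inside an unauthenticated DH exchange,
with and without a channel binding, relayed by a man-in-the-middle.
Constructed example for illustration; not IKEv2 or GSS-API code."""
import hashlib
import hmac
import secrets

# Toy DH group (assumption): Mersenne prime 2**127 - 1, generator 3.
# Chosen so the example runs instantly; far too small for real use.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def channel_binding(pub_i, pub_r):
    """Binding token derived from the key-exchange transcript as seen by one
    party. Each public value is < 2**127, so 16 big-endian bytes suffice."""
    h = hashlib.sha256()
    h.update(pub_i.to_bytes(16, "big"))
    h.update(pub_r.to_bytes(16, "big"))
    return h.digest()


def eap_response(password, nonce, binding):
    """Password-based proof standing in for a non-key-generating EAP method.
    With binding=b'' it proves only the password; with a channel binding it
    ties the proof to the DH exchange the prover actually took part in."""
    return hmac.new(password, nonce + binding, hashlib.sha256).digest()


def run_exchange(mitm, channel_bound, password=b"constructed-password"):
    """Simulate one exchange. Returns (responder_accepted, keys_agree), where
    keys_agree is whether initiator and responder derived the same DH secret.
    With mitm=True the attacker substitutes their own DH value on both legs
    and forwards the EAP messages unchanged."""
    nonce = secrets.token_bytes(16)          # responder's challenge
    i_priv, i_pub = dh_keypair()             # initiator
    r_priv, r_pub = dh_keypair()             # responder
    if mitm:
        m_priv, m_pub = dh_keypair()         # attacker
        i_sees_r_pub = m_pub                 # initiator's SA is with the attacker
        r_sees_i_pub = m_pub                 # responder's SA is with the attacker
    else:
        i_sees_r_pub = r_pub
        r_sees_i_pub = i_pub

    # Each side binds (or not) to the transcript it observed.
    i_binding = channel_binding(i_pub, i_sees_r_pub) if channel_bound else b""
    r_binding = channel_binding(r_sees_i_pub, r_pub) if channel_bound else b""

    proof = eap_response(password, nonce, i_binding)     # relayed verbatim
    expected = eap_response(password, nonce, r_binding)
    accepted = hmac.compare_digest(proof, expected)

    keys_agree = dh_shared(i_priv, i_sees_r_pub) == dh_shared(r_priv, r_sees_i_pub)
    return accepted, keys_agree


if __name__ == "__main__":
    for mitm in (False, True):
        for bound in (False, True):
            accepted, agree = run_exchange(mitm, bound)
            print(f"mitm={mitm!s:5} channel_bound={bound!s:5} "
                  f"responder_accepted={accepted!s:5} keys_agree={agree}")
```

With the attacker in the path and no binding, the responder accepts the relayed proof even though it shares its keys with the attacker rather than the initiator, which is the spoofing case in the quoted message. With the binding, the initiator's proof covers a transcript the responder never saw, so the relayed proof fails. The password proof here is an offline-guessable toy; the comparison is only about the binding, which is why the text qualifies the anonymous-IPsec case by the strength of the underlying GSS-API mechanism.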