Re: IKEv2 SA rekeying - naming an initial SA
On Wed, Aug 27, 2003 at 03:10:39PM -0400, Stephen Kent wrote:
> At 15:42 -0700 8/25/03, Nicolas Williams wrote:
> >On Mon, Aug 25, 2003 at 08:39:36AM -0400, Stephen Kent wrote:
> >> At 8:39 -0700 8/22/03, Nicolas Williams wrote:
> >> >If there will never be anon IPsec then the AUTH values will do - but I'd
> >> >like to not discount the possibility that there might be an anon IPsec
> >> >formulation in the future.
> >>
> >> Any admin managing an IPsec environment has the ability to issue
> >> credentials that are effectively anonymous, and that allows the
> >> effect of anonymous use of IPsec, in a given context.  Unless the WG
> >> changes direction in a significant way, to support unauthenticated
> >> IPsec, then it would be inappropriate to use the possibility of this
> >> change as an input in deciding on how to make a decision re this IKE
> >> v2 authentication issue.
> >
> >Sure, but this does not dispose of the issue - you're merely rejecting
> >one rationale for specifying a "session ID" as anything other than the
> >AUTH values.  But then, if the WG ignores the session ID issue we can
> >default to using the AUTH values as such, since they are bound to the
> >KE.
> 
> I'm rejecting an argument for why we should change the specs to 
> accommodate a function that we can already provide, irrespective of 
> the discussion about session IDs.

I'll wait a bit for answers from other participants.  If there are none
I will go ahead and use the AUTH values as the session ID to bind
GSS-API contexts to.

I would rather see a session ID defined that is bound to the KE but not
to the authentication.

Cheers,

Nico
--