
Re: IKEv2 SA rekeying - naming an initial SA



At 15:42 -0700 8/25/03, Nicolas Williams wrote:
>On Mon, Aug 25, 2003 at 08:39:36AM -0400, Stephen Kent wrote:
>>  At 8:39 -0700 8/22/03, Nicolas Williams wrote:
>>  >If there will never be anon IPsec then the AUTH values will do - but I'd
>>  >like to not discount the possibility that there might be an anon IPsec
>>  >formulation in the future.
>>
>>  Any admin managing an IPsec environment has the ability to issue
>>  credentials that are effectively anonymous, and that allows the
>>  effect of anonymous use of IPsec, in a given context.  Unless the WG
>>  changes direction in a significant way, to support unauthenticated
>>  IPsec, then it would be inappropriate to use the possibility of this
>>  change as an input in deciding on how to make a decision re this IKE
>>  v2 authentication issue.
>
>Sure, but this does not dispose of the issue - you're merely rejecting
>one rationale for specifying a "session ID" as anything other than the
>AUTH values.  But then, if the WG ignores the session ID issue we can
>default to using the AUTH values as such, since they are bound to the
>KE.

I'm rejecting an argument for why we should change the specs to 
accommodate a function that we can already provide, irrespective of 
the discussion about session IDs.

Steve